Table of Contents
Fetching ...

The Cost of Convenience: Identifying, Analyzing, and Mitigating Predatory Loan Applications on Android

Olawale Amos Akanji, Manuel Egele, Gianluca Stringhini

TL;DR

The paper addresses the privacy and regulatory gaps in digital lending apps by introducing LoanWatch, a reproducible, cross-country audit that combines LLM-assisted policy-to-permission mapping with static and dynamic analyses. Applying LoanWatch to 435 Android loan apps across five countries, the authors quantify widespread non-compliance with both national regulations and Google’s FSP, and demonstrate concrete data-exfiltration pathways, including launch-time access to sensitive data. A harmonized permission set reveals a higher risk surface than either policy alone, and dynamic analysis confirms real-world pre-registration data leakage and coercive data-use tactics. The work highlights enforcement gaps and offers actionable recommendations for regulators, platforms, and developers to strengthen privacy protections and curb coercive debt-collection practices in digital lending. It also provides a framework and publicly releasable artifacts to support automated compliance monitoring and policy reform in emerging markets.

Abstract

Digital lending applications, commonly referred to as loan apps, have become a primary channel for microcredit in emerging markets. However, many of these apps demand excessive permissions and misuse sensitive user data for coercive debt-recovery practices, including harassment, blackmail, and public shaming that affect both borrowers and their contacts. This paper presents the first cross-country measurement of loan app compliance against both national regulations and Google's Financial Services Policy. We analyze 434 apps drawn from official registries and app markets from Indonesia, Kenya, Nigeria, Pakistan, and the Philippines. To operationalize policy requirements at scale, we translate policy text into testable permission checks using LLM-assisted policy-to-permission mapping and combine this with static and dynamic analyses of loan apps' code and runtime behavior. Our findings reveal pervasive non-compliance among approved apps: 141 violate national regulatory policy and 147 violate Google policy. Dynamic analysis further shows that several apps transmit sensitive data (contacts, SMS, location, media) before user signup or registration, undermining informed consent and enabling downstream harassment of borrowers and third parties. Following our disclosures, Google removed 93 flagged apps from Google Play, representing over 300M cumulative installs. We advocate for adopting our methodology as a proactive compliance-monitoring tool and offer targeted recommendations for regulators, platforms, and developers to strengthen privacy protections. Overall, our results highlight the need for coordinated enforcement and robust technical safeguards to ensure that digital lending supports financial inclusion without compromising user privacy or safety.

The Cost of Convenience: Identifying, Analyzing, and Mitigating Predatory Loan Applications on Android

TL;DR

The paper addresses the privacy and regulatory gaps in digital lending apps by introducing LoanWatch, a reproducible, cross-country audit that combines LLM-assisted policy-to-permission mapping with static and dynamic analyses. Applying LoanWatch to 435 Android loan apps across five countries, the authors quantify widespread non-compliance with both national regulations and Google’s FSP, and demonstrate concrete data-exfiltration pathways, including launch-time access to sensitive data. A harmonized permission set reveals a higher risk surface than either policy alone, and dynamic analysis confirms real-world pre-registration data leakage and coercive data-use tactics. The work highlights enforcement gaps and offers actionable recommendations for regulators, platforms, and developers to strengthen privacy protections and curb coercive debt-collection practices in digital lending. It also provides a framework and publicly releasable artifacts to support automated compliance monitoring and policy reform in emerging markets.

Abstract

Digital lending applications, commonly referred to as loan apps, have become a primary channel for microcredit in emerging markets. However, many of these apps demand excessive permissions and misuse sensitive user data for coercive debt-recovery practices, including harassment, blackmail, and public shaming that affect both borrowers and their contacts. This paper presents the first cross-country measurement of loan app compliance against both national regulations and Google's Financial Services Policy. We analyze 434 apps drawn from official registries and app markets from Indonesia, Kenya, Nigeria, Pakistan, and the Philippines. To operationalize policy requirements at scale, we translate policy text into testable permission checks using LLM-assisted policy-to-permission mapping and combine this with static and dynamic analyses of loan apps' code and runtime behavior. Our findings reveal pervasive non-compliance among approved apps: 141 violate national regulatory policy and 147 violate Google policy. Dynamic analysis further shows that several apps transmit sensitive data (contacts, SMS, location, media) before user signup or registration, undermining informed consent and enabling downstream harassment of borrowers and third parties. Following our disclosures, Google removed 93 flagged apps from Google Play, representing over 300M cumulative installs. We advocate for adopting our methodology as a proactive compliance-monitoring tool and offer targeted recommendations for regulators, platforms, and developers to strengthen privacy protections. Overall, our results highlight the need for coordinated enforcement and robust technical safeguards to ensure that digital lending supports financial inclusion without compromising user privacy or safety.
Paper Structure (31 sections, 3 figures, 3 tables)

This paper contains 31 sections, 3 figures, 3 tables.

Figures (3)

  • Figure 1: Example of a threat message received by users.
  • Figure 2: Example of a message sent to the contacts of a defaulting user.
  • Figure 4: Overview of LoanWatch Methodology.