Earlier this month, 32-year-old Babu Lal received an alarming message from an unknown engineering student. The 2nd year BTech student had taken a loan from a fraudulent lending app named CashPocket on Google Play Store and was now facing harassment from the lenders. Unable to repay the amount that was supposedly due, the young student was contemplating suicide as a way out of his ordeal. Before deliberating upon such a drastic step, he reached out to Babu, who had previously raised alarm about CashPocket and other fake loan apps that are available to users on Google Play Store and Apple App Store.
Babu, who works at a fintech start-up, had reported CashPocket as an unlawful lending app to the Play Store team on 5th September while the app had just a few thousand users. By the time the app was removed for violating Google Play guidelines, it had already notched up over one lakh users in the store and was even included in the top 20 finance apps list.
The dangerous rise of such apps on Google Play Store and Apple App Store is well documented in Babu’s personal website. “Despite the government and RBI taking actions on such fake loan apps in the past, they keep reappearing on Play Store and App Store. It brings to question how Google’s and Apple’s safety policies can be violated so easily and so often by malicious actors,” Babu says. The intimidatory tactics employed by these illegal apps include spam, use of morphed images, threat calls late at night, etc, and have resulted in suicides in the past. The number of complaints against illegal lending apps doubled to more than 1,060 in 2023, the finance ministry had informed the parliament in July.
In February this year, the Ministry of Electronics and IT (MeitY) had blocked close to 100 lending apps at once from these stores for extortion, fraud and data theft. Many of them allegedly had links to Chinese entities as well. In the past three months alone, over 400 fraudulent lending service apps have been removed. Despite repeated removals, these apps use a series of criminal manoeuvres to find their way back to Google’s and Apple’s digital application stores and continue to harm unsuspecting users. This has not gone unnoticed by the Centre.
“We have recognised the user harm caused by these [fake lending] apps and will be initiating a ‘whitelist’ approach in association with the RBI,” Rajeev Chandrasekhar, Minister of State for Electronics and IT, said earlier this month. Publishing any financial apps outside of this permitted list will attract criminal liability on Play Store and App Store, marking a shift from the protection these platforms enjoyed under the IT Act so far.
“With existing powers, the Government of India cannot criminally prosecute them [Play Store and App Store]. We can only block specific apps after they have been reported. But the issue is that once it's blocked, they re-appear in other forms,” the minister said. These provisions of criminal prosecution will be included in the upcoming Digital India bill. “The Digital India Act will give [the Centre] power to regulate Play Store and App Store. If they host harmful apps, they will face consequences,” minister Chandrasekhar also said.
Why Play Store And App Store Are Failing
In response to queries sent by Outlook Business, a Google spokesperson said, “In the past years, we have consistently worked towards combating fraud by personal loan apps on Google Play by updating our policies and review processes.” In September 2021, Play Store amended its developer program policy for lending apps in India, making it mandatory for publishers of loan apps to prove that they are lenders registered with the RBI. App Store under Apple Inc also instituted similar measures within India.
Despite all this, fraudulent apps show up on these stores by misusing the corporate identity of legitimate businesses. In July, a fake loan app appeared on Play Store under the false developer name of Bajaj Finance Ltd. While the app had nothing to do with the listed non-banking financial company (NBFC) from the Bajaj Group, it was able to deceive Google and more than 50,000 users before it was eventually removed.
“Most of the time, these fake apps steal or misappropriate the identity of small, registered NBFCs that do not have much of an online presence. They build a fake website for themselves, submit fake or stolen certification, and use copy pasted privacy policies from legitimate businesses to bypass Google and Apple guidelines,” says Babu.
In many cases, the legitimate businesses are not even aware that they are being impersonated on Play Store and App Store by such fake loan apps. Outlook Business reached out to a handful of businesses who got to know about fraudulent apps misusing their names only after it was removed from the application stores. “We have never published any apps on Play Store or App Store and the [fake lending] app was wrongly using our name. We will discuss this matter internally and consider reporting this to cybercrime authorities,” says an executive at one of the businesses.
Impersonation of other businesses is a violation of the agreement issued by Google and Apple to app developers on its stores. However, during the review process on both the stores that involve manual and automated processes, fraudulent apps continue to dupe Google and Apple.
While corporate identity theft, and its subsequent misuse, remains a concern for Play Store and App Store, now they have to deal with other forms of deception as well. Babu noted that in the past few weeks, many apps that were once removed by Apple and Google, resurfaced under the guise of ‘loan guide apps’ or ‘wallpaper apps’. Once downloaded, these apps allow users to access blocked apps through a process known as sideloading. This method effectively allows users to download a restricted app without relying on official application distribution routes such as Play Store and App Store. In contrast to regular downloads from application stores, this method makes it impossible to track how many users end up using these unlawful apps.
Although these deceptive apps have been getting removed from Play Store and App Store within a week or less, it reaches tens of thousands of unwary users by then, taking advantage of poor advertising safeguards within these platforms.
Flaws In Paid Promotion
Every time a user searches for any kind of application on the Play Store or the App Store, the search result is often preceded by a list of advertisements. Actors behind fake lending apps use this ad feature to boost the visibility of their fraudulent apps.
Babu cites the example of SunGold Loan app that was available on App Store for just five days during the month of August. By the time it got removed on 28 August, the app which was impersonating Ahmedabad-based Sungold Capital Ltd managed to break into the list of top 50 finance apps available on the store. This was possible via aggressive promotion on AppStore Ads. Babu explains, “Huge ad spending by these apps mean that they get more downloads than legitimate lending apps in just a matter of days. By the time Apple or Google realise their error and block the apps, the ads help them generate tens of thousands of users if not more.”
In another case, an app named Kirloskar Loan, impersonating renewable energy solutions company Kirloskar Solar, gained 80 positions in less than a week to achieve 7th spot in App Store’s top finance apps list. It was ahead of popular, legitimate financial apps like HDFC Net Banking app and Navi Loan App. This was possible due to its aggressive ad strategy which went unnoticed by Apple for a few days.
These advertisements are often linked to specific search queries such as ‘quick loan’ or ‘instant loan’, leading desperate credit seekers towards fraudulent lenders. While many of these advertisers are registered in India, some also operate from foreign locations such as China, Hong Kong and Nigeria. In spite of having dedicated policies to prevent misleading or harmful ads, both Google and Apple have sometimes faltered on preventing the dangerous ads that popularise lending apps which are unlawful in the first place.
Not commenting specifically on the above-mentioned apps, Apple told Outlook Business that the company is aware of some apps representing a false association with financial institutions, and that it has been continuously taking action against such developer accounts. In 2022, the Cupertino-based company terminated 428,000 developer accounts globally for potentially fraudulent activity.
What Next For Google And Apple In India?
The whitelisting framework was suggested by the Standing Committee on Finance in July this year. Sources close to both Google and Apple say that such a framework will in fact make it easier for the companies to prevent unlawful apps on their platforms.
“The problem is that the number of apps is way too much. Even when there is some amount of due diligence exercised by Google and Apple before listing apps on their stores, this is not foolproof. Ultimately, stores have to rely on user reports especially for cases such as misrepresentation, impersonation, coercion etc. Given the volume of such reports, it can take a lot of time to address them,” says Rohit Kumar, founding partner at The Quantum Hub (TQH), a public policy firm. “Except for some kind of labelling or whitelisting framework for high-risk use cases like lending, I don’t see other viable options.”
According to Apple’s App Store Transparency Report 2022, out of the 6.1 million app submissions it received last year, more than 1.6 million were rejected with over ninety thousands of them rejected for violating safety guidelines.
Presently, Play Store and App Store are defined as ‘intermediaries’ under the IT Act and enjoy safe harbour i.e. exception from regulatory liability in case of user harm resulting from third-party actions on their stores. Provisions in the upcoming Digital India bill might not just hamper the safe harbour enjoyed by the application stores, but even impose criminal liability.
Such a move can have unintended consequences and cause operational difficulties for Google and Apple, warns Kumar. “Diluting safe harbour can have an adverse impact on innovation and free expression in the entire ecosystem. This is not advisable. Imposing criminal liability can be problematic as well; it can create difficulties in hiring and also open avenues for potential harassment. Perhaps a better option is to prescribe due diligence requirements and more specific dos and don'ts, while imposing heavy monetary penalties so that platforms take compliance seriously,” he says.
For Google and Apple, the issue with fake loan apps is not specific to India. It is prominent across various markets, especially in low-income countries where vast sections of the population do not have access to easy credit. “If safe harbour is removed, the app distributors will face an existential crisis. These are global companies with global products, and they have evolved over a very long time with the nature of internet being the same everywhere. Criminal liability will cause a huge disruption for them and the users,” says Nikhil Narendran, partner at Trilegal law firm. He adds that such provisions are not seen in other modern democracies.
For now, Google and Apple are keen on improving their safety standards so that users do not come across fraudulent lending apps on their platforms. “We continue to uplevel our efforts in this space, and engage with law enforcement agencies and industry bodies to help address this issue,” said a Google spokesperson.
Going forward, tightening the safeguards against fake lending apps will not just protect end users but also help Google and Apple stay away from criminal liabilities and potential jail time. As for lending app users, it is advised that credit seekers do not engage with seemingly fraudulent apps and to report any unlawful activities to law enforcement authorities. This is what Babu told the 2nd year BTech student as well.
The draft of the Digital India bill will be made public soon and the bill is expected to be tabled in the parliament in the upcoming winter session.