Malicious Loan App "RapiPlata" Infects Over 150,000 Devices on iOS and Android

A fraudulent loan application posing as a legitimate financial service has infected more than 150,000 devices running iOS and Android before being removed from official app stores.
The app, known as “RapiPlata,” reached a Top 20 ranking in the finance category on SimilarWeb’s platform in Colombia, highlighting the extensive reach of this sophisticated threat.
Approximately 100,000 victims downloaded the app from Google Play, while the remainder obtained it from the Apple App Store, revealing vulnerabilities in the security screening processes of both platforms.
Marketed as a quick loan service targeting Colombian users, RapiPlata concealed extensive data theft capabilities behind its seemingly legitimate interface. Once installed, the app requested permissions far exceeding what would be necessary for loan processing, including access to SMS messages, call logs, calendar events, and lists of installed applications.


The app claimed these permissions were essential for assessing creditworthiness and sending payment reminders, but in reality, they enabled comprehensive surveillance of users’ devices.
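The permission mismatch described above can be checked during app vetting. The following is an added example, not code from Check Point or from the app: it assumes the APK's manifest has already been decoded to text XML, uses a constructed sample manifest, and the mapping of real Android permission names to the data categories named in the article is this example's own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions covering the data categories the article lists (real Android
# permission names; the category mapping is this example's assumption).
SENSITIVE = {
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CALENDAR": "calendar events",
    "android.permission.QUERY_ALL_PACKAGES": "installed applications",
}

# Constructed sample manifest, not taken from the RapiPlata APK.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.loanapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application android:label="Loan App"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                names.add(name.strip())
    return names

def audit(manifest_xml, allowed_categories=frozenset()):
    """Map each sensitive data category to the permissions that expose it,
    skipping categories the reviewer has accepted for this app type."""
    findings = {}
    for perm in sorted(requested_permissions(manifest_xml)):
        category = SENSITIVE.get(perm)
        if category and category not in allowed_categories:
            findings.setdefault(category, []).append(perm)
    return findings

if __name__ == "__main__":
    for category, perms in audit(SAMPLE_MANIFEST).items():
        print(f"{category}: {', '.join(perms)}")
```
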
Check Point researchers identified the malicious app in February 2025 using their Harmony Mobile detection engines, which flagged it as malicious through advanced machine learning models. Their analysis revealed that RapiPlata is part of a larger SpyLoan malware operation linked to previously identified threats. Alarmingly, the app had minimal detection coverage on VirusTotal, allowing it to operate undetected for months before its removal.
Victims reported severe repercussions beyond data theft, including harassment through messages and emails. Attackers frequently threatened users with being labeled as delinquent debtors, even though many had never taken out any loans. In some instances, the app operators contacted victims’ contacts from stolen address books, falsely claiming outstanding debts and damaging personal reputations.
These social engineering tactics compounded the technical exploitation, resulting in both digital and real-world consequences for affected users.


Despite its removal from official stores in March 2025, RapiPlata continues to pose threats through alternative distribution channels. The application’s website remains active and deceptively displays a Google Play download button that redirects users to external sites for unauthorized app installation.
This redirect chain (using URLs like https[:]//t[.]copii[.]co/9YEPe) demonstrates the operators’ determination to sustain their malicious campaign despite increased scrutiny.
The app’s most sophisticated feature was its comprehensive data exfiltration mechanism. Upon first launch, RapiPlata scanned all SMS messages for specific keywords, ostensibly to evaluate financial standing. However, the keyword list revealed broader surveillance intentions, including mundane Spanish terms like “día” (day), “hasta” (until), “para” (for), and “sido” (been), which have minimal financial relevance.
This extensive scanning effectively captured nearly all communications, which were then uploaded to command-and-control servers for analysis and exploitation.
Calendar exfiltration proved particularly dangerous for corporate users, as calendar entries often contained Zoom meeting links and presentation attachments. Attackers could leverage this intelligence to join sensitive corporate discussions undetected, accessing intellectual property and strategic business information.
Similarly, call logs enabled mapping of social and professional relationships, facilitating targeted spear-phishing campaigns against contacts in the victim’s network.