Zaki Khalid

'Galaxy Loan' part of a transnational Chinese-origin loan shark app network

Mar 09, 2023

Updated: 14 Mar 2023 @ 14:45 UTC

Background: An illegal loan app, Galaxy Loan, also going by the alias LibreCash Columbia 2, was published on the Google Play Store on 06 December 2022. The app may appear to be a standalone operation, but an extensive open source investigation reveals it is linked to multiple entities in India and Egypt with a common (and as yet unknown) beneficiary in China.

As of 08 March 2023, the Galaxy Loan app ranks 16th in the Finance category of Pakistan's Play Store, having been downloaded on more than 100,000 devices. The app is currently running multiple ads on Facebook, including one which misuses the logo of National Bank of Pakistan (NBP) to deceive the audience. Samples below:

The app's Play Store description lists an email address, [email protected], for correspondence, which also appears on the website. A reverse lookup of this email address reveals the name of an individual, Hammad Ur Rehman Taj, who is an SEO specialist based in Lahore, Pakistan. The physical address listed on Play Store is: 1st Floor, New Climate Plaza, 2 Street 36, G 13/2 G-13, Islamabad, Islamabad Capital Territory. This address is used by the multinational corporation 'B Braun Pakistan', and it is unclear whether another company shares the same floor space with it.

Facebook's transparency features reveal that the Facebook page for this app is managed by 6 admins, all of whom are based in China:

The key giveaways of this app are its Facebook page and the email address it lists for correspondence: [email protected]. A reverse lookup of this email helped uncover links to two India-based apps, 'Whale Cash' and 'Lemon Loan', of which the latter was renamed 'Rupee Mini'. Both of these India-targeting apps are no longer available and are believed to have been taken down at the request of India's government.

The apps targeting Indian citizens included two stakeholders which are long-time registered companies in Ahmedabad, Gujarat:

(1) Zytel Investments Ltd

(2) Kuber Udyog Ltd

It is unclear whether these companies were in fact acting as fronts for these apps or whether their corporate identities were being misused without their knowledge.

An inspection of those apps, including cached webpages, reveals these apps have further links to a set of apps targeting Egyptian citizens, all managed by a front company calling itself 'Wild Hunter Technology', led by one Karim Zaki from Cairo.

Summary

  • Galaxy Loan (alias LibreCash Columbia 2) is the Pakistani prong of a transnational network of loan shark apps. It is not operating with a license and is not known to be patronised by any domestic front company.

  • Apart from deceiving and trapping users, these apps aim to collect and store Personally Identifiable Information (PII).

  • Most of the back-end IPs used by these apps are Emirati (UAE) IP addresses, with servers hosted by Alibaba in mainland China. Facebook pages created for some of these apps also have multiple admins based in China managing them.

  • Apps targeting Indian citizens have been removed from Play Store, but the network continues to deceptively lure Pakistani and Egyptian citizens, particularly the former through sponsored ads on Facebook.

Visual Summary

I have developed the mind map below that attempts to summarise key findings and observations. Right-click and zoom in on the image below to examine it more closely:

It is worth mentioning that the Securities and Exchange Commission of Pakistan has already listed this app, among others, as illegal and has made requests to relevant authorities such as the Pakistan Telecommunications Authority and to Google. However, the app is still available on Play Store, raising concerns about harmful delays in takedown.

Technical Findings

The mind map below contains a broad summary of technical details acquired through reverse-engineering of the app by Haider Mahmood, a UK-based Security Architect. Some additional findings related to apparent connections/ownership were added by me. Right-click and zoom in on the image below to examine it more closely:

Investigations based on reverse-engineering of Galaxy Loan/LibreCash Columbia 2 reveal the app depends upon an architecture hosted on the domain zldayu(dot)com, which is owned by Zoomlion Dayu Water Environment Holdings Co., Ltd. in China. The company's registered English name is Zhonglian Dayu Water Environment Holding Co. Ltd. We were also able to determine that payment gateways hosted on AliPay (Alibaba) are used for financial transactions.

Several known stakeholders were identified including Li Haihui, Chairman of the Accounting and Taxation Industry Practitioners Branch of Chengdu Xinlian Association and concurrent Chairman of Sichuan Guangxing Certified Public Accountants Co., Ltd. More prominently, Li is a representative of the Sichuan Provincial People's Congress.

Haider shares these pertinent observations:

  • The app has functionality similar to a RAT/spyware, considering the number of permissions it requests (screenshots below).

  • The app has some enhanced anti-VM features (it will not work on virtual machines or emulators).

  • It looks like several loan-based apps share the same codebase with a different interface, so there may be more apps on Play Store by the same developers.

  • There are references and endpoints used at Pakloanneat.com (looks like a possibly different loan app sharing the same codebase/APIs).
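The first observation above, that the permission set alone makes the app look like spyware, can be turned into a repeatable triage check. The script below is an added example written for this post, not code from the original investigation; it assumes the APK's AndroidManifest.xml has already been decoded (e.g. with apktool) and runs over a constructed sample manifest, not Galaxy Loan's actual manifest.

```python
import xml.etree.ElementTree as ET

# Android attribute namespace used in decoded manifests.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a consumer lending app has no legitimate need for; requesting
# several of them is what gives these apps their RAT/spyware-like profile.
SPYWARE_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
}
# Plausible for KYC (selfie / document capture), but still worth recording.
KYC_PERMS = {"android.permission.CAMERA"}

# Constructed sample manifest for illustration only (not Galaxy Loan's).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.loanapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return the spyware-relevant permissions and an overall verdict."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # An accessibility service can read screen content and act for the user,
    # so its presence is flagged on its own regardless of permission count.
    a11y = any(s.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
               for s in root.iter("service"))
    spyware = sorted(requested & SPYWARE_PERMS)
    verdict = "spyware-like" if len(spyware) >= 3 or a11y else ("review" if spyware else "clean")
    return {"package": root.get("package"), "spyware_perms": spyware,
            "kyc_perms": sorted(requested & KYC_PERMS),
            "accessibility_service": a11y, "verdict": verdict}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The threshold of three spyware-class permissions is an assumed heuristic; tune it against manifests of known-legitimate lending apps before relying on it.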

It is unclear to what extent this Chengdu-based company is involved in the operations of the app, i.e., whether it is the beneficial owner itself or another proxy. At present, we are unable to investigate beyond this point.

The report may be further updated in the future.
