One night in November 2020, Sai Aravind phoned a friend. During the two-hour conversation, the 23-year-old cried nonstop, almost unable to speak through his tears.
Aravind died by suicide the following day. Police say he was upset after text messages about him were sent to his entire contact list. “He sends his mother and sister into prostitution and lives off the money they earn,” a text read. Another said: “He sends his friends to have sex with his mother, wife and daughter.”
Aravind did not send these texts himself. Fifteen days before his death, he had taken out a loan of Rs 3,000 using an app called SnapIt. When he failed to repay, the team behind the app allegedly sent all his contacts messages to humiliate him.
His friend told Newslaundry the company also reportedly threatened to “transform” his photos and post them online. Newslaundry saw copies of these messages sent to Aravind’s contacts from unknown numbers.
Aravind is one of ‘at least 64 people’ across India who have committed suicide in the past year after being ‘threatened’ and humiliated by online loan apps, says cybersecurity expert Pravin Kalaiselvan.
These apps offer small loans without a lot of paperwork, but charge high interest rates, often over 100%. They then intimidate customers who are unable to repay the loans, with their astronomical interest, on time. Most of the apps require users to grant access to texts, images, contacts and even the camera when installing them. The apps then copy the contact lists and photos, and use them to harass the victims.
Earlier this year, the Reserve Bank of India identified 600 “illegal lending apps” operating in India. The central bank had received more than 2,500 complaints against online lending apps from January 2020 to March 2021.
On Sept. 9, Finance Minister Nirmala Sitharaman of “illegal loan apps” that offer loans at “exorbitant interest rates” and use “predatory clawback practices.” To operate, these apps must register with the RBI and be part of its “whitelist” – which Sitharaman asked the RBI to prepare – of lending apps that are allowed to be listed in app stores. The RBI has also developed standards to “ensure that a borrower must deal directly with a bank for lending and collection” to eliminate third party agents.
Analysis by the Mobile Security Framework, which is a tool for testing app security, noted that while installing loan apps like Rupeeway, Smart Pokket, and Tytocash, users tend to automatically grant these apps permission to access contact data, or even take pictures and videos using the phone’s camera – although some of these permissions are not required for the app to work.
This data is then used to harass them.
Pravin Kalaiselvam, director of a cybersecurity group called SaveThem India Foundation, believes the problem is serious enough that the Reserve Bank should intervene.
“RBI should ask Google to remove unauthorized lending apps from its Play Store. RBI should also whitelist eligible apps that can be listed on the Play Store,” he said.
As for the police, Kalaiselvam said only a “handful of states” like Telangana, Odisha and Tamil Nadu take such cases seriously. “DGPs in all states should direct police stations to file FIRs on complaints from these victims,” he said.
It’s not illegal for a lending app to recover money it has lent, “but there is a way to do it,” Kalaiselvam said. “The RBI has guidelines in place. They can sue borrowers. But they don’t, because they know what they’re doing is illegal.”
Nandkishore Harikumar, a cybersecurity analyst, said his team investigated 60 to 70 loan apps, all of which required “maximum permissions” to install.
“Consumers installing the apps never wonder why a lending app needs access to your microphone or your photo gallery,” he said. “But due to their needs, they allow all permissions. Even if we identify an app and report it, the people behind the app rename it and re-download it.”
Harikumar said it took Google a long time to remove many of these apps, and the apps would still be available on websites, if not on the Google Play Store.
He pointed out that these apps are promoted under the names of existing and credible authorities. Last month, for example, a group posing online as the Mananthavady Cooperative Farmers Society encouraged users to download malicious apps. “They use believable names to deceive people and claim to have an NBFC license,” Harikumar said. “In India, we still don’t have the regulatory authority to report this type of data theft. This cannot be solved with mere technical expertise. A mix of technology, policy and government intervention is needed.”
“I made the biggest mistake of my life”
Hillary Manjeshwar, in Pune, wanted to take out a loan of Rs 30,000 in July to pay her child’s school fees. A Google search led her to the Creddit app, which she quickly installed.
“It asked for permission to access my contacts, gallery etc,” Manjeshwar said. “In the app, I entered basic information like name, age, payslip, PAN card, Aadhaar card. Then I got a notification saying I was approved for a loan of Rs 27,500.”
To get the money, the app tricked Manjeshwar into uploading a video of herself promising that she would return the money to Creddit App. She did so and received a message on WhatsApp asking her to digitally sign an agreement using an Aadhaar OTP.
“I did,” she said, “and the amount was transferred to my account within minutes.”
Her troubles had just begun. She thought she had 90 days to repay the loan, but the fine print in the agreement she digitally signed said she had to repay it within 15 to 30 days. The interest rate was 0.3% per day. When she couldn’t repay on time, the interest rate jumped to 0.6% per day.
“I had made the biggest mistake of my life,” Manjeshwar said. “I missed the due date and started getting 50-100 calls from different numbers. I asked them to give me some days. But they started sending abusive messages to my phone contacts.” Manjeshwar claimed her relatives even received “legal notices” demanding repayment, followed by men demanding the money.
“I was humiliated and harassed,” she said. “I would have ended my life if I wasn’t responsible for my two children.”
On September 9, Manjeshwar filed an online complaint on the National Cyber Crime portal. She also went to the local police station and filed a complaint saying she would be ‘forced to commit suicide if this harassment didn’t stop’.
Similar stories have been reported in the media.
On September 13, a 24-year-old woman was arrested in Pune for the murder of her grandmother. Police suspect the woman was planning to rob her grandmother to repay loans she took out from online credit applications.
Relatives of Sohail Shaikh, also in Pune, received morphed photos of his wife after he used two apps – Magicloan and Cashmarket.
In May, 38-year-old Malad resident Sandeep Koregaonkar committed suicide. Edited photos of him had been sent to colleagues, friends and relatives after he downloaded a loan application.
In Koregaonkar’s case, a loan collector was charged with inciting suicide. But in most others, no arrests were made.
At least eight people told Newslaundry about the harassment they suffered after using different loan applications. They claimed that the police had dragged their feet in filing complaints, let alone registering FIRs.