Devendrasinh Gohil, a resident of Rajkot and owner of Dealing Beneficial Financial Services Pvt. Ltd, discovered the fraudulent scheme when he received a frantic call from a distressed woman in Mumbai, pleading for mercy.
The woman, who was in tears, said that she had borrowed a little amount of money through CandyCash, a loan app apparently run under Gohil’s company name, but was unable to return the enormous interest she had been charged. She showed her desperation, threatening to commit suicide if the harassment continued. Gohil reassured her that he did not run a mobile app and instead ran an offline finance organisation that was approved by the Reserve Bank of India (RBI).
Gohil started receiving similar calls from people in Lucknow, Surat and Mumbai. Many of them even reached his office. “All of them pleaded with me to write off their loan. They alleged that recovery agents from CandyCash are resorting to blackmail, threatening to circulate morphed photos of the borrowers and their relatives if loan repayments are not made,” said Gohil.
Turns out, Gohil was not the only victim.
The CandyCash app that gave out loans used his company name as the parent company on Play Store. The app was being run with the phone number of a 14-year-old boy from Gujarat. Neither Gohil nor the boy had any clue about it.
After the frantic calls, Gohil was confused and concerned.
The fraudulent app even included the locations and contact information for Gohil's authorised branch offices in Ahmedabad, Rajkot, Vadodara, and Junagadh to give the malicious scheme some legitimacy.
Gohil lost no time and immediately contacted the neighbourhood police and the cybercrime cell of Gujarat.
What did the police investigation reveal?
Speaking to Decode, Gandhinagar Cybercell Police Inspector, Manish Bhakhariya said that as soon as Gohil registered the complaint, the cybercell police contacted Google to pull down CandyCash from its App Store and also asked the search engine company for further details like email id and mobile number associated with the fraudulent app.
“We found that both the Gmail account and the mobile number belonged to a 14 year old boy, who had no knowledge of the scam. The boy is a resident of Babra taluka in Amreli, Gujarat,” said Bhakhariya.
According to the police, the scammers tricked him to get the OTP from him and register his account for the phoney loan app- CandyCash.
Screenshot of the CandyCash App on Google Play Store (Image Courtesy: Devendrasinh Gohil)
After Google received the complaint, the app was pulled down within 36 hours. Bhakhariya and his team got access to CandyCash through reverse engineering for further investigation. “Initially, we found that the app was being operated from Bengaluru, but later it was revealed that the scammers were using VPN to evade the tracing of their location. We still don’t know their actual location,” he said.
Explaining how fraudsters got access to the tons of personal information of the victims through CandyCash, Bhakhariya said, “Once you download it, the app will ask for permissions to access your contact list, your gallery and even Aadhaar number. Not giving much thought to it, the gullible person using the app gives them access to these sensitive information.” This is how the operators of the app engage in blackmail, threatening to distribute manipulated photos of their victims to their contacts.
In order to safeguard consumers from being tricked by deceptive or risky financial products or services, Google laid out strict guidelines for the personal loan apps, which will make sure that user-confidential information is not accessed. The tech giant has prohibited these apps from accessing sensitive data, such as photos and contacts, of the users.
It has mandated personal loan applications in India to complete the Personal Loan App Declaration and provide the supporting paperwork. For example, if the company is licensed to issue personal loans by the Reserve Bank of India (RBI), it must submit a copy of the license for inspection.
‘Such cases are not new’
Bhakhariya told Decode that such cases of duping and blackmailing through fraudulent loan apps is not new. According to him, there was a significant rise in such cases post Covid, as many people lost their jobs during the lockdown. “We have shut around 200-300 such apps on Google Play Store since then,” he said.
The Gandhinagar Cybercell police has dealt with numerous such cases where people in need of a small amount of money (around Rs 2000-3000), flocked to such apps for loans and ended up being the victims of the scam. “These apps charged unrealistic interest rates from their victims, while blackmailing them with their usual threats,” Bhakhariya said.
Of late, the scammers have tweaked their modus operandi as they now randomly send out links to these loan apps via WhatsApp and Telegram, in a bid to trick gullible people. The fraudulent loan apps usually register themselves falsely under an RBI-approved financial service organisation to create a garb of legitimacy. Just as CandyCash used the name of Dealing Beneficial Financial Services Pvt Ltd, an RBI-approved organisation.
Last month, a Rs 20-crore loan fraud was busted by Hyderabad police, where a ten member gang fraudulently raised personal loans on a mobile banking app. The accused gang was involved in duping around 1300 people across India.
In another case, Gujarat Cyber Police nabbed two men who were connected with a Chinese gang that operated an instant loan app and extorted money from people.