 Hello. Hello. Hi, Nitish. We'll go live. Yeah, I'll be live. Okay. Hi, everyone. Wish you a happy 2021 and thank you for joining us on this Sunday evening. I'm your host Srikant and welcome to Cashless Consumers Payment Deep Dives, a series of sessions on real world practice digital payments. In today's session, we'll be looking at Killer Apps: Detecting Predatory Fintech Apps. To provide a brief context, you may have read in the news about app-based loans, suicides and arrests by various police agencies. Cashless Consumer along with Banbridge did a broader study on the larger ecosystem of digital lending, more specifically on the rogue fintech apps. And in today's session, we'll be sharing our findings and thinking aloud on possible solutions to these killer loan apps. Joining us today for the session is Suman Kar, CEO of Banbridge, a cyber security company working on securing individuals and organizations in an increasingly hostile world through a combination of network security products and services. Suman and myself will be jointly presenting over the next 45 minutes and we'll have a Q&A followed by it. Please post your questions on the Zoom Q&A or on the YouTube chat, we'll have them answered at the end. Over to Suman. Alright. Thanks a ton, Srikant and thank you, a big thank you to Hasgeek and everyone there for letting us do this and I'm really excited to share our little research that we've done. Before we go there, I just wanted to say hi, I'm Suman Kar. I started Banbridge back in 2016 and the idea was to change the way cyber security is practiced in India and, you know, make it more India focused and solve problems that we face here in India. And I think our current work is very much in line with our vision as a company. Right. So what I'll do is I'll just share my screen or I'll share a presentation that we've cooked up to make things easy. And by the way, Srikant, should we just wait for a couple more minutes for other people to join in? 
Yeah, just give me a minute. I'm just taking the YouTube stream. Yeah. Now I was just saying if we should, you know, wait for a couple more minutes because I think we have only two people. Yeah, I think there are good folks waiting in YouTube. So I think we can get started. Suman, you can get started. Sure. Okay. So our YouTube is up. Yep. Yeah. All right. Okay. All right. So hello and welcome to our presentation on killer loan apps. I have with me a series of slides that I'll be walking you through and we'll explore whatever we found so far purely from open source intelligence. All right. But before we start, I think maybe Srikant, would you like to share a couple of words about Cashless Consumer and what you're doing with it? Yeah, sure. Yeah. So for those of you joining us for the first time, Cashless Consumer is a consumer collective focusing on digital payments, looking through awareness or technology data and policy surrounding digital payments to move towards a fair cashless society. So as part of our research, we've been looking at payment technologies for a while. And as an extension to that, we've been studying these fintech apps on lending as well. So we're an open community. Feel free to join us on Telegram. And we keep chatting on all things payments from a consumer perspective. Yes, Suman. Thanks, Srikant. And please do join him. He's done some excellent work, not just on killer loan apps, but also a lot on the digital, I mean, digital payments landscape here in India. And we at Banbridge, we work mostly on security. So there is a lot of overlap there with what Srikant does. And apart from security, we also work on privacy and anonymity. We have products that are geared towards securing both individuals as well as organizations and video consulting or organizations, especially data consulting. And that, I guess, is a short and good enough intro. And I'll just get started with the presentation. 
Okay, so our target audience for this presentation would be mostly anyone who is interested in the fintech landscape in India, anyone who's working on OSINT, as well as, you know, engineers and product managers. We also hope that bankers and law enforcement executives will watch our presentation at some point of time. And, you know, we have been able to provide them with valuable insights. So we've seen... Suman, your slides are stuck. Can you see them now? Yeah. Yeah. Yeah. All right. Thanks. Okay. All right. So we also hope the journalists will chime in and especially the ones who've been covering the fintech frauds. And we've had some conversations with them. And we think that there's a lot to explore for both journalists as well as us. And, you know, this is just the beginning. And finally, I think this would be a very interesting presentation for anyone who's starting out in, you know, exploring app-based lending or app-based microfinance, as well as how credit scoring, authentication, KYC, and even, you know, the cash flows through this ecosystem, right? And finally, I think if you are an open source enthusiast, you should probably also watch this because we need your help. Because when we are trying to build supervisory tech for apps, it's not something that we can do by ourselves. So please watch this and, you know, let us know how you can help. All right. And so shout out to some really helpful people on Twitter who, you know, pointed us out in the right direction or even, you know, shared very good intel with us. We'd also like to thank journalists for covering this on a national level. And there's some fantastic OSINT platforms that have helped us do that. Creative Wolf has really, you know, as I mean, he's been fantastic. He's been awesome, actually. He's been juggling work for 40 hours and then, you know, putting in, burning the midnight oil with us. And of course, a huge thank you to Hasgeek for setting this up. All right. 
And before we actually go into the research bit, I just wanted to make sure that we understand that this is not a complete work. This is something that we are working on actively, even as we speak. So this is a rough cut, rough version sort of. And we've not yet covered every single company or app that exists there in this ecosystem. And we've not yet covered, you know, how these apps or companies or individuals are linked with each other. And but we do hope to cover this in over the next couple of months, please. All right. So, I mean, before we get into how to spot a loan app, Srikant, do you want to spare a moment and explain the app-based lending thing? So, yes. So broadly, we are focused on, say, digital lending and even within that, a narrow segment of instant personal loans. So while, say, digital lending would cover a broader set of loan applications and use of digital tools for lending, here we'll be restricting ourselves to the instant loan apps. So these are apps which people can download and install and which also provide them instant personal loan, often with no collateral. And these are for people who are new to credit and who may not have a formal financial profile, credit score and so on. Yes. Thanks. And so, let's say you need money and you don't really have friends, you know, you're in sudden need and you don't have friends who can probably, you know, lend you 2,000 or 3,000 bucks off the bat. And so, what do you do? Because we have a smartphone and we have almost free internet. I think the most natural reaction for us is to go on to Play Store and see if there is an app for that. Play Store being a very helpful tool that it is, you know, the moment you start typing in, it'll give you like 50 different suggestions on, you know, how to look up loan apps. And, you know, I have some of these search suggestions here on the screen, you know, essentially. And that also gives you an idea of what people are searching for. 
So people are essentially looking for loans without salary slips or they want approval in five minutes. So the expectation is that people want low collateral or collateral free loans instantly. Okay. And when you look for that, you are going to find hundreds and hundreds of apps, right? And it's overwhelming when you first start out looking at these apps. So the biggest challenge then is to, you know, find an app that you can trust and that, you know, it's going to solve your problem. And this is where it becomes very tricky because most of these apps, they have a very standard look and feel. If you go on to the app page, you'll see that they have a semi decent logo, they will have a semi decent screen, you know, screen mockups on the app description page. And, you know, you'll probably also see that that app has been downloaded 50,000 or 100,000 times. And you'll see rave reviews as well. So, you know, you'll probably feel very, very comfortable about downloading that app. And that's where people actually go wrong. Because if you scroll down and, you know, if you look at the additional information section, that's where things start getting interesting. For example, most of the apps that have been abusing users' trust or, you know, who've been driven, the apps that have driven people to suicide, they are very, very shady. And when you go down to the additional information section, you'd probably see that they don't even have privacy policy. They probably use a generic Gmail address for consumer complaints. And they probably also do not have a website. The app that we have here on this screenshot is an exception. Why? Because it has a privacy policy, it has a website. Okay. And Srikant is going to tell you more about, you know, the statistics on that for the entire universe of apps that he's seen. But so this is the first red flag. Okay. The second red flag that you should look for is what are people saying about this app? 
So you should go to the reviews page and sort by Newest and then start looking at and start reading at least the, you know, last 20 or last 30 comments. There are two kinds of comments usually. You'd see that, you know, people have mostly trashed the product or you'd see people have given it a five-star review. And if you look at the five-star reviews, they look like they're from bot accounts. Okay. And while we don't have a complete picture on the bot ecosystem, but what you can use to, you know, figure out if it's a bot or not is, you know, you can look at the text. So, you know, if it's a genuine customer, he or she will probably have put in a proper sentence or even a paragraph, right, explaining what he or she liked about the app or what he or she didn't like about the app. On the other hand, these bot-based reviews, they're very, very short usually, you know, and most of them give it a five out of five-star and they'll just, you know, say two or three words like it's a very easy process or, you know, it's a fantastic app. That's about it. Now, once you go through these reviews, you're going to see that, you know, most reviews, most of the user reviews are very, very negative and people will actually start complaining about how they've either not gotten a loan or, you know, they might have gotten a loan, but they've not been able to repay on time and which has led them to accrue further interest. And another important aspect of the reviews is that you would never see anyone from the app company interacting with users. So, the users are mostly left helpless, okay. So, they have no one to complain or they have no recourse. There's another interesting thing that we looked at, that we found actually when we were looking at these apps, and that was how the reviews are distributed. So, if you, this one, this particular app that we have here is an exception, but for most apps that we looked at, the reviews were extremely skewed. 
You would have, you know, you would have 50,000 downloads and around five to 10,000 five-star ratings and probably 500, you know, one-star ratings from the irate customers and nothing in between. Now, when you don't have any reviews in two, three or four star range, it's another huge red flag, okay. So, you probably shouldn't be downloading that app. All right. Now, if you actually take the trouble of visiting the website that's linked to the additional information page, you would see that it's a very generic, low information website. And, you know, if you look up who owns the domain for this particular website, you'd probably find an entity sitting in China. So, what happens here is essentially, you know, you have apps developed in China as well as, you know, websites linked to those apps, developed by some Chinese organization or actor, and you just have the operations here in India. Okay. Srikant, anything, I mean, would you like to pitch in or do you think I'm right or wrong? Yeah, we are good. Yeah. Okay. All right. We did, we actually looked a little deeper and what we did was we looked at the source code of this. We tried to analyze the source code of these apps as well. Few things stand out immediately once you start analyzing the source code. These apps ask for any number of permissions and, I mean, it's mind boggling. I mean, it's very hard to justify why an app that helps you borrow money would want to kill background processes or why they would want to, you know, access your network state, for example, or flashlight. Absolutely. And once you actually start reading the reviews or, you know, start reading the news reports, you'll figure out why they need these permissions. Because, you know, they are using your personal information as a form of collateral. And in order to retrieve that sort of information, they need these very, very broad permissions. Okay. 
The other thing that we can figure out from the source analysis are the players who actually allow these apps to work. For example, you know, you can figure out what sort of payment processor the app is using or what sort of KYC provider they're using. For example, this app, this particular app that you have on the screen, they are using an API or SDK, an SDK is nothing but a software library that serves a particular purpose. So for example, this app uses an API from Advanced AI. It's a Chinese company working on AI-driven EKYC. So this app basically then, you know, takes your picture, sends it back to a server in China, does a test for, and basically checks whether you're a real individual and then, you know, passes in other information back to the app. Then this app also uses Cashfree for payment processing. And you can also figure out that they use a number of third-party tools for these things, pictures and grabbing media from your phone. Okay. So overall, you'd see that any of the, any loan app, any rogue loan app, most of their code is about payment processing. It's about KYC and it's also about retrieving data from your phone. Okay. And Srikant is going to talk about this in detail in a bit. All right. Okay. And there's another thing, another very interesting thing that we found is these apps actually go all out when it comes to App Store Optimization. So, you know, they would have about, you know, 10, 12 keywords stuffed into the name of the APK so that, you know, it scores better. And, you know, these apps come up higher when you're looking to, looking for a, looking for an app to borrow money from. Okay. And, you know, using so many keywords in the name of an app is actually something that we've not seen very frequently. So that's another indicator that, you know, the app is probably not legit. Okay. All right. So before we go further, Srikant, would you just walk through the digital lending scene in India? 
Broadly, digital lending covers, as I mentioned before, a broader set of use of digital technologies for lending. And this includes peer-to-peer lending, which is again, done by a set of NBFCs, but slightly at a larger scale for high value loans. And then there is a token that is coming for business lending based on GST and so on. And then there are retail consumer loans. These are basically the instant loan apps, which people can download. And they often do an online KYC and then service new to credit customers. So typically people who don't have a credit score with CIBIL and so on. And they have an end to end digitization of lending. And on the next slide. So at a very high level, if you compare the offline lending or the previous mode of lending by banks and NBFCs and digital lending, in the case of offline lending, you'll have actually agents who will be sourcing leads. So who will be, these will be telecallers. These will be people who say, good pamphlets and then source leads. Whereas in the case of digital lending, you will increasingly find online ads like key drivers. So you will have online ads on say platforms like YouTube or even say Google ads and so on. Or any of the even ads on your phone. So if you have probably some game app, that will probably have an ad as well. And the offline lending used to have a paper-based flow where you need to fill up a form. It will have an approval cycle done offline. As against in the digital lending world, you will have an online application and an instant approval. So in the offline world, you'll again have some kind of a credit bureau check. In the digital world as well, you would have the credit bureau check. In addition to it, you'll also have alternate credit risk providers, particularly for the new to credit customers. Again, in the offline world, you will have typically will be made to open a new account and or otherwise it would be disbursed via a check. 
Whereas in the case of digital lending, you will get the money instantly using IMPS most likely. Or in some cases, you'll also have a credit card that is sanctioned a little bit. When it comes to collections in the offline world, it's again either predominantly cash or check. Whereas in the digital lending scene, it's mostly done through cards, UPI, and in some cases, eNACH. Another comparison on the recovery tactics in case of default followers is that in the case of offline lending, you will have strong recovery tactics like people coming to your home and so on. In the online, that has an equivalent in the form of cyberbullying and social shaming. So these are the WhatsApp groups that get created and the picture of the person will be put in that group and all that person's contact will be in that WhatsApp group. So that's a form of social shaming. And we've seen that this is like a predominant driver in most of the suicides that have happened. And so why are people driven to suicide? And I think this is something that, Srikant, if you remember, you told me about this, how people actually end up with 20 or 30 different such apps on their phone. And when we started looking into it, what we figured out was that there's always this gap in the amount of money that an individual needs and what the platform provides. The first hurdle for someone who's looking to borrow via one of these loan or lending apps is that when they need about 10,000 rupees, they'll probably get a loan sanction for only 2 or 3,000 rupees. So that's the first problem. Now even when a 2,000 rupees loan is sanctioned, the individual doesn't really get 2,000 rupees. What they get is 2,000 rupees, something less than 2,000 rupees. And they get less because there's a processing fee, usually 14 or 15% of the loan amount that's deducted already. 
So what the individual, so when an individual actually gets a loan, what he or she really gets is the interest for the amount he originally wanted to borrow and then an amount which is slightly less than what he wanted. So for example, if he wanted to borrow 2,000 rupees, he would actually have to pay a processing fee of 280 rupees for a 15-day loan and he would get 1,720 rupees in hand. But when it comes to paying back, he'll have to pay back 2,000 rupees as well as 30 rupees interest that he'll be charged for 15 days. Now this is assuming that he's able to pay within the tenure that the app has scheduled for him. What happens in most cases is, A, the app's payment gateways do not work when people actually try to pay on time, which means they fail and they start accruing interest because usually at twice the interest rate that they're charged when they borrowed in the first place. The other thing is, of course, if you need 5,000 rupees, you get a loan of 2,000 rupees only, you'll probably have trouble making ends meet. So anyway, you might actually also end up having trouble repaying the loan after 15 days. In either case, what happens is then that individual fails, when that individual fails to pay, he or she usually gets a call from the lending app and they will try strong-arm tactics and they will also suggest that they download another app and take a loan, a second loan from that app and pay the first app back. People actually do that and what they end up with then is they take a loan for the original principal and interest from the second app, they pay back the first app and then they are now stuck in a debt trap with the second app. Now when time comes for repaying the second loan, they again face the same problem with payment providers not working, payment gateways failing. So they start accruing interest, then they go move on to a third app and so on and so forth. 
So what really happens after, let's say two or three months is that they end up, they wake up like a huge interest rate, huge amount of interest which would be at least five or six times what they had originally wanted to borrow. And that, that sort of debt burden is driving people to suicide, especially during COVID when the economy was not doing great, people lost jobs. I think this debt burden became way too much for a lot of people. Now it won't be fair to say that COVID basically caused this loan scam to explode. What we found when we started digging in was that this has been going on for at least two to three years. In fact, YouTube hashtags are a fantastic way to trace this history. So one of the earliest hashtags that we were able to attribute to this sort of operation or this sort of online loan, app-based online loans, was personal loan. And if you look at, if you look that particular hashtag up on YouTube, you would see that there are ads or presentations made which go back to 2018. And those are mostly ads and they encourage people to download an app, provide basic identity, proof of identity like Aadhaar or PAN card and then basically apply for loans. And this must have worked for a while because we don't really see too many complaints at that point of time. And this went on for 2018 and then into 2019. And then what happened was that as more and more people started downloading these apps and taking loans, people started defaulting. And as soon as people started defaulting, these lending companies started employing strong-arm tactics. They started calling contacts up and then people started and consumers also started waking up. And that's when they started uploading their complaints on YouTube against such apps and their strong-arm tactics. And you can trace that through the instant loan fraud hashtag. And this was going on till about January or even the first quarter of 2020. And thereafter what happened was the national lockdown due to COVID. 
And suddenly there was this huge, huge gap in what people were earning because a lot of people lost jobs or suddenly they started, their earnings went down but their expenses didn't. And so naturally they started turning in droves. They started running into these apps in droves. And then it was then that the problem actually exploded. In fact, it went, in fact, these complaints went viral and national media channels started covering them. And you can see that by looking up the operation of the hashtag on YouTube. Now, while YouTube provides us with a picture of what the apps were doing to attract customers and what the customers were trying to fight back. We also see that these apps were present on other social media platforms like TikTok and Facebook. And we have a screenshot of a video on TikTok. And this is for an app called CashBean. And CashBean, if you don't know, is an app by PC Finance which is essentially an India Finance Operations of Opera. And by Opera we mean the browser. If you don't know, Opera has been actually getting into markets like Kenya, Nigeria and India and flooding the app stores with loan apps and basically exploiting the P2P lending, basically exploiting the gap in the P2P lending industry. But more on Opera later, we'll just move on to the breadth of operations. So once the operations are 20, we see that and we can see that by looking at the number of related companies that have come up. We have here essentially the number of companies that we were able to link to one or more of the apps that we have. And we see that things were relatively quiet up to 2017 and then in 2018 and 2019, there was a major push and that also coincided with the fact that India was also pushing digitization and digital economy a lot at that point of time. So we see a lot of players come up during that time. And then in 2020, things just go astronomical. 
And while we see a lion's share of these companies come up in Bangalore, we see that companies coming up in most of the other major metro towns as well. Two cities have been missing actually from operations and it's been a surprise for us. One is definitely Mumbai and the other is Kolkata. Both of these cities actually register a ton of companies every month and to not find any of the app-based lending companies come up in Mumbai, which is the financial capital or even Kolkata, which is a gateway to the Northeast, is surprising. And more on the optional homes we can't know. Yeah, so we analyzed this series, a dump of 1000 apps of which around 700 to 750 were available on Play Store. So on what was there on Play Store, we were able to further analyze the Play Store metadata. So what Suman showed up on the first screen. So in the Play Store data, we only found that only 300 apps actually had a website. So the remaining didn't have a website. And in Play Store, there's also a physical address that's present. And only 90 of these apps had a physical address. And here it's not even a legitimate address. It could be something like even Bangalore, India. So only 90 of these apps even had something mentioned in the physical address. I mean, this is another proxy indicator to detect if an app is real or fake. So one easy way is to check the address. And then if you have some doubt or want to double check, take that address and search out on Google Maps, you would probably see if there's a company or if there's a bylane, a gully in which somebody has put a board. So you'll know the difference whether it's an actual company in the city or in some bylane in some city. So there were 300 other apps which are either part of the Google Play Store or were never uploaded into Play Store. So we don't know whether they were in Play Store and then got deleted or they never made it to Play Store. But there are again 300 other apps on that. Just a second. Sorry. 
So I just lost the presentation. Do you want me to reshare? Yeah. No. Okay. Yeah. So on one thing, one other thing that we found was among these thousand apps, 600 of them at least used some kind of liveness detection or they took the selfie and then they ran it across an AI. So while this might seem like a very non-trivial thing, this also has a great concern on national security because what this piece of code does is it also collects the facial-recognition-worthy image along with the personal details of the individual. So practically it has the potential to say mirror the Aadhaar database if the person also used say provided Aadhaar while applying for this loan. And these entities so then collect have faces and then the ID proofs and so on. So which could essentially mean they could build a parallel Aadhaar system. And this needs to be studied in depth as to what kind of data they are storing and how they are processing. And also 85% of these apps were broadly white label based. So by that I mean these were apps that were deployed out of the same template. So there's probably one company that makes a white label app and then the individual companies that brand themselves as whatever apps they want to do their branding and then release the app. But the app functionality in terms of the technology backend remains the same. So by and large there are we found three to four white label providers on whom a lot of these apps were based on. So that's also the reason why most of these apps were like so similar to each other. Right. And so and the apps it's not just that the apps are similar right. We also found that there's a huge amount of overlap in the directorship that these companies have. When we started looking when we started looking at the apps we also tried to map which registered company each individual app belonged to. And then we started looking at the directors of those companies. 
And as we went along that road what we found was that the same names kept coming up across different companies. And it's not just the names of individuals that came up repeatedly but we saw that you know the same address come up against 30, 40 apps in one case. Or we would see same email address that has come up against you know companies that have been registered in four different cities. All right. Now that's the Indian human resource part of the company. But what these app companies also share in common is that they have at least one or two directors whose names appear to be Chinese at this point of time. And in fact what we saw was there would be one Indian individual who would share directorship with multiple individuals with names that appear to be Chinese. And and we see this pattern repeated across cities especially in the companies that have come up between 2019 and 2020. And what surprised us was the fact that in spite of the travel ban in spite of the lockdown the speed at which companies kept getting created did not go down. And all right. So apart from individuals we also wanted to take a look at what all services these apps use. And I think Srikant has some insight into this Srikant would you like to. Yeah. So broadly everyone knows that say they use WhatsApp to do recovery of the social shaming and so on. So that's the obvious part of it. And the next obvious part is also that some of these apps have a payment processor. So we do have. So here again there is a distinction. There are apps without any kind of payment integration and possibly the both disbursements as well as the collections happen using individuals' GPay account or Paytm or UPI in which case the app will not have any payment processor in it. But we did find good amount of apps having either Razorpay, Cashfree or PayU integrated into them. So that's the payment. So these apps do use payment processors which means that they actually use say a bank account that has a PAN to it. 
And this is also the reason why say they form so many companies. So for each company they would get a PAN for that company and then they would probably be able to open a bank account and to which they could get payments via these payment processors. And aside from that the next obvious thing would be the EKYC provider. So EKYC post COVID has also been largely focused on video KYC which means that you take a selfie video or a selfie and then upload on the app. And for these they use by and large two providers. One is HyperVerge. This is an Indian startup providing KYC services and then the other company is Advanced AI. This is the looks like again a Chinese startup based out of Singapore which has operations in six countries. And both of these apps collect the selfies and then do a deduplication of that over its database so that they know that whether you have gotten a loan from another app and so on and with which they build again your credit profile tied to your face. And in one sense you can actually say these they are actually also building a facial ID database at a multi-country scale because they're not operating in just one country but typically their operations span across India, Vietnam, Thailand, Indonesia and in some cases Mexico and Nigeria. But largely the facial ID providers have largely focused either remained in Asia probably because to tune their models to Asian faces which follow a pattern. And then some of them also use Alibaba the Chinese cloud service provider although the Indian apps typically use say Amazon AWS or Azure, Google Cloud Platform. The Chinese apps use the Alibaba Cloud as their cloud backend and then comes ad brokers. So these are basically drivers to get the app installed. So while these apps are listed on Play Store and depend on Play Store for installation that's not their primary source of app installation. 
They do depend on ad brokers who kind of show up ads to users who are more likely to install these apps, and there are these multiple ad brokers who use the gambling apps, YouTube to push in ads.

And then there are analytics providers who basically do their bit in analyzing all your SMSs, or in some cases including your, say, contacts and call registries, to kind of give you a credit score or an alternate score. And here again we have HyperVerge, Advance.AI, I think 360 years providers.

And moving on, we have, like, white label providers. So as I was mentioning, a large section of these apps were kind of generated by white label providers. So we found, like, at least three entities: Pytixie, Epoch and Fintopia. Fintopia interestingly is registered in Bangalore, but again is a pan-Asian fintech-as-a-service white label provider, whereas Pytixie and Epoch are headquartered out of China. And so all these three entities basically are like shops where anyone can go and buy, like, give me a fintech app, or give me a loan app plus the loan back end, or give me all technology that's needed for me to run a loan app. So you can just go and shop the technology required to run operations for these digital lending apps.

And then, of course, all these apps use a wide range of permissions on Android to kind of source data. And what's interesting to note is that while they source data after you install any of these apps, they also use data brokers who have embedded themselves into some of the other apps. So even if you don't have a loan app today on your phone, depending on the app that you have, that could be seemingly unharmful, let's say a gaming app for, say, a bubble shooter or something that your kid plays, but it might also be collecting the same amount of data and sending it to data brokers, who would then share that to, say, the analytics providers and the white labels to convert that data into risk models and credit models.
So these are again some of the technology services that these apps lend, and there are, like, a wide range of providers for each of these bits, and put together they form the digital lending ecosystem providers, so to speak.

Okay, and Srikanth, I think the overwhelming theme that we have seen across this ecosystem, so whether it's an analytics provider or whether it's a cloud provider or whether, you know, it's the core, we see that most of it is sourced from China, and we also see that the money is probably also flowing in from China via individual investors, right. Right. Now I think we really think that this is a fairly serious situation we are in as a country and we need to take some bold steps to address this. So we think there are four areas of action at this point of time. One is to definitely raise awareness among individuals so they don't fall into this debt trap. The second one would be to work with platforms like Google and Apple to make sure that these sort of microfinance apps do not end up abusing users' trust or they do not abuse personally identifiable information, and we also need to make sure that the ads that pop up on platforms like Facebook or, you know, TikTok or YouTube, they do not exploit this particular segment of our population who need money but are probably not financially very aware. On the regulation side, I would say this is one area where regulation definitely needs to pitch in. You know, we've had a banking sector, a thriving banking sector, for decades now, and yet, you know, the unbanked, or, you know, financial inclusion has not been stellar, and the lack of financial inclusion often leads to, you know, people without anywhere to go when they really need money to make ends meet. So this is not like people need money to, you know, to gamble, but these are people who probably need money to go see a doctor, or probably, you know, the rap cab driver who needs money to, you know, get his cab repaired so that, you know, he can run it the next day.
So we really hope that, you know, RBI is going to pitch in, you know, take a stronger stance and steps. And finally, we think law enforcement needs to do a lot more. We've seen some laudable efforts from the police force in Hyderabad, in Chennai, but given the breadth of the operation we think a nationwide approach would probably serve better. Srikanth, your thoughts on this?

Yeah, so on the enforcement, a couple of things. One is regulatory supervision by RBI on how these actors get access to bank accounts, payment processor systems and so on. So that's one area where there have to be stringent guidelines on, say, due diligence before having gateway accounts and so on. And the other is that we are still to see the end of this, in the sense that there has been some action and investigation by the police, which is laudable, but oftentimes, especially in the context of cyber crime, there hasn't been a prosecution, so somebody is not going into jail convicted, and that needs to kind of go up to have these frauds checked. So it should not be like there's some police action that's happening and then it slowly fizzles out in the news and nobody gets arrested and things get back to normal. So that's one area again where, particularly in the context of cyber crime, the prosecution of these crimes needs to have a better role as well.

Another thing that, you know, I forgot to add is the fact that personal data, including, you know, the Aadhaar information, not your facial biometric information, is being shipped off outside of India. That itself is a huge national security concern, right?
Right, and the scale at which it goes. And we typically see these entities proudly say that they have a database of, like, 100 million users and so on, which is roughly like 10% of the population, and having that kind of detailed level of information essentially kind of defeats the purpose if you're trying to use, again, systems like Aadhaar, because somebody else also has a copy of almost everything that's there with these sensitive systems.

Right. So how did we go about figuring out all this information? So we did two things: one, we built a set of tools ourselves, and we used a few third-party tools. I'll let Srikanth chime in on the third-party tools, but I'll just take a moment to explain what sort of tools we have built. One, we've built scrapers to gather information on companies, especially the ones that are related to these apps. So we look at the app metadata on Play Store, we then cross-reference it with application, we then basically cross-reference it with the publicly available metadata of corporates in India, and we then also look up the director information from that corporate data. Okay, so that's one thing. The other thing that we are doing is we are building our own tool to make it easy for anyone to look up the network of these apps by using indicators or artifacts that we think are interesting. For example, you know, one indicator that we found very useful has been the email ID that is registered against any company, okay, or for that matter, you know, the name of a director. So, you know, you should be able to look up how many companies and individuals are linked with just one click, essentially. Okay, and I'll go on to that in a second. Srikanth, you want to just go through the other tools that you want?
Yes, the other tools include, like, kudos, which is an Android/iOS mobile application open source intelligence tool. So what they do is they analyze pretty much every other app that's out there and provide the analysis for us to query based on a range of factors. So this is how we figured out a bunch of apps use the same facial recognition provider, or a bunch of apps are hosted on Alibaba cloud. So you can actually do a search on videos of these parameters and then get a list of apps, and can monitor these searches as well. The other is MobSF, which is an open source mobile security framework which can analyze any particular given app. So when we are short of intelligence from the standard analysis that's out there, MobSF reverses an entire app and then lets us go in deep as to what all an app does. One could even get an approximately accurate reverse code. And then there is a Google Play API that we use to dump all the data into the database that we have of all the apps, which basically, given any app, can fetch all the metadata involved, or it could even get a list of apps on a particular search term and then populate the list of apps. And this is how we kind of built the database of 1000 apps, and we are still, like, using these tools to kind of expand the database.

Yeah. All right, so what I'm going to do is probably give a sneak preview of the tool that we are working on. So here it goes. It's very much a work in progress and, you know, we hope to improve it over time. All right, so it's basically a web app and we've built it on top of Vue, and it has a basic search interface, and you should be able to, you know, input, let's say, an email ID and, you know, figure out if there are any matches. Okay, let me just check.

And whilst Suman checks that, if you have questions please type them on the Zoom Q&A or the YouTube chat. We'll have them answered now.

Right, so yeah, you should be able to type in, you know, even a part of a name and, yeah, if you click on search
you'll get a host of companies that, you know, have that string either in the email address or, you know, as the name of the director, and, you know, then you can start digging into each of these apps. We also have an app list, so we have listed almost all the apps that we have seen here, and we hope to add more metadata as and when we figure out stuff. And we plan to share this with everyone. We'll put it up on our website, we'll also make sure that the source code is available to everyone, and, okay, so we'll also provide a link for downloading the data. Okay, right. I think for the time being that would be all that we have to show, but we'll keep posting as and when we improve this web app, and you should be able to get, you know, the information from our Twitter feed and, you know, you should be able to get the source from our GitHub repo. Okay, all right, so we're almost done. Anything else? All right, so yeah, Srikanth, you want to take the last line?

Hello. Yeah, so while we wait for questions, feel free to join us as we kind of build this small little tech to kind of be a watchtower on top of these app ecosystems. So I'm Srikanth, you can follow our work on Cashless Consumer on our website, a blog, or join our Telegram channel and chat with us. You can reach Suman on Banbreach on Twitter, GitHub. Let me see if we have any questions. Okay, so Tarnima asks: the graph on annual companies registrations, what sort of companies are you describing? So I think this is on the earlier slide, Suman, right?

Let's go back. This one, right? Companies incorporated by year, right. Right, right, right. Okay, so, okay, so the quick, can you just repeat the question once, please?

Are you describing in the graph of company registration?

Right, that's a good question actually. So the way we started doing this, or building this graph, was we started with one company. Okay, we started with one or two companies that came up on Play Store app descriptions, and then we basically, you know, put it in a table and we listed
or mapped out the directors for that particular company. For each individual director, we started looking at what other companies that individual is a director of, okay, and then we added those companies to our original table, and those new set of companies will have had newer directors, right, and then we started following those directors. And we did this for a while, for about 200-odd companies, and then we started automating it, and then we ended up with around half a million companies. Okay, but I mean, what you're seeing here is basically a snapshot of the first 200, 250 companies that we looked at. Okay, and these are the ones that we have come across both via that, you know, network traversal as well as ones that we have been able to cross-reference or validate with our, you know, with app descriptions, or companies that have come up in news reports of arrests that police have made. Okay.

Okay, so the next question comes from Raminder Singh. He asks: how can we enforce Play Stores like Google to have an indicator within Play Store to red mark few apps, like there's no indicator if any app is banned by government but already on my phone, and we are not getting any notification to uninstall or that it's banned. Okay, I think this largely is about people who have already installed one of these apps, but then Google Play Store removes these apps for whatever reason, after the arrests or police writing in to them, but the users who already downloaded the app, I don't think they are getting any notification to uninstall or that it's banned.

But this is a very good question actually, and I think this is something that we need to push Google into doing. Basically, you know, it's up to them. If they're going to remove an app, they should inform existing users that, you know, this is the reason that they're removing an app.

Yeah, and the other question that he had is: what is the roadmap for community contribution? I am assuming he's
asking about the stuff we are building, or, I don't know, the question is very broad-ended. So if that's the thing that you're asking, I think Suman will kind of put it up when we have sorted out some of the initial things, and then put it up on GitHub, and you could feel free to pitch in and improve that app. He has another question: is there a way to know these apps' ads reach, what's the footprint, like how many citizens are getting their ads reached? This might be huge, to know their reach. I think this is some way of measuring the reach of the ads that pop up for these apps. So is there a way to kind of measure the reach of these ads of these apps?

It would be interesting, definitely, but right now it's not something we've looked at and we don't really have any data that we can point you to, unfortunately. We'll keep this in mind.

Right, right. I think Ravi has an interesting comment here. Ravi said, yeah, he says that Google Play Store probably does notify users when they remove an app, but probably not very sure on this.

So again, you know, this is something we could probably double check with Google Play Store policy, you know, and basically, you know, we'll share whatever we learn.

And ideally the Play Protect should kind of come into these, especially given that there is a law enforcement action over these apps. So something like a Play Protect notification should go in, I mean, even if it's a side-loaded app. If you have Play Protect on your device, that should alert you saying that you kind of have an app that we've deemed illegal because of a police action or something like that.

Yes, and I think there's another problem here. So Google Play Store is not the only place that people can install apps from, right? So you also need to keep in mind that there are third-party app stores or even websites of these companies where, you know, the APKs are often hosted, and people can simply download it from there and start using it.

Right, right. All right, so
Siddharth Joshi asked: for the database, is there a plan to have a public API to access this DB? I linked him up to the Play Store DB that we have, but I'll leave it to you to answer for the director information and company information.

Yeah, right. So we are definitely going to have all of this information packaged into a web app. I'm not really sure if it makes sense to open up an API, because it takes work, honestly speaking, to, you know, spin up an API, and unless there's a lot of interest we may not just be able to do that. But if you specifically want access, please reach out to me. I'll be more than happy to share it with you personally.

Okay. Website should also have, so, I mean, this thing has a suggestion that says the website should have a few learning videos and also news clippings on thoughts, and that probably we could just link this video as well on the website. And that's a good suggestion on notice. We should make some smaller videos on how to detect these apps.

All right, absolutely.

We don't see any other comment. Is there anything else from your side, Suman?

Not really. I think, you know, I've covered most of what I wanted to do, and anyway, this is just the beginning, right, and we're going to cover this in detail over the next two months, and I'm hoping you read about it a lot more in news stories as well. And Srikanth has also been sharing information with TV journalists, so, you know, not just in print or online, it'll also be available to you on national TV. So yeah, stay tuned. Over to you, Srikanth.

Okay, and thank you for joining for this session. I think that's all we have for today, and let's hope that these loan apps don't kill one more person anymore. And with that we'll close the session. Thank you for joining.

Thank you, bye.