Disclaimer: This report has been written with a view to inform, educate and assess developments that impact public well-being. As such, it relies exclusively on open source information collected and analysed by the author while exercising the Right to Freedom of Speech as elaborated in Article 19 of the 1973 Constitution of Pakistan.
It seems that SeedCred Financial Services Limited ("SeedCred"), parent company of Pakistan's infamous loan shark app Barwaqt, has floated new/ alternate apps in the market that again target users in Pakistan. Before I present my cumulative assessment, on which I base my inference, it is imperative to share some critical observations.
QarzaLoan
This app appeared on Play Store on 18 May 2022 and has been installed in more than 50,000 devices to date. Publicised details include:
Email address for correspondence: [email protected]
Privacy Policy: Hosted on the domain qarzaloan.com [website archive] [policy archive]
QarzaLoan's domain name was purchased on 5 May 2022. Its IPv6 address is 2a06:98c1:3120::c apparently based in the UK. However, an examination of detailed Domain Name Server (DNS) records reveal links to the Text (TXT) and Mail Exchange (MX) servers of Feishu.cn and 163.com.
Feishu is the China-only version of an enterprise collaboration platform developed by ByteDance which also owns TikTok (Feishu's global variant is known as Lark/ Lark Suite).
163.com is one of the many content platforms owned and maintained by Guangzhou Netease Computer System Co. Ltd of China ("NetEase"). NetEase is one of the most famous game development companies in China and they also have a dedicated email hosting platform which appears to be in use by a client who is the patron of QarzaLoan.
What we can deduce from the above is that QarzaLoan's back-end managers/ patrons communicate and correspond using the Feishu platform and one or more email addresses hosted by NetEase.
It was discovered in a YouTube review (1:46 mark) that QarzaLoan sends an OTP to users through a WhatsApp Business account with Pakistani number +923011129833:
What does the prompt above mean, when it says "This business is now working with other companies to manage this chat?"
QarzaLoan app collects detailed sensitive personal information including photo/ video capture, CNIC uploads, access to contacts list etc because its User Interface (UI) is the same as Barwaqt.
AsaanLoan
This app appeared on Play Store on 9 July 2022 and has been installed in more than 1,000 devices to date. Publicised details include:
Email address for correspondence: [email protected]
Privacy Policy: Hosted on the domain asaanloan.pk [website archive] [policy archive]
Compared to other instant loan (shark) apps, AsaanLoan's domain name was registered with a .pk Top Level Domain (TLD)/ PKNIC on 29 June 2022. Its primary IP address 159.138.110.189 is routed from Singapore but has a back-end server (AS136907) hosted in Hong Kong SAR and owned by Huawei Cloud.
AsaanLoan collects detailed sensitive personal information including photo/ video capture, access to contacts list etc.
How are QarzaLoan-AsaanLoan-Barwaqt linked together?
Observation 1: If you go through the Terms & Conditions listed on QarzaLoan's website, it's a replica of the same contents posted on Barwaqt's website. In fact, the website admin of QarzaLoan forgot to substitute a clear mention of Barwaqt on QarzaLoan's website; I'm referring to Section 7.2 (v) on both websites for a more precise marking:
Observation 2: AsaanLoan's website header is a giveaway; it literally mentions "QarzaLoan" in the title, same used in QarzaLoan's website. In fact, the latter contains some Chinese characters in the source code [the developer may have forgotten to change it]:
Observation 3: If you access the main sub-domain for AsaanLoan's Privacy Policy (removing '/privacy(dot)html' from the URL), you can see mentions of QarzaLoan and the link to its website [again, careless developer who forgot to remove these trails]:
Observation 4: The website template for QarzaLoan is almost the exact same replica as that of Barwaqt. Screenshots below for comparison:
Observation 5: Google Play Store URLs for both QarzaLoan and AsaanLoan contain the mention of "Barwaqt":
https://play.google.com/store/apps/details?hl=en&id=asaan.loan.pk.cash.easy.personal.barwaqt.fast.paisa.credit.loanapp
https://play.google.com/store/apps/details?id=loan.credit.cash.easy.jazz.quick.qarza.lend.barwaqt.easypaisa
Integration with EasyPaisa API?
I haven't seen any evidence of QarzaLoan and AsaanLoan integrated with EasyPaisa API. However, the fact remains that Barwaqt, the identified link with both apps, is definitely integrated with API.
Assessment
Based on the detailed findings shared above, my personal assessment is as follows:
QarzaLoan and AsaanLoan are managed from China.
QarzaLoan and AsaanLoan have indisputable links and similarities with Barwaqt owned by SeedCred.
SeedCred is very likely operating QarzaLoan and AsaanLoan as alternatives to Barwaqt [remember that Barwaqt is still out of Play Store and is only hosting a direct download APK file on its website].
QarzaLoan and AsaanLoan have not been advertised or declared openly as products of SeedCred, thus hiding this information from Pakistani state regulators.
What can be done?
The Securities & Exchange Commission of Pakistan (SECP) can order an inquiry against SeedCred in collaboration with the State Bank of Pakistan (SBP) and relevant economic crimes investigation authorities as there could be AML/ CFT issues involved; this would necessitate an investigation by SBP's Financial Monitoring Unit (FMU).
The Pakistan Telecommunication Authority (PTA) can write to Google Play Store and request a take-down of QarzaLoan and AsaanLoan.
The National Telecommunications Information Security Board (NTISB) within Cabinet Division, Prime Minister's Office, can issue a warning about QarzaLoan and AsaanLoan via notifications, as done for Barwaqt and other malicious apps.
Law enforcement action can be initiated against YouTubers etc who are involved in promoting QarzaLoan and AsaanLoan, such as imposition of penalties etc.
Ideally, as a long-term measure, the Government of Pakistan can write to Google and request that stringent evaluation protocols be followed before allowing dubious apps to flourish on Play Store in the future.
If you appreciate the effort I put into this report, you can support me by buying me a cup of coffee. Supporters will get early (and in some cases permanently exclusive) access to future reports.