Disclaimer: This report has been written with a view to inform, educate and assess developments that impact public well-being. As such, it relies exclusively on open source information collected and analysed by the author while exercising the Right to Freedom of Speech as elaborated in Article 19 of the 1973 Constitution of Pakistan.

Two new Chinese-origin instant loan (shark) apps namely UrCash and MyCash have emerged on Google Play Store, the former specifically targeting unsuspecting needy people in Pakistan. The apps claim they're part of 'Abroad Group'. Let's dig in to examine their origins and links.

Origins & Emergence of the Apps

We begin with the registration of a domain name metaloan(dot)fun on 13 March 2022 by ***** Bo based in Beijing, China through HiChina, an Internet Service Provider (ISP) owned by Alibaba. Bo is a programmer and web designer by occupation. The website is registered on IP address 47.91.108.166 geolocated in Dubai, UAE. However, it is hosted on a server AS45102 owned by Alibaba US Technology Co. Ltd. of China [First Name of Bo can be shared with law enforcement and security agencies, if required; intentionally withheld].

Two months later or 23 May 2022 to be precise, another domain name abroadfintech(dot)com is registered, again through HiChina/ Alibaba.

The first app, UrCash, is released on 17 June 2022. It has more than 10,000 downloads to date. Known information about the app made available through its Play Store description is as follows:-

The second app, MyCash, is released on 1 July 2022. It has just over 50 downloads to date and is most popular in Russia to date. Known information about the app made available through its Play Store description is as follows:-

App Interface

The User Interface (UI) for both apps is the same, and so are the contents of their respective Privacy Policy.

Data Security Concerns

The following are extracts from the Privacy Policies of both UrCash and MyCash:

During the application process, you shall be required to share/upload certain personal information, your name, e-mail address, gender,date of birth, mobile number, passwords, photograph, mobile phone information,SMS, contact list, installed applications and browsing history, data and login-in credentials of Third Party Platforms (defined below), financial information such as bank documents, salary slips, bank statements, PAN card, bank account no., data from Credit Information Companies, data required to Know Your Customer compliances, requirement and other relevant details (Personal Information).

As part of the Services, you authorize us to import your details and Personal Information dispersed over Third Party Platforms. Third Party Plat

forms are social networking platforms, such as Facebook,LinkedIn and other similar platforms.

You understand and acknowledge that the Company reserves the right to track your location (Track) during the provision of the Services, and also in the event that you stop, cease, discontinue to use or avail the Services, through the deletion or uninstallation of the Mobile App or otherwise, till the event that your obligations to pay the Outstanding Amount(s) to LENDER, exist. Deletion, uninstallation, and/or discontinuation of our Services, shall not release you from the responsibility, obligation and liability to repay the Outstanding Amount(s).

Business Partners: We may use certain trusted third party companies and individuals to help us provide, analyse, and improve the services, including but not limited to data storage, maintenance services, database management, credit bureaus, rating agencies, web analytics, payment processing, and improvement of the Platform’s features. These third parties may have access to your information only for purposes of performing these tasks on our behalf and under obligations similar to those in this Privacy Policy. We may disclose your Personal Information to partners who perform business functions or hosting services on our behalf and who may be located outside Pakistan.

We will retain your Personal Information for as long as your registration with us is valid and the Outstanding Amount(s) is due and payable to LENDER. We may also retain and use your Personal Information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. Subject to this section, we will delete your Personal Information upon written request for the same received through your registered email-id. Please note, however, that there might be latency in deleting Personal Information from our servers and backed-up versions might exist even after deletion.

Although we provide appropriate firewalls and protections, we cannot warrant the security of any Personal Information transmitted as our systems are not hack proof. Data pilferage due to unauthorized hacking, virus attacks, technical issues are possible and we take no liabilities or responsibilities for it.

You agree to indemnify us, our subsidiaries, affiliates, officers, agents, co-branders or other partners, and employees and hold us harmless from and against any claims and demand, including reasonable attorneys fees, made by any third party arising out of or relating to: (i) Personal Information and contents that you submit or share through the Platform;(ii) your violation of this Privacy Policy, (iii) or your violation of rights of other Customer(s).

You expressly understand and agree that the Company, including its directors, officers, employees, representatives or the service provider, shall not be liable for any direct, indirect, incidental, special, consequential or exemplary damages

Here's where the app developers left a mistake, they claim that the policy will be governed "by the laws of Pakistan" but continues with "courts of law at Pune" (a city in India):

You can search for this line and notice it within some India-based apps, from which it was certainly copy-pasted.

The Pakistan Network

Social media intelligence revealed several job recruitment announcements for Graphic Designers, Collection Officers etc posted by two separate companies "Recon Services (Private) Limited" and "IENVO Technologies" with an email address hosted on a subdomain of abroadfintech(dot)com. Some samples below:

The Privacy Policy for both UrCash and MyCash says the app was developed by a (third) company called AKK Consultants (Private) Limited:

Based on the above, three companies (as of yet) were identified, linked to Abroad Group. Let's examine them in chronological order:

Company 1: IENVO Technologies

Apparently a software solutions and services providers based in Lahore. Its Facebook page was created on 29 October 2020 and website on 31 October 2020. It is not registered with the SECP and is presently operating from Johar Town, Lahore.

One of the contact numbers advertised by IENVO Technologies (0300-0605224) is actually registered in the name of Highnoon Laboratories, a renowned pharma industry based in Lahore. It is quite likely this number is being misused and is not in the knowledge of Highnoon's management.

Company 2: AKK Consultants (Private) Limited

This company was registered with SECP on 20 May 2022 (CUIN: 0202335) in Islamabad. Its office is situated in G-11 Markaz.

Company 3: Recon Services (Private) Limited

This company was registered with SECP on 23 May 2022 (CUIN: 0202516) in Karachi. Its office is situated in DHA Phase II.

Its profile on LinkedIn declares it a 'subsidy' of Abroad Group and involvement in the "fintech business".

Registered as NBFCs?

It has been confirmed with the Securities and Exchange Commission of Pakistan (SECP) that neither AKK Consultants (Private) Limited nor Recon Services (Private) Limited are licensed as NBFCs. This implies, therefore, that these companies are illegally involved in micro-financing and loan disbursement.

Assessment

Based on the detailed findings shared above, I developed a visual summary that presents a macro-level understanding of the operational paradigm for Abroad Group (you can right-click and open the image in a new tab to zoom in for a better view):

My assessment is as follows:

  • IENVO Technologies, AKK Consultants (Private) Limited and Recon Services (Private) Limited are fronts for unknown patrons of the 'Abroad Group' and are most likely collaborating with Chinese-origin entities.

  • The above-mentioned companies are intentionally operating in a dubious manner to avoid disclosure of inter-dependency and linkages.

  • Recruitments in Lahore and Islamabad (as advertised on LinkedIn) suggest Abroad Group may be using the offices of IENVO Technologies and AKK Consultants (Private) Limited, respectively, for operations involving UrCash and MyCash.

  • Based on identical email IDs for correspondence of both UrCash and MyCash, it is highly likely that both apps are managed from the back-end in Pakistan and also certain entities of Chinese origin.

  • These companies may be involved in activities pertaining to AML/ CFT. Of particular concern is their dubious method of employee recruitment, non-licensing as NBFC with SECP and geographic dispersal.

What can be done?

  • The SECP can initiate proceedings against AKK Consultants (Private) Limited and Recon Services (Private) Limited for operating as NBFCs without authorisation.

  • The State Bank of Pakistan (SBP)/ Financial Monitoring Unit (FMU) can initiate can initiate an inquiry based on leads shared above, particularly from the AML/ CFT perspective.

  • The Pakistan Telecommunication Authority (PTA) can restrict access to the identified websites and IP addresses in Pakistan.

  • The National Telecommunications Information Security Board (NTISB) can issue a notification blacklisting the apps as they collect sensitive personal information, relay it outside Pakistan and absolve themselves of any data security liabilities.

  • Law enforcement action can be initiated against YouTubers etc who are involved in promoting these apps in Pakistan, such as imposition of penalties etc.

If you appreciate the effort I put into this report, you can support me by buying me a cup of coffee. Supporters will get early (and in some cases permanently exclusive) access to future reports.