Digital lending applications, commonly referred to as loan apps, have become a primary channel for microcredit in emerging markets. However, many of these apps demand excessive permissions and misuse sensitive user data for coercive debt-recovery practices, including harassment, blackmail, and public shaming that affect both borrowers and their contacts. This paper presents the first cross-country measurement of loan app compliance against both national regulations and Google's Financial Services Policy. We analyze 434 apps drawn from official registries and app markets from Indonesia, Kenya, Nigeria, Pakistan, and the Philippines. To operationalize policy requirements at scale, we translate policy text into testable permission checks using LLM-assisted policy-to-permission mapping and combine this with static and dynamic analyses of loan apps' code and runtime behavior. Our findings reveal pervasive non-compliance among approved apps: 141 violate national regulatory policy and 147 violate Google policy. Dynamic analysis further shows that several apps transmit sensitive data (contacts, SMS, location, media) before user signup or registration, undermining informed consent and enabling downstream harassment of borrowers and third parties. Following our disclosures, Google removed 93 flagged apps from Google Play, representing over 300M cumulative installs. We advocate for adopting our methodology as a proactive compliance-monitoring tool and offer targeted recommendations for regulators, platforms, and developers to strengthen privacy protections. Overall, our results highlight the need for coordinated enforcement and robust technical safeguards to ensure that digital lending supports financial inclusion without compromising user privacy or safety.

翻译：数字借贷应用（通常称为贷款应用）已成为新兴市场小额信贷的主要渠道。然而，许多此类应用要求过度权限，并滥用敏感用户数据实施胁迫性债务催收行为，包括骚扰、敲诈和公开羞辱，影响借款人及其联系人。本文首次开展了跨国测量研究，评估贷款应用对国家法规及谷歌金融服务政策的合规性。我们分析了来自印度尼西亚、肯尼亚、尼日利亚、巴基斯坦和菲律宾官方注册机构与应用市场的434个应用。为实现政策要求的大规模可操作性，我们采用LLM辅助的政策-权限映射方法将政策文本转化为可测试的权限检查，并结合对贷款应用代码与运行时行为的静态与动态分析。研究发现显示，已审核应用中普遍存在违规现象：141个违反国家监管政策，147个违反谷歌政策。动态分析进一步表明，多个应用在用户注册前即传输敏感数据（联系人、短信、位置、媒体），破坏了知情同意原则，并为借款人和第三方的后续骚扰行为创造条件。根据我们的披露，谷歌已从Google Play下架93个被标记应用，累计安装量超过3亿次。我们主张采用本方法作为主动合规监测工具，并为监管机构、平台和开发者提供针对性建议以加强隐私保护。总体而言，我们的研究结果表明，需要协调执法与强有力的技术保障措施，以确保数字借贷在促进金融包容性的同时不损害用户隐私与安全。