This study addresses the widespread privacy and security threats posed by Android digital lending applications, which frequently engage in permission abuse, unauthorized collection of sensitive data, and coercive debt collection practices. Conducting the first large-scale, cross-national compliance assessment across five countries encompassing 434 apps, this work proposes a novel policy-to-permission mapping approach powered by large language models (LLMs). By integrating static code analysis, dynamic behavior monitoring, and data flow tracking, the framework systematically identifies violations of both national regulations and Google Play policies. The investigation reveals that 141 apps breach national laws and 147 violate Google’s policies. These findings directly prompted Google to remove 93 high-risk applications—collectively installed over 300 million times—demonstrating an effective, automated, and proactive regulatory pathway for app store governance.

Digital lending applications, commonly referred to as loan apps, have become a primary channel for microcredit in emerging markets. However, many of these apps demand excessive permissions and misuse sensitive user data for coercive debt-recovery practices, including harassment, blackmail, and public shaming that affect both borrowers and their contacts. This paper presents the first cross-country measurement of loan app compliance against both national regulations and Google's Financial Services Policy. We analyze 434 apps drawn from official registries and app markets from Indonesia, Kenya, Nigeria, Pakistan, and the Philippines. To operationalize policy requirements at scale, we translate policy text into testable permission checks using LLM-assisted policy-to-permission mapping and combine this with static and dynamic analyses of loan apps'code and runtime behavior. Our findings reveal pervasive non-compliance among approved apps: 141 violate national regulatory policy and 147 violate Google policy. Dynamic analysis further shows that several apps transmit sensitive data (contacts, SMS, location, media) before user signup or registration, undermining informed consent and enabling downstream harassment of borrowers and third parties. Following our disclosures, Google removed 93 flagged apps from Google Play, representing over 300M cumulative installs. We advocate for adopting our methodology as a proactive compliance-monitoring tool and offer targeted recommendations for regulators, platforms, and developers to strengthen privacy protections. Overall, our results highlight the need for coordinated enforcement and robust technical safeguards to ensure that digital lending supports financial inclusion without compromising user privacy or safety.