28 Fake Call History Apps Defraud Users After 7.3 Million Downloads
Cybersecurity researchers have uncovered a coordinated scheme involving 28 fraudulent Android apps on the Google Play Store that falsely advertised the ability to look up the call history of any phone number. Rather than delivering the promised functionality, the apps enrolled users into deceptive paid subscriptions, charged recurring fees, and provided entirely fabricated call data — defrauding users financially while delivering no legitimate service.
The 28 apps collectively accumulated 7.3 million downloads before being identified and removed from the Play Store.
How the Scam Worked
The False Promise
Each app in the campaign was marketed with claims of accessing call logs for any phone number entered by the user — a capability that does not legitimately exist on Android for privacy and security reasons. Despite this technical impossibility, the apps attracted millions of downloads from users hoping to verify call histories for personal or investigative purposes.
The Deceptive Subscription Flow
Once installed, the apps followed a consistent pattern:
- Prompt user to enter a phone number they wish to "look up"
- Display a loading/searching animation creating the appearance of data retrieval
- Present a paywall requiring subscription payment to view "results"
- Charge subscription fees ranging from several to tens of dollars per month
- Deliver fabricated call history data — entirely invented records with no connection to actual calls
- Continue billing users who did not notice the recurring charge or struggled to cancel
Subscription Trap Design
The subscription interfaces used dark patterns to maximize conversion and minimize cancellation:
- Prominently displayed "trial" periods with obscured auto-renewal terms
- Cancellation processes buried in multi-step account settings
- Billing through the Google Play payment system, making disputes more complex for users
- App names and interfaces designed to appear as legitimate data services
Scale and Impact
| Metric | Detail |
|---|---|
| Total apps discovered | 28 |
| Total Play Store downloads | 7.3 million |
| Distribution channel | Google Play Store (official) |
| Monetization method | Fraudulent paid subscriptions |
| Data delivered | Fabricated — no real call history data |
| Targets | Android users globally |
The 7.3 million download figure represents a significant user base exposed to financial loss. Even at relatively modest subscription rates, the scheme could have generated tens of millions of dollars in fraudulent charges before researcher discovery and app removal.
Why These Apps Bypassed Google Play Review
The campaign's success in reaching the Play Store at scale reflects several challenges in automated and manual app review processes:
Deferred Malicious Behavior
Many fleeceware and scam apps behave legitimately during the review window and only activate fraudulent subscription flows after initial install or after a delay — a technique that has repeatedly bypassed Google Play Protect's automated analysis.
Legitimate API Usage
Unlike traditional malware, these apps did not require dangerous permissions or exploit system vulnerabilities. They used only standard Play Billing APIs — the same payment infrastructure used by legitimate apps — making them difficult to distinguish from genuine subscription-based services at the API level.
Category Ambiguity
Apps marketed as "phone lookup" or "caller ID" tools exist as a legitimate category, providing cover for fraudulent apps that superficially resemble genuine products during review.
Fleeceware: A Persistent Threat Category
This campaign falls into the fleeceware category — apps that abuse subscription billing to extract money from users under false pretenses. Fleeceware does not necessarily contain traditional malware (trojans, spyware, RATs) but causes financial harm through:
- Deceptive functionality claims — the app does not do what it advertises
- Aggressive subscription enrollment — often on first launch or during onboarding
- Complex cancellation — maximizing subscriber retention through friction
- Fabricated or useless data — delivering "results" that satisfy the transaction flow without providing real value
Fleeceware campaigns have been a persistent problem across both the Google Play Store and Apple App Store, with security researchers repeatedly uncovering coordinated waves of fraudulent apps in categories including:
- Phone number and caller ID lookup
- Reverse image search
- Wi-Fi speed testing
- Horoscope and fortune telling
- PDF/document conversion
Recommendations for Android Users
Avoid "Phone Lookup" and "Call History" Apps
No Android app can legitimately access the call history of phone numbers you do not own. The ability to retrieve another person's call records, or those of an arbitrary phone number, does not exist on Android; any app claiming this functionality is either fraudulent or misleading.
Review and Cancel Unwanted Subscriptions
Check your active Google Play subscriptions:
- Open the Google Play Store app
- Tap your profile icon → Payments and subscriptions → Subscriptions
- Review all active subscriptions and cancel any you do not recognize or did not intentionally start
Dispute Fraudulent Charges
If you were charged by one of these apps:
- Request a refund through Google Play — Google's refund policy covers subscriptions enrolled through deceptive means
- Contact your bank or card issuer to dispute charges if Google Play refunds are unsuccessful
- File a complaint with your local consumer protection authority
General App Safety Practices
- Read reviews critically — look for reports of unexpected charges in user reviews
- Check the developer's other apps — fleeceware campaigns often involve multiple apps from the same developer account
- Review permissions before installing — subscription-based scam apps rarely need unusual permissions, but excessive permissions on utility apps warrant scrutiny
- Verify claimed functionality is technically possible before paying for it
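The practices above can be turned into a simple screening heuristic for a listing and its developer's catalogue. The following is an added example written for this article, not code from the researchers, from Google or from the apps described; the app names, developer name, descriptions and reviews are constructed sample data, and the phrase lists, score weights and thresholds are assumptions chosen for illustration.

```python
"""Heuristic fleeceware triage for a Play Store listing (added example).

Scores a listing against three checks drawn from the article: descriptions
that claim functionality Android does not provide, user reviews reporting
unexpected charges, and clusters of near-identical apps under one developer
account. All data below is constructed; names are hypothetical.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Capability claims that cannot be true for a third-party Android app
# (call logs of numbers the user does not own). Assumed phrase list.
IMPOSSIBLE_CLAIMS = [
    r"call (history|log)s? (of|for) any (phone )?number",
    r"see who (anyone|any number) (called|texted)",
    r"track (any|someone else'?s) calls",
]

# Review wording that typically signals billing problems. Assumed phrase list.
BILLING_COMPLAINTS = [
    r"charged", r"subscription", r"refund", r"can'?t cancel", r"scam", r"auto.?renew",
]


@dataclass
class Listing:
    name: str
    developer: str
    description: str
    reviews: list[str] = field(default_factory=list)


def claims_impossible_functionality(description: str) -> bool:
    """True if the description advertises a capability Android does not expose."""
    text = description.lower()
    return any(re.search(pattern, text) for pattern in IMPOSSIBLE_CLAIMS)


def billing_complaint_ratio(reviews: list[str]) -> float:
    """Fraction of reviews that mention a billing complaint."""
    if not reviews:
        return 0.0
    hits = sum(
        1 for review in reviews
        if any(re.search(pattern, review.lower()) for pattern in BILLING_COMPLAINTS)
    )
    return hits / len(reviews)


def _name_stem(name: str) -> str:
    """Collapse 'Call History Lookup', 'Call History Lookup Pro' and
    'Call-History Lookup 2' to one stem so clones can be grouped."""
    words = re.sub(r"[^a-z]+", " ", name.lower()).split()
    return " ".join(w for w in words if w not in {"pro", "plus", "lite", "free", "premium"})


def sibling_count(catalogue: list[Listing], listing: Listing) -> int:
    """Other apps by the same developer whose name reduces to the same stem."""
    stem = _name_stem(listing.name)
    return sum(
        1 for other in catalogue
        if other is not listing
        and other.developer == listing.developer
        and _name_stem(other.name) == stem
    )


def fleeceware_score(listing: Listing, catalogue: list[Listing]) -> dict:
    """Combine the three checks into a score and verdict (weights are assumptions)."""
    score, reasons = 0, []
    if claims_impossible_functionality(listing.description):
        score += 3
        reasons.append("description claims functionality Android does not provide")
    ratio = billing_complaint_ratio(listing.reviews)
    if ratio >= 0.3:
        score += 2
        reasons.append(f"{ratio:.0%} of reviews report billing problems")
    siblings = sibling_count(catalogue, listing)
    if siblings:
        score += min(siblings, 3)
        reasons.append(f"{siblings} near-identical apps from the same developer")
    verdict = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample catalogue: three clones from one hypothetical developer
# plus an unrelated benign app.
SAMPLE_CATALOGUE = [
    Listing("Call History Lookup", "Hypothetical Apps Ltd",
            "Look up the full call history of any phone number instantly. Free trial!",
            ["Charged me $29.99 and the results were fake",
             "Can't cancel the subscription, still being billed",
             "Works great",
             "Showed random numbers I never called. Scam."]),
    Listing("Call History Lookup Pro", "Hypothetical Apps Ltd",
            "Find the call log for any number.", ["Charged without warning"]),
    Listing("Call-History Lookup 2", "Hypothetical Apps Ltd",
            "Call history of any phone number.", []),
    Listing("Notes Keeper", "Another Dev", "Simple offline notes.", ["Nice", "Works"]),
]

if __name__ == "__main__":
    for app in SAMPLE_CATALOGUE:
        result = fleeceware_score(app, SAMPLE_CATALOGUE)
        print(f"{app.name!r}: {result['verdict']} ({result['score']}) {result['reasons']}")
```

The weights are deliberately coarse: the point is that each of the article's manual checks (impossible claim, complaint-heavy reviews, clone apps under one account) can be evaluated mechanically before any money is spent, and that the three signals reinforce each other.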
Google's Response
Google's Play Protect system and manual review processes eventually resulted in the removal of the 28 identified apps following researcher disclosure. Google has said it is continuing to work on improving detection of deceptive subscription practices, including closer review of apps in categories historically associated with fleeceware.
Users who downloaded any of the 28 apps should verify their subscription status and request refunds as appropriate through the Google Play refund process.