28 Fake Call History Apps Defrauded Users After 7.3 Million Google Play Downloads

Cybersecurity researchers have discovered 28 fraudulent Android applications on the official Google Play Store that collectively accumulated over 7.3 million downloads while systematically defrauding users through hidden subscription billing. The apps claimed to provide access to call histories for any phone number — a capability that does not technically exist on Android — but after steering users into paid subscriptions, delivered only fabricated data. One app alone exceeded one million downloads before being flagged.

Technical Details: How the Fraud Worked

The apps operated under a deceptive value proposition: they claimed to let users look up the incoming and outgoing call records of any phone number. This is not possible on Android — the operating system's permission model prevents apps from accessing call logs belonging to other users or other devices. The operators knew this and were never attempting to provide the service they advertised.

The fraud pattern followed a consistent structure:

  • Discovery: Users found the apps through Play Store search results for terms like "call history lookup," "check who called me," and similar queries
  • Free trial hook: Apps presented a free trial period to establish engagement
  • Subscription enrollment: After the trial, users were enrolled into recurring subscription charges — typically processed through Google Play's in-app billing infrastructure, which attaches charges to the user's Google account
  • Fake output delivery: After payment, the apps returned fabricated or nonsensical call history data, presenting made-up call records that bore no relationship to any real phone activity
  • Retention by complexity: Cancellation procedures were deliberately obscured, relying on users' unfamiliarity with managing Play Store subscriptions to extend the billing period

This class of fraud is known as fleeceware — apps that do not contain traditional malware (no data theft, no device compromise) but weaponize subscription billing mechanics to extract money from users under false pretenses. Fleeceware exploits a gap in Play Store vetting: Google's automated review primarily screens for malicious code, not for deceptive service claims that require evaluating the functional accuracy of what an app promises to deliver.

The fact that one app alone reached over one million downloads suggests either significant advertising spend driving installs, or effective keyword optimization within the Play Store's search algorithm — or both.

Who Is Affected

Users who downloaded any of the 28 apps and proceeded past the free trial stage may have been billed recurring subscription fees. The exact apps and their package names have been documented by the researchers involved; users can check their Google Play subscription management page to audit active subscriptions:

  • Android: Open the Play Store → Profile icon → Payments & subscriptions → Subscriptions
  • Via browser: Visit play.google.com → Account → Subscriptions

The affected user population spans any country where the apps were available on the Play Store. The 7.3 million total download count suggests a significant international distribution.

Users who installed the apps but declined subscription enrollment were not financially harmed, though the apps may still be present on their devices and should be removed.

What You Should Do Right Now

  • Audit your active Google Play subscriptions immediately. Open the Play Store, go to Payments & subscriptions → Subscriptions, and review every active subscription. Cancel any you do not recognize or did not intentionally enroll in.
  • Request a refund through Google Play for any fraudulent charges. Google's refund policy allows charge disputes within a defined window — open the Play Store → Payments & subscriptions → Budget & history and tap "Report a problem" on the relevant charge. For charges outside the standard refund window, contact your bank or card issuer to dispute the transactions as unauthorized.
  • Remove the apps if still installed. Even if you cancelled the subscription, apps in this category have no legitimate function and should be uninstalled.
  • Check your bank or card statements for recurring charges you cannot identify — fleeceware subscriptions often appear under generic or slightly obfuscated merchant names that users may not associate with the app they downloaded.
  • Report the apps to Google Play using the "Flag as inappropriate" function — reporting helps trigger additional review and accelerates removal of apps that have not yet been taken down.
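As an added example, not from the article or the researchers it cites, the following Python check implements the statement-audit advice above: it reads a card statement export and flags charges that recur at a roughly monthly interval under the same merchant descriptor and amount. The statement rows, merchant names and dates are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample statement rows (not real data): ISO date, merchant descriptor, amount.
STATEMENT = [
    ("2024-01-03", "GOOGLE *CallHist Pro", 9.99),
    ("2024-01-10", "GROCERY MART", 54.12),
    ("2024-02-03", "GOOGLE *CallHist Pro", 9.99),
    ("2024-02-14", "COFFEE SHOP", 4.50),
    ("2024-03-04", "GOOGLE *CallHist Pro", 9.99),
    ("2024-03-04", "GOOGLE *OtherApp", 9.99),  # single charge, not recurring
    ("2024-04-03", "GOOGLE *CallHist Pro", 9.99),
]


def find_recurring(statement, min_hits=3, period_days=(28, 32)):
    """Return charges that repeat at a roughly monthly interval.

    Rows are grouped by normalised (merchant, amount) and sorted by date; a group
    is reported only if it has at least min_hits charges and every gap between
    consecutive charges lies inside period_days. Result maps
    (merchant, amount) -> list of ISO dates.
    """
    groups = defaultdict(list)
    for day, merchant, amount in statement:
        key = (merchant.strip().upper(), round(amount, 2))
        groups[key].append(date.fromisoformat(day))
    recurring = {}
    for key, days in groups.items():
        days.sort()
        if len(days) < min_hits:
            continue
        gaps = [(later - earlier).days for earlier, later in zip(days, days[1:])]
        if all(period_days[0] <= gap <= period_days[1] for gap in gaps):
            recurring[key] = [d.isoformat() for d in days]
    return recurring


def total_billed(statement, merchant):
    """Sum of every charge carrying the given merchant descriptor (case-insensitive)."""
    wanted = merchant.strip().upper()
    return round(sum(a for _, m, a in statement if m.strip().upper() == wanted), 2)


if __name__ == "__main__":
    for (merchant, amount), dates in find_recurring(STATEMENT).items():
        total = total_billed(STATEMENT, merchant)
        print(f"{merchant}: {amount:.2f} x {len(dates)} = {total:.2f} ({dates[0]} to {dates[-1]})")
```

Widen `period_days` to catch weekly or yearly billing cycles; anything it reports that you cannot tie to a subscription you knowingly started is a candidate for cancellation and a refund request.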

Background: Understanding the Risk

Fleeceware has been a documented problem on both Google Play and Apple's App Store since at least 2019, when Sophos researchers coined the term after finding apps charging up to $214.99 per week for basic functionality available in free apps. The category persists because it exploits a fundamental asymmetry: users are accustomed to trusting apps distributed through official app stores, and Play Store vetting processes are optimized to detect code-level threats — trojans, spyware, and credential stealers — rather than economically fraudulent service descriptions.

The "call history lookup" category is a recurring vehicle for this type of fraud. The premise is compelling to users with legitimate concerns (parents monitoring children, individuals tracking unknown callers, or people suspicious of a partner's communications), which drives installs. The fictional nature of the service — Android fundamentally cannot provide cross-device call log access to a third-party app without carrier-level access — is not obvious to most users.

Google has made incremental progress on fleeceware detection over the years. The Play Protect system (Google's built-in Android malware scanner) now flags some subscription abuse patterns, and policy changes require apps to clearly display subscription terms before enrollment. However, the 7.3 million download count on this batch indicates that enforcement gaps remain wide enough for operators to accumulate significant financial harm before detection and removal.

From a broader mobile security perspective, users should treat subscription-based apps with heightened scrutiny. Before enrolling in any paid subscription:

  • Check the app's reviews specifically for complaints about billing, cancellation difficulty, or delivered functionality not matching advertised claims
  • Search for the app developer name in addition to the app name — fleeceware operators often deploy many apps under different names but the same developer account
  • Verify that what the app claims to do is technically possible on Android before paying for it

Apple's App Store faces the same category of threat. Users on iOS should apply the same auditing process via Settings → Apple ID → Subscriptions.

Conclusion

The 28 fake call history apps represent a large-scale, financially motivated fraud operation that successfully exploited Play Store distribution for 7.3 million installs. If you or anyone you know downloaded a call history lookup app in the past year, check your Google Play subscriptions and bank statements now — the subscription charges may have been running for months without notice.

For any query contact us at contact@cipherssecurity.com