Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads
Key Points:
- Cybersecurity firm ESET uncovered 28 fraudulent Android apps on Google Play Store, falsely claiming to provide call history and SMS data for any phone number, but instead tricking users into paid subscriptions that deliver fake data and cause financial loss.
- These apps, downloaded over 7.3 million times primarily in India and the Asia-Pacific region, used deceptive tactics including impersonating the Indian government and sending fake notifications to coerce payments ranging from $6 to $80.
- Payments were processed via Google Play subscriptions or third-party UPI apps like Google Pay and PhonePe, with some violating Google’s policies; only purchases through Google Play billing may be eligible for refunds.
- The apps neither requested sensitive permissions nor had any real functionality to retrieve call or message data; instead, they generated fabricated information embedded in the source code.
- Separately, Group-IB reported a related fraud campaign in Indonesia involving phishing, malicious APKs, and social engineering to steal $2 million by impersonating trusted brands, highlighting a broader trend of sophisticated mobile scams targeting large populations.
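
The ESET finding above, that the apps advertised call and SMS data while requesting no sensitive permissions, suggests a simple triage check for app reviewers. The sketch below is an added example, not code from ESET or Google; the keyword list, function names, and sample listing and manifest are constructed, and it assumes the manifest has already been decoded to text XML. A mismatch is a signal for manual review, not proof of fraud.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed rules: advertised capability -> (listing keywords, permission an app
# needs to read that data, and then only from the device it is installed on).
CLAIM_RULES = {
    "call history": (("call history", "call log", "call details"),
                     "android.permission.READ_CALL_LOG"),
    "sms": (("sms", "message history"), "android.permission.READ_SMS"),
}

def declared_permissions(manifest_xml):
    """Return the permission names declared in a text-form AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms

def unsupported_claims(listing_text, manifest_xml):
    """List advertised capabilities that the declared permissions cannot back."""
    text = listing_text.lower()
    perms = declared_permissions(manifest_xml)
    findings = []
    for claim, (keywords, permission) in CLAIM_RULES.items():
        advertised = any(keyword in text for keyword in keywords)
        if advertised and permission not in perms:
            findings.append(claim)
    return sorted(findings)

# Constructed sample data, not taken from any real app.
SAMPLE_LISTING = "Get call history and SMS details of any number instantly"
SAMPLE_MANIFEST = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
    'package="com.example.constructed">'
    '<uses-permission android:name="android.permission.INTERNET"/>'
    '<application android:label="Sample"/>'
    '</manifest>'
)

if __name__ == "__main__":
    for claim in unsupported_claims(SAMPLE_LISTING, SAMPLE_MANIFEST):
        print(f"listing advertises {claim!r} but no matching permission is declared")
```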