Android 'Fleeceware' Campaign: Detecting 28 Fake Call History Apps with 7.3M Downloads

Security Arsenal Team
May 9, 2026

A sophisticated "fleeceware" campaign has infiltrated the official Google Play Store, resulting in over 7.3 million downloads of fraudulent applications. These 28 apps, masquerading as "Call History" trackers, lure victims with the promise of accessing private call logs for any phone number—a technical impossibility for third-party apps due to Android's privacy sandbox.

Once installed, the applications do not deliver the advertised service. Instead, they employ social engineering and aggressive UI tactics to trick users into subscribing to expensive services, often exceeding $50 per month, while delivering no real value. This campaign highlights a critical shift in mobile threats: attackers are no longer just stealing data; they are abusing the subscription billing ecosystem to monetize frictionless payments directly from users.

For SOC analysts and mobile security engineers, this represents a detection challenge. These apps often pass initial Google Play Protect scans and do not rely on traditional exploit chains. Instead, they abuse legitimate APIs (Billing and Contacts) to commit fraud. Defenders need to pivot from looking for "malware" signatures to hunting for abusive permission usage and anomalous billing behaviors within their mobile fleet.

Technical Analysis

  • Affected Platform: Android (Google Play Store)
  • Threat Type: Fleeceware / Subscription Fraud
  • Application Count: 28 distinct applications
  • Total Downloads: >7,300,000
  • Attack Vector: Social Engineering (Trojanized Utility Apps)

Mechanism of Action:

  1. Infiltration: Threat actors publish apps claiming to offer "Call History" recovery or tracking capabilities.
  2. Lure: Upon launch, the app prompts the user to enter a target phone number.
  3. Hook: The app simulates a "searching" or "connecting" process to establish credibility.
  4. Monetization: Before displaying results, the app triggers a subscription paywall. Users are often charged immediately upon clicking "Continue" or "Reveal," despite unclear terms.
  5. Payload: The app displays static, fake data to satisfy the user momentarily, ensuring the charge clears before the user realizes the scam.

Permissions and Abuse: To maintain a facade of legitimacy, these apps often request high-risk permissions such as READ_CALL_LOG, READ_CONTACTS, and READ_SMS. While the app does not technically function as advertised, the request for these permissions serves to convince the user (and automated store analysis) that the app has a functional purpose.

Detection & Response

The following detection logic focuses on identifying applications that request the READ_CALL_LOG permission, a strong indicator for this threat class, and on observing their installation or execution within an enterprise environment (e.g., via Microsoft Defender for Endpoint or MDM logs).

SIGMA Rules

YAML
---
title: Potential Fake Call History App Installation
id: 8a4b2c1d-9e6f-4a3b-8c7d-1e2f3a4b5c6d
status: experimental
description: Detects the installation of Android applications requesting READ_CALL_LOG permission, a hallmark of the fleeceware Call History campaign.
references:
  - https://thehackernews.com/2026/05/fake-call-history-apps-stole-payments.html
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.impact
  - attack.t1566.001
logsource:
  product: android
detection:
  selection:
    EventType: 'package_added'
    requested_permissions|contains:
      - 'android.permission.READ_CALL_LOG'
      - 'android.permission.READ_CONTACTS'
  filter:
    PackageName|contains:
      - 'com.android'
      - 'com.google'
      - 'com.whatsapp'
      - 'com.facebook'
condition: selection and not filter
falsepositives:
  - Legitimate dialer or backup applications approved by the enterprise.
level: high
---
title: High Frequency Subscription Billing Anomaly
id: 3c1d2e4f-5a6b-7c8d-9e0f-1a2b3c4d5e6f
status: experimental
description: Detects repeated interactions with the Billing API from short-lived or low-trust applications, common in fleeceware operations.
references:
  - https://thehackernews.com/2026/05/fake-call-history-apps-stole-payments.html
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.impact
logsource:
  product: android
detection:
  selection:
    EventType|contains: 'billing'
    Action|contains: 'purchase'
  timeframe: 1h
  condition: selection | count() by PackageName > 5
falsepositives:
  - Legitimate high-volume usage of subscription services.
level: medium
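To show how the two rules above behave on telemetry, here is an added Python example (not part of the original post) that implements both as functions and runs them over constructed events. Field names follow the rules; the event dicts, package names and timestamps are made up.

```python
"""Apply the two Sigma rules above to constructed Android telemetry events."""
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE_PERMS = {"android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS"}
TRUSTED_PREFIXES = ("com.android", "com.google", "com.whatsapp", "com.facebook")

def fake_call_history_install(event: dict) -> bool:
    """Rule 1: package_added requesting a sensitive permission and not matching the filter list."""
    if event.get("EventType") != "package_added":
        return False
    selection = bool(SENSITIVE_PERMS & set(event.get("requested_permissions", [])))
    # Sigma 'PackageName|contains' is a substring match, not a prefix match
    filtered = any(p in event.get("PackageName", "") for p in TRUSTED_PREFIXES)
    return selection and not filtered

def billing_anomaly(events: list, threshold: int = 5, window: timedelta = timedelta(hours=1)) -> set:
    """Rule 2: packages with more than `threshold` purchase events inside any `window`."""
    by_pkg = defaultdict(list)
    for e in events:
        if "billing" in e.get("EventType", "") and "purchase" in e.get("Action", ""):
            by_pkg[e["PackageName"]].append(e["Timestamp"])
    flagged = set()
    for pkg, stamps in by_pkg.items():
        stamps.sort()
        start = 0  # sliding window over sorted timestamps
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(pkg)
                break
    return flagged

T0 = datetime(2026, 5, 9, 10, 0)
SAMPLE_EVENTS = [  # constructed sample telemetry, not data from the campaign
    {"EventType": "package_added", "PackageName": "com.example.callhistory.finder",
     "requested_permissions": ["android.permission.READ_CALL_LOG", "android.permission.INTERNET"]},
    {"EventType": "package_added", "PackageName": "com.google.android.dialer",
     "requested_permissions": ["android.permission.READ_CALL_LOG"]},
    {"EventType": "package_added", "PackageName": "com.example.flashlight",
     "requested_permissions": ["android.permission.CAMERA"]},
] + [  # six purchase attempts in 25 minutes from the fake app
    {"EventType": "billing", "Action": "purchase_flow", "PackageName": "com.example.callhistory.finder",
     "Timestamp": T0 + timedelta(minutes=5 * i)} for i in range(6)
] + [  # six purchases spread over 15 hours from a benign app: never more than 5 in one hour
    {"EventType": "billing", "Action": "purchase_flow", "PackageName": "com.example.musicapp",
     "Timestamp": T0 + timedelta(hours=3 * i)} for i in range(6)
]
```

Only the fake app is flagged by either rule: the Google dialer requests the same permission but is excluded by the filter, and the benign app's purchases never exceed five within an hour.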

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for Android apps requesting sensitive Call Log permissions
// Assumes the install event carries the requested permissions in AdditionalFields
// as an array of {Name, Value} pairs; adjust to your MDM connector's schema
DeviceEvents
| where ActionType has "AppInstalled"
| extend Fields = parse_json(AdditionalFields)
| mv-expand Fields
| where tostring(Fields.Name) == "RequestedPermissions"
| where tostring(Fields.Value) contains "android.permission.READ_CALL_LOG"
| project Timestamp, DeviceName, AccountName, FolderPath, FileName, RequestedPermissions = tostring(Fields.Value)
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for installed Android packages requesting Call Log permissions
-- android_packages() is assumed to be supplied by a custom artifact; it is not a built-in plugin
SELECT PackageName, VersionName, RequestedPermissions, UID
FROM android_packages()
WHERE RequestedPermissions =~ "android.permission.READ_CALL_LOG"
  AND NOT (PackageName IN ("com.android.phone", "com.android.contacts", "com.samsung.android.dialer"))

Remediation Script

The following Bash script utilizes ADB (Android Debug Bridge) to audit connected devices for applications holding the READ_CALL_LOG permission, allowing incident responders to identify potential threats on corporate-owned devices.

Bash / Shell
#!/bin/bash

# Audit Android devices for Fake Call History / Fleeceware indicators
# Requires ADB installed and 'USB Debugging' enabled on target devices

echo "[+] Auditing connected devices for high-risk Call Log permissions..."

# Get list of connected, authorized devices (state "device"; skips unauthorized/offline)
device_list=$(adb devices | awk 'NR > 1 && $2 == "device" {print $1}')

if [ -z "$device_list" ]; then
    echo "[-] No devices found. Ensure USB Debugging is enabled."
    exit 1
fi

for device in $device_list; do
    printf '\n[+] Checking Device: %s\n' "$device"

    # Enumerate installed packages ("package:<name>"); strip the CR adb shell appends
    adb -s "$device" shell pm list packages | tr -d '\r' | while read -r line; do
        pkg=${line#package:}

        # Dump the package record once for both checks. stdin is redirected from
        # /dev/null because adb shell otherwise forwards the loop's input to the device.
        dump=$(adb -s "$device" shell dumpsys package "$pkg" </dev/null | tr -d '\r')

        # dumpsys prints each requested permission on its own line under the
        # "requested permissions:" header, so match the permission name itself
        if echo "$dump" | grep -q "android.permission.READ_CALL_LOG"; then
            # Preinstalled packages (dialer, contacts, ...) carry the SYSTEM flag
            if echo "$dump" | grep "flags=" | grep -q "SYSTEM"; then
                is_system="YES"
            else
                is_system="NO"
            fi

            # Flag non-system apps; system dialers legitimately hold this permission
            if [ "$is_system" = "NO" ]; then
                echo "[!] SUSPICIOUS APP FOUND: $pkg"
                echo "    - Requests: android.permission.READ_CALL_LOG (system=$is_system)"
            fi
        fi
    done
done

printf '\n[+] Audit complete. Investigate flagged packages immediately.\n'

Remediation

  1. Immediate App Removal: Organizations should immediately uninstall the identified 28 applications. Google Play Protect will likely update to flag these, but manual removal is recommended for BYOD devices.
  2. Cancel Subscriptions: Users must check their Google Play Subscriptions menu (Settings > Google > Manage your Google Account > Payments & subscriptions) and cancel any active subscriptions linked to "Call History" or unknown developers.
  3. Google Play Policy Enforcement: For MDM (Mobile Device Management) administrators, push a "Blocklist" policy preventing the installation of apps with the READ_CALL_LOG permission unless explicitly whitelisted.
  4. User Awareness: Issue a security advisory to the workforce warning against applications promising access to private data (like call histories or SMS) for other numbers, as these are universally scams.
