7.3M Downloads: Analyzing the 'Fake Call History' Fleeceware Operation

We often focus on sophisticated zero-days, but sometimes the most impactful threats are the simplest financial scams. Just read the latest report on the 28 fraudulent apps on the Play Store claiming to reveal call histories.

Technically, this falls under Fleeceware. These apps don't necessarily steal credentials (like a banking trojan), but they abuse the BillingClient API to trap users in high-cost subscriptions for non-functional services. With 7.3 million downloads, the scale is significant.

From a detection standpoint, these apps are tricky. They often pass Google Play Protect's static checks because the malicious behavior (charging money) is technically a "feature." However, the payload is often just hardcoded JSON data or a simple WebView loader.

For those managing MDMs or monitoring mobile fleet traffic, I suggest monitoring for specific telemetry patterns. If you have ingestion of mobile billing events or high-cost app interactions, look for multiple subscription activations within a short window from the same device ID.

Here is a basic KQL query to hunt for potential fleeceware behaviors if you are ingesting mobile logs into Sentinel:

DeviceEvents
| where Timestamp > ago(30d)
| where ActionType contains "Subscription" or ActionType contains "Billing"
| extend AppName = tostring(Fields["AppName"])
| extend Price = todecimal(Fields["Price"])
| where Price > 10 // Flagging unusually expensive subscriptions
| summarize EventCount=count(), MaxPrice=max(Price) by AppName, DeviceId
| where EventCount > 2 // Frequent trials/renewals
| project DeviceId, AppName, MaxPrice, EventCount

How are you all handling mobile app vetting for BYOD environments? Is the official store vetting process failing us, or is user education the only real defense here against these "legal" scams?