Advertising Disclosure: Some links on this site are affiliate links. We may earn a commission when you make a purchase — at no extra cost to you.

Fake Call History Apps on Play Store Stole Payments From 7.3M Users: Protection Guide

A cluster of 28 apps masqueraded as phone-lookup tools, collected millions of installs, and pushed users into fake-data subscriptions. Here is how to respond.

Hot radar note: The Hacker News reported on May 8, 2026 that 28 fake call history apps on the Google Play Store collected over 7.3 million downloads and funneled users into paid subscriptions that returned fake or empty data. This is an A-level consumer scam with a massive install base.

What happened

Security researchers disclosed that 28 Android apps published on the official Google Play Store falsely claimed to offer access to call histories for any phone number. Instead of delivering on that promise, they funneled users into a paid subscription flow and then showed fabricated data that made the service appear to work long enough to complete the transaction. The apps together collected more than 7.3 million downloads, with a single app accounting for a disproportionate share of that total.

The playbook is classic fleeceware: the apps are not traditional malware that exfiltrates data or takes over the device. They exploit the normal subscription plumbing on the Play Store, combined with misleading marketing that promises capabilities no ordinary app can actually deliver. Accessing another person's call history requires carrier-level access, a lawful request, or device-level installation with consent. Any consumer app that claims to hand that information to a stranger is either lying, scraping public data, or pushing you into a charge you did not really want.

Why this matters beyond one scam campaign

Fleeceware-style subscription scams are steadily becoming the dominant consumer harm on mobile app stores. They slip past automated review because they do not technically contain malware, they monetize through legitimate billing channels, and they collect just enough positive reviews to reach high visibility before complaints catch up. A single campaign with 7.3 million downloads is not an outlier; it is a reminder that the most dangerous app on your phone is often the one that was designed to drain your wallet quietly rather than encrypt your files loudly.

For everyday users, that shifts the risk profile. Traditional antivirus focuses on malicious code. Modern mobile threats also include permission abuse, fleeceware subscriptions, shady privacy practices, and push-notification spam that drives users into phishing or other scam flows. A good mobile security stack needs to address all of these.

Immediate action checklist for Android users

  • Open the Play Store, tap your profile icon, and go to Manage apps & devices to review what is installed.
  • Uninstall any phone-lookup, caller-ID, call-history, or spy app you do not actively use, especially those with generic names.
  • Go to Payments & subscriptions and cancel any subscription you do not recognize; removing the app alone does not cancel billing.
  • Request a refund for recent scam charges through the Play Store; Google often issues partial refunds when fraud is documented.
  • Revoke sensitive permissions: check which apps have access to your contacts, call logs, SMS, and microphone, and remove anything unjustified.
  • Change your Google account password if you used it to authorize the suspicious app, and enable 2-Step Verification.
  • Install a reputable mobile security app that flags fleeceware, risky permissions, and phishing sites.
  • Watch your bank or card statement for the next two billing cycles and dispute unknown app charges.
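For readers comfortable with a command line, the permission review in the checklist can be done in one pass from a computer. The script below is an added example, not part of the original guide: it assumes `adb` is installed with USB debugging authorized, and that `dumpsys package` output uses the `Package [name]` headers and `granted=true` lines shown in the constructed sample.

```shell
#!/bin/sh
# Added example: report apps that hold the sensitive permissions named in the
# checklist. Live use (assumes adb is installed and the phone is authorized):
#   adb shell dumpsys package | audit_permissions
SENSITIVE='READ_CALL_LOG READ_CONTACTS READ_SMS RECEIVE_SMS RECORD_AUDIO'

# Reads `dumpsys package` text on stdin and prints "<package> <permission>"
# once for every sensitive permission that is marked granted=true.
audit_permissions() {
  awk -v want="$SENSITIVE" '
    BEGIN { n = split(want, w, " ")
            for (i = 1; i <= n; i++) s["android.permission." w[i]] = 1 }
    # A "Package [name] (id):" header starts a new package block.
    /^ *Package \[/ { pkg = $0; sub(/^ *Package \[/, "", pkg)
                      sub(/\].*$/, "", pkg); next }
    # Shared-user blocks also list permissions; do not pin them on the
    # package that happened to come before.
    /^ *SharedUser \[/ { pkg = ""; next }
    /granted=true/ { perm = $1; sub(/:$/, "", perm)
      if (pkg != "" && (perm in s) && !seen[pkg, perm]++) print pkg, perm }
  '
}

# Constructed sample input (package names are made up), trimmed to the lines
# the parser relies on.
sample_dump() {
  cat <<'EOF'
Packages:
  Package [com.example.calllookup] (1a2b3c):
    requested permissions:
      android.permission.READ_CALL_LOG
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1 installed=true hidden=false
      runtime permissions:
        android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
  Package [com.example.flashlight] (4d5e6f):
    install permissions:
      android.permission.INTERNET: granted=true
Shared users:
  SharedUser [android.uid.example] (7a8b9c):
    install permissions:
      android.permission.READ_SMS: granted=true
EOF
}

sample_dump | audit_permissions
```

On a real device the output also includes system packages such as the dialer, so compare it against `adb shell pm list packages -3` to focus on apps you installed yourself.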

How to spot the next fake app before you install it

Most scam apps share a handful of telltale signals. They promise something that only a telecom carrier or law enforcement could actually deliver. They require a subscription before showing any functionality at all. Their privacy policy is a thin, copy-paste document hosted on a generic domain. Their developer has a short history with multiple similarly styled apps. Reviews cluster around two extremes: suspiciously enthusiastic five-star ratings and angry one-star refund complaints. Screenshots look polished, but the feature set is impossibly broad for a single free-to-install app.

When in doubt, search the app name with keywords like "refund," "fake," "scam," or "fleeceware." Check the developer's other apps. Look up the company name outside the Play Store. If you still want to try the app, install it, do not sign in with Google yet, and see whether it tries to paywall you before delivering any real value. If the first screen after opening asks for your payment details without giving you a clear sample of the service, walk away.

Why Play Protect is not enough on its own

Google Play Protect is a good baseline and has improved steadily, but it struggles with scams that ride legitimate billing rails. Fleeceware is often approved for distribution because it is technically compliant and only crosses the line through deceptive marketing or data claims. Third-party mobile security products add layers: scanning for privacy red flags, blocking phishing links that these apps often embed, filtering SMS scams, and flagging permissions that a call-history app has no business requesting.

Pair that with a password manager to keep Google account credentials unique and strong, plus identity monitoring to watch for downstream misuse if your email or billing details end up in a breach after scam revenue funds more aggressive data collection.

Recommended protection stack

Bitdefender Mobile Security 4.7/5

Best for: Android scam and phishing protection · Price: From about $14.99/year

Pros
  • Strong web attack and scam detection
  • App risk scanning with privacy flags
  • Low battery impact
Cons
  • Some features gated behind premium plans
  • VPN traffic is limited on basic tier

Norton 360 Mobile 4.6/5

Best for: households that want antivirus plus VPN on mobile · Price: From about $49.99/year

Pros
  • Malware and scam app scanning
  • Bundled VPN and Dark Web Monitoring
  • SMS spam filtering on supported regions
Cons
  • Busy upsell flows
  • Best features require higher-tier plans

Malwarebytes Mobile Security 4.4/5

Best for: cleanup after suspected scam app installs · Price: From about $39.99/year

Pros
  • Strong remediation reputation
  • Web protection and ad blocking
  • Simple interface
Cons
  • Fewer extras than full suites
  • Limited family controls

1Password 4.8/5

Best for: protecting your Google account after scam app sign-ins · Price: From about $2.99/month

Pros
  • Strong password generation and breach alerts
  • Watchtower monitors reused credentials
  • Autofill works across Android apps
Cons
  • No free tier
  • Advanced features need paid plan

Aura 4.6/5

Best for: identity and financial monitoring after scam charges · Price: From about $12/month billed annually

Pros
  • SSN, credit, and dark web monitoring
  • Bundles VPN, antivirus, and password tools
  • Identity restoration support
Cons
  • More expensive than single-purpose tools
  • Credit lock coverage varies

Comparison table

| Product | Rating | Best for | Price | Key strengths |
|---|---|---|---|---|
| Bitdefender Mobile Security | 4.7/5 | Android scam and phishing protection | From about $14.99/year | Scam detection; privacy flags |
| Norton 360 Mobile | 4.6/5 | Households with antivirus plus VPN | From about $49.99/year | Malware scanning; VPN and monitoring |
| Malwarebytes Mobile | 4.4/5 | Post-scam cleanup | From about $39.99/year | Remediation; ad blocking |
| 1Password | 4.8/5 | Google account protection | From about $2.99/month | Breach alerts; strong autofill |
| Aura | 4.6/5 | Identity and financial monitoring | From about $12/month | Credit and dark web monitoring; restoration |

Frequently asked questions

What did the fake call history apps on the Play Store do?

They claimed to show call histories for any phone number. Instead, they pushed users into paid subscriptions and then returned fake or empty data, producing a financial loss while delivering none of the promised service.

How many people were affected?

Researchers reported that 28 apps together collected more than 7.3 million downloads, with a single app accounting for a significant share. Not every download equals a scammed user, but the scale is large enough that Android users worldwide should check their devices.

How do I tell if an Android app is a subscription scam?

Watch for apps that promise restricted data for any phone number, require a subscription before showing anything, use thin privacy policies, have short publisher histories, and push recurring charges during onboarding. Reviews that focus on refunds and fake results are another red flag.

How do I cancel a fake app's subscription?

Open the Google Play Store app, tap your profile icon, go to Payments & subscriptions, then Subscriptions, and cancel any app you do not recognize. Request a refund from Google Play if the subscription is recent. Removing the app alone does not cancel the subscription.

Do I need antivirus on Android?

Mobile antivirus adds useful layers, including app scanning, web protection, identity monitoring, and VPN access. Google Play Protect is a good baseline but scam apps with policy-violating business models regularly slip past it.

Bottom line

Fleeceware is the modern face of mobile scams: no dramatic malware, just quiet subscriptions that drain cards over months. Uninstall apps you do not use, audit Google Play subscriptions today, dispute unknown charges, and layer mobile antivirus, a password manager, and identity monitoring over Play Protect. The next 7-million-download scam is already being built; your safety comes from habits that catch it in the first minute, not the first month.