HackMyIP
2026-05-08 The Hacker News

Fake Call History Apps Steal Payments After 7.3M Google Play Downloads

Malware · Privacy · Supply Chain

Trend Micro researchers have identified a cluster of four Android applications on the Google Play Store that masqueraded as tools for viewing any phone number's call history. That promise is itself the first red flag: Android exposes only the device's own call log, and only to apps holding READ_CALL_LOG, so no third-party app can legitimately show another number's history. The apps, distributed under the package names com.callerlog.pro, com.phonetracker.free, com.callspy.history, and com.smartcall.manager, claimed to provide "instant access to any call log" and were pushed with aggressive ad campaigns. According to the report published by The Hacker News, the malicious apps collectively amassed over 7.3 million downloads before Google removed them.

The applications requested an unusually broad set of permissions, including READ_CONTACTS, READ_CALL_LOG, SEND_SMS, RECEIVE_SMS, and READ_PHONE_STATE, under the guise of delivering the promised service. Behind the façade, each app embedded a dropper that decoded a secondary DEX payload obfuscated with Obfuscapk and protected by runtime encryption, the usual way of keeping the malicious logic out of the APK that store review and static scanners see. The payload contained a command-and-control (C2) module that communicated over Firebase Cloud Messaging (FCM) endpoints and with a private server at hxxps://callhisttrack[.]net. Once active, the malware harvested contact lists, call records, and device identifiers, then silently subscribed victims to premium SMS services, producing unauthorized charges of $5 to $15 per transaction. SEND_SMS and RECEIVE_SMS together are the classic toll-fraud pairing: the first lets the app send the subscription request, the second lets it read the carrier's confirmation or one-time code so the sign-up completes without the user ever seeing it. The same component also captured credit-card details entered in the app's "premium unlock" screen and exfiltrated them in an encrypted HTTPS POST to the C2 server.

Trend Micro’s telemetry recorded more than 2.1 million unique devices that received the malicious payload, with over 180,000 users inadvertently authorizing premium SMS subscriptions. The financial impact is estimated at several million dollars in fraudulent charges, while the exposed personal data—including full call histories and partial payment information—poses a significant privacy risk. Google confirmed that the apps violated Play Store policies and removed them on 2026‑01‑12 after being notified, but the apps had already been live for several months, allowing the threat actors to monetize the scheme at scale.

Security analysts recommend that Android users immediately audit installed applications, revoke any permission an app has no plausible need for (READ_CALL_LOG and SEND_SMS especially), and keep Google Play Protect enabled for real-time scanning, with the caveat that Play Protect is on by default on Play-certified devices and still let these apps run for months, so it is a backstop rather than a substitute for the audit. Organizations should deploy mobile threat-defense solutions that flag anomalous permission requests and network traffic to known malicious domains. The indicators of compromise (IOCs) belong in different controls: the package names listed above and the FCM project ID "call-hist-fcm-prod" are host-side indicators for MDM or mobile threat-defense policy, since FCM traffic rides on Google's shared push endpoints and cannot be blocked per project at the network edge without breaking every app's notifications; the C2 domain callhisttrack[.]net (refang the bracketed dot before loading it) is the indicator that belongs on DNS and firewall blocklists. Staying wary of overly permissive apps and keeping devices up to date remain the basic defenses against similar threats delivered through an official app store.
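As an added example (not code from the article, Trend Micro, or The Hacker News), here is the kind of audit script the recommendations above call for. It parses the text that `adb shell dumpsys package` prints, collects each package's currently granted runtime permissions, flags packages that hold the SEND_SMS plus RECEIVE_SMS toll-fraud pairing or READ_CALL_LOG, matches installed packages against the four package names the article lists, and emits the `adb shell pm revoke` commands to strip the risky grants. The dumpsys excerpt embedded in the script is constructed for the example (the benign `com.example.notes` package is made up); it follows the layout current Android builds print, but details vary across versions, so compare the parser against your own device's output before relying on it. `pm revoke` only works for runtime (dangerous) permissions and needs USB debugging enabled.

```python
"""Audit `adb shell dumpsys package` output for the permission pattern above.

Added example; not code from the article, Trend Micro or The Hacker News.
Usage: adb shell dumpsys package > dump.txt && python audit_apps.py dump.txt
"""
import re
import sys
from typing import Dict, List, Set

# The four package names the article reports as malicious: a direct IOC match.
KNOWN_BAD_PACKAGES = {
    "com.callerlog.pro", "com.phonetracker.free",
    "com.callspy.history", "com.smartcall.manager",
}
# Runtime permissions the article singles out; any granted subset is reported.
HIGH_RISK = {
    "android.permission.READ_CALL_LOG", "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS",
}
# Send a subscription SMS, then read the carrier's confirmation: toll fraud.
TOLL_FRAUD_PAIR = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"}

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


def parse_granted(text: str) -> Dict[str, Set[str]]:
    """Return {package: set of runtime permissions currently granted}.

    Walks the "Package [...]" headers and each "runtime permissions:" list;
    any other "...:" header ends the list. Install-time permissions such as
    INTERNET are not revocable and are ignored.
    """
    granted: Dict[str, Set[str]] = {}
    pkg, in_runtime = None, False
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            pkg, in_runtime = m.group(1), False
            granted[pkg] = set()
            continue
        stripped = line.strip()
        if stripped.endswith(":"):
            in_runtime = stripped == "runtime permissions:"
        elif pkg is not None and in_runtime:
            m = PERM_RE.match(line)
            if m and m.group(2) == "true":  # keep only live grants
                granted[pkg].add(m.group(1))
    return granted


def audit(granted: Dict[str, Set[str]]) -> List[dict]:
    """Flag known-bad packages and dangerous grant combinations."""
    findings = []
    for pkg, perms in sorted(granted.items()):
        reasons = []
        if pkg in KNOWN_BAD_PACKAGES:
            reasons.append("known malicious package (IOC match)")
        if TOLL_FRAUD_PAIR <= perms:
            reasons.append("SEND_SMS + RECEIVE_SMS granted (premium-SMS toll-fraud pairing)")
        if "android.permission.READ_CALL_LOG" in perms:
            reasons.append("READ_CALL_LOG granted")
        if reasons:
            risky = sorted(p.rsplit(".", 1)[1] for p in perms & HIGH_RISK)
            findings.append({"package": pkg, "reasons": reasons, "granted_risky": risky})
    return findings


def revoke_commands(findings: List[dict]) -> List[str]:
    """adb commands that strip each flagged package's risky runtime grants."""
    return [f"adb shell pm revoke {f['package']} android.permission.{p}"
            for f in findings for p in f["granted_risky"]]


# Constructed sample in the shape dumpsys prints (not a real capture);
# com.example.notes is a made-up benign app for contrast.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.callerlog.pro] (3f2a1b):
    userId=10231
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1234 installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
        android.permission.SEND_SMS: granted=true, flags=[ USER_SET ]
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_PHONE_STATE: granted=false, flags=[ USER_SET ]
  Package [com.example.notes] (9c0d44):
    userId=10232
    User 0: ceDataInode=1235 installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMPSYS
    findings = audit(parse_granted(text))
    for f in findings:
        print(f"{f['package']}: {'; '.join(f['reasons'])}")
    print("\n".join(revoke_commands(findings)))
```

Run without arguments it audits the embedded sample; with a file argument it audits a saved dumpsys capture. The IOC list is deliberately a plain set so it can be replaced by whatever your threat-intel feed exports, and the revoke commands are printed rather than executed so they can be reviewed before touching a device.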

Source: The Hacker News
