Cybersecurity researchers have uncovered a massive campaign of fraudulent applications on Google Play that promised, without any technical basis, to show call histories, SMS and WhatsApp records for any number in exchange for a subscription. The deception did not rely on invasive permissions or complex malware: a simple interface and a "magic" data promise were enough to convince millions of users, particularly in India and the Asia-Pacific region.
According to published research, these applications displayed invented information embedded in their own code and pushed the user to pay in one of three ways: official Google Play billing, UPI payment gateways integrated into third-party apps, or card forms within the app. The combination of a false official appearance (some apps were even published under developer names that imitated public institutions) and payment methods that are difficult to refund amplified the fraud.

Beyond the direct economic impact on those who paid for subscriptions that delivered nothing real, there is an important security lesson: the absence of sensitive permissions does not guarantee that an app is safe or legitimate. Many victims trusted the official store and inflated reviews; others were drawn in by messages on social networks and WhatsApp that simulated authority. The fact that some charges were made through popular payment apps complicated access to refunds when transactions did not pass through Google Play.
This case connects with other campaigns that use social engineering and brand impersonation to steal data and money. Security firms have documented more aggressive operations that combine phishing, APKs distributed outside the store and malware capable of exfiltrating information and authorizing transfers. The real risk is not just the one-off scam, but the door it opens to more sophisticated fraud and theft of financial accounts.
If you think you may have been affected, take immediate action: remove suspicious apps, review and cancel any subscriptions from your Google Play account, check your bank statements and request reversal of charges where appropriate; for payments made outside Google Play, contact the payment provider (UPI, financial app, bank) and report the transaction. Change passwords and enable two-step verification on your most sensitive accounts, and watch for unusual communications that ask for data or codes.

To reduce exposure to this type of fraud, always check the developer and the reviews critically, distrust promises that sound impossible (such as "call history of any number"), avoid installing apps that are not popular or verified and limit the installation of apps from outside Google Play. In corporate environments, controls such as mobile device management (MDM), policies that disable sideloading and continuous employee training are effective measures to mitigate risk.
The problem also has a regulatory and platform component: app stores and payment processors should strengthen fraud detection, developer validation and refund mechanisms to protect vulnerable users. While these improvements are being implemented, users need more scepticism and active protection tools, such as Google Play Protect and monitoring of financial transactions.
If you want to learn more about the nature of these campaigns and the technical recommendations, consult the analyses of security companies and the policies of the store: WeLiveSecurity (ESET) provides reports on mobile fraud and trends, and Group-IB documents campaigns that combine phishing and malware for financial theft. For questions about refunds and purchases on Google Play, Google's own documentation explains procedures and user rights at its help center: Google Play Refund Policy and Applications.