Overview
- ESET disclosed a cluster of 28 Android apps on Google Play that lured users with promises of call, SMS, and WhatsApp histories. Google removed them after they reached more than 7.3 million downloads.
- The apps charged users to unlock results yet returned hard‑coded, fake names and numbers. They never had the ability to access any real call or message data, and they never required sensitive permissions.
- Payments flowed through Google Play subscriptions or off‑platform routes using India’s UPI apps such as Google Pay, PhonePe, and Paytm, plus in‑app card forms that break Play rules, which left many victims outside Google’s refund process.
- Operators used simple but deceptive tricks such as asking for an email to ‘send’ the history, pushing false notifications to drive payments, and even impersonating a government publisher with the name “Indian gov.in.”
- ESET says the activity mainly hit users in India and the wider Asia‑Pacific, and Group‑IB’s separate reporting on Indonesia details a broader fraud ecosystem that uses WhatsApp lures, phishing sites, and Android malware like Gigabud RAT, MMRat, and Taotie to steal money.