Android stalking app scam hits 7.3 million users globally

By Zaid Al-Mansouri
AI-powered tech writer covering smartphones, wearables, and mobile technology.

An Android stalking app scam has exposed a serious weakness in Google Play Store’s review process, with researchers confirming that 28 malicious applications deceived over 7.3 million users worldwide into paying for fabricated call records and SMS histories. The apps promised access to any phone number’s communications data, a feature that never existed. Instead, users received randomly generated fake data after paying between $5 and $80 for weekly, monthly, or yearly subscriptions.

Key Takeaways

  • 28 malicious apps on Google Play Store scammed 7.3 million users globally, primarily in India and Asia-Pacific regions.
  • The apps served hardcoded fake data; they had no access to real communications and held no permissions that would let them request any.
  • Subscriptions ranged from $5 to $80 with no refund options through Google; users must contact payment providers directly.
  • Two scam models: partial fake results requiring payment for “full” data, or address submission followed by fake notifications.
  • Apps preselected India’s +91 country code and integrated UPI payments, targeting regional users specifically.

How the Android Stalking App Scam Actually Worked

The scam relied on a simple yet effective tactic: advertising access to call histories, SMS records, and call logs for any phone number provided by the user. What made this particularly insidious was that the apps contained zero actual code or permissions to access real communications data. Instead, they used hardcoded lists of fake names, country codes, timestamps, and call durations to generate fabricated results on demand.

Researchers identified two distinct operational models. The first cluster showed users partial fake results immediately, then prompted payment for the supposedly “full” dataset. The second cluster required users to submit their address, followed by fake notifications claiming a report was ready for download. Both models exploited user curiosity and the plausibility of accessing another person’s communications—a feature that would require extraordinary permissions no legitimate app could obtain.

Many apps preselected India’s +91 country code and integrated the Unified Payments Interface (UPI) for transactions, indicating deliberate targeting of Indian and Asia-Pacific users. Users who reviewed the apps on Google Play reported paying for the service but receiving only random fake data, with no option to request refunds through the platform.

Why Google Play Let This Through

The discovery highlights ongoing weaknesses in how Google vets applications before they reach the Play Store. These 28 apps accumulated 7.3 million downloads before detection, suggesting that either automated scanning failed to flag the scam mechanics or manual review processes did not catch the fraudulent behavior during the approval phase. The apps were eventually removed, but only after the damage was done.

The lack of refund mechanisms compounds the problem. When users discovered they had been scammed, they could not retrieve their money through Google. Instead, they had to contact UPI providers, credit card issuers, or the developers directly—a process that rarely succeeds when the developer is operating a deliberate fraud scheme. This puts the burden of financial recovery entirely on victims rather than on the platform that distributed the malicious software.

What Victims Should Know About Android Stalking App Scam Recovery

If you downloaded one of these apps and paid for a subscription, your first step should be contacting your payment provider—either your UPI account, credit card issuer, or bank. Document the transaction, the app name, and the date of purchase. Request a chargeback or dispute, which has a higher success rate than asking the developer for a refund directly.

Google does not handle refunds for these scams through the Play Store. The company’s policy treats developer disputes as private matters between the user and the app creator. For future protection, enable Google Play Protect (the built-in security scanner), review app permissions before installation, and be skeptical of any app that claims to access another person’s private communications without that person’s explicit consent and the technical infrastructure to support it.

Is the Android stalking app scam still a threat?

The 28 identified apps have been removed from Google Play Store, but new variants could appear. The scam model is simple enough to replicate, and the profit motive is clear—millions of users were willing to pay before discovering the fraud. Stay alert for similar apps with identical promises and verify any app’s permissions before installation.

How can I get a refund for the Android stalking app scam?

Contact your payment provider directly: your bank, credit card company, or UPI service. Request a chargeback or dispute for fraudulent charges. Keep transaction records and the app name as evidence. Google does not process refunds for scam apps; your payment provider is your only recourse.

Why does Google Play allow these apps?

Google’s review process relies on both automated scanning and manual inspection, but determined scammers can evade detection by using hardcoded fake data rather than requesting suspicious permissions. The volume of apps submitted daily makes comprehensive testing difficult. This incident underscores the need for stricter vetting of apps that make extraordinary privacy claims.
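The gap described above, a listing that promises call and SMS data while the app requests none of the permissions needed to read any, can be checked mechanically. This is an added triage sketch, not code from the article or the researchers; the listing text, manifests and keyword patterns are constructed for illustration, while the permission names are real Android ones.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Claim keyword -> permission needed even to read the *local* device's data.
# No Android permission exposes another phone number's records at all.
CLAIMS = {
    "call_log": (r"call (history|log|record)s?", "android.permission.READ_CALL_LOG"),
    "sms": (r"\b(sms|text message)s?\b", "android.permission.READ_SMS"),
}
THIRD_PARTY = re.compile(r"\b(any|other|another)\b.{0,30}\b(number|phone)\b", re.I)
BILLING = "com.android.vending.BILLING"  # one payment signal; UPI flows need code review

def declared_permissions(manifest_xml):
    """Return the set of permission names in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def triage(listing_text, manifest_xml):
    """List mismatches between what the listing claims and what the app can do."""
    perms = declared_permissions(manifest_xml)
    findings = []
    for label, (pattern, needed) in CLAIMS.items():
        if re.search(pattern, listing_text, re.I) and needed not in perms:
            findings.append(f"claims:{label} missing:{needed}")
    if THIRD_PARTY.search(listing_text):
        findings.append("claims:third_party_number")
    if findings and BILLING in perms:
        findings.append("paid:in_app_billing")
    return findings

# Constructed samples: a scam-style listing and an ordinary dialer.
SCAM_LISTING = "Get call history and SMS details of any number instantly. Premium plans."
SCAM_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.android.vending.BILLING"/>
</manifest>"""
DIALER_LISTING = "A clean dialer that shows your call history."
DIALER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
</manifest>"""

if __name__ == "__main__":
    for name, args in [("scam", (SCAM_LISTING, SCAM_MANIFEST)),
                       ("dialer", (DIALER_LISTING, DIALER_MANIFEST))]:
        print(name, triage(*args))
```

A hit is a reason for manual review rather than proof of fraud, and an app that does declare these permissions still cannot read a third party's records.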

The Android stalking app scam is a reminder that even major platforms like Google Play can distribute malicious software at scale. The 7.3 million victims lost money to an app that never delivered on its promise, and recovery remains difficult because refunds are not handled by the platform itself. Download apps only from trusted developers, scrutinize permission requests, and report suspicious apps to Google immediately.

This article was written with AI assistance and editorially reviewed.

Source: Tom's Guide
