Google Rolls Out Android Fake Call Detection for AI Voice-Cloning Scams
Google is launching fake call detection on Android to help stop scam calls that use caller ID spoofing and AI voice cloning to impersonate trusted contacts. The feature is rolling out globally this month for devices running Android 12 and later, starting with Pixel phones, and works through Phone by Google with supported RCS services. It is designed to warn users when a caller claims to be someone in their contacts but the call cannot be verified as coming from that person’s device.
The protection uses a silent background verification process in which the caller’s phone sends an encrypted confirmation signal during the call. If that signal is missing, the recipient’s device checks whether the real contact’s phone is actually placing the call and displays an impersonation warning if not. Google said the feature is enabled by default where supported, though users can turn it off in settings, and framed the rollout as a response to growing impersonation fraud that has expanded from consumer scams into business-focused social engineering and caused billions in reported losses.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Global rollout of fake call detection begins with Pixel devices
Google said the fake call detection capability will roll out globally this month for Android 12 and later devices, starting with Pixel phones. The protection works when both parties use Phone by Google and compatible RCS-based verification is available.
Google introduces Android fake call detection feature
Google announced a new Android security feature called fake call detection to identify impersonation scam calls using caller ID spoofing and AI voice cloning. The feature uses a silent encrypted verification process between devices and is enabled by default when supported Google apps and RCS are in use.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Google rolls out scam call detection for Android | brief | SC Media
scworld.com
Open sourceGoogle adds Android protection against AI deepfake scam calls
bleepingcomputer.com
Open sourceGoogle adds a silent check to catch scammers posing as your contacts - Help Net Security
helpnetsecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CallPhantom Google Play Apps Used Fake Call Records to Defraud Millions
ESET uncovered a large Android fraud campaign, tracked as **CallPhantom**, that used 28 apps on Google Play to falsely promise access to call histories, SMS records, and WhatsApp call logs for arbitrary phone numbers. The apps were downloaded more than **7.3 million** times, primarily by users in **India** and the wider **Asia-Pacific** region, before Google removed them after disclosure in December 2025. Instead of providing real communications data, the apps generated fabricated records from hardcoded values and displayed deceptive previews to convince users the service worked. The operation monetized victims through multiple payment channels, including **Google Play billing**, third-party **UPI** payment flows, and embedded card-entry forms, with the latter methods violating Google Play policy and making refunds harder to obtain. Researchers said some apps also used fake notifications to drive users back into subscription prompts, while backend infrastructure relied on **Firebase Cloud Messaging** for command-and-control and Firebase databases to manage some payment details. Published reporting also included indicators of compromise such as app **SHA-1 hashes**, Firebase domains, and related IP addresses tied to the campaign.
May 11, 2026
Google Expands Android Theft Protection With Stronger Authentication and Identity Check
Google announced updated **Android Theft Protection** capabilities aimed at reducing account takeover and financial fraud risks following device theft, with availability starting on devices running **Android 16+**. The updates strengthen authentication safeguards by making **screen lock guessing** harder (longer lockout periods after repeated failed PIN/pattern/password attempts) and by improving controls around lock behavior after excessive failed authentications, including a dedicated settings toggle for *Failed Authentication Lock*. Google also expanded **Identity Check**—which requires biometric authentication for sensitive actions when the device is outside trusted places—to cover a broader set of actions and apps that use the **Android Biometric Prompt**, including third-party banking apps and **Google Password Manager**. In parallel, Android’s *Remote Lock* capabilities were highlighted as part of the theft-response toolset, giving users more control to lock a lost or stolen device and limit further misuse.
Mar 21, 2026
Microsoft Teams Adds Brand Impersonation Warnings for VoIP Calls
Microsoft is rolling out **Brand Impersonation Protection** for *Microsoft Teams Calling* to warn users about potentially fraudulent external VoIP callers attempting to impersonate trusted organizations. The feature evaluates **first-contact external calls** for impersonation risk signals and, when a call is deemed high-risk, displays warnings before the user answers; warnings can also persist during the call if suspicious indicators remain. Users can then choose to **accept, block, or end** the call to reduce exposure to social engineering and **vishing** attempts. Deployment is expected to begin in the **Targeted Release** ring in **mid-February 2026** and will be **enabled by default** for Teams Calling tenants, with broader availability timing to be communicated later. Microsoft indicates no administrative changes are required to enable the capability, but recommends preparing helpdesk/support teams for user questions and updating internal awareness/training materials to reflect the new high-risk call alerts; support is noted for **Windows desktop and macOS** clients.
Mar 21, 2026