Voice phishing (vishing) has emerged as one of the most damaging cyber threats targeting Android users globally, combining social engineering with specialized malware that exploits the device telephony stack. This paper reviews existing detection strategies for voice phishing malware on Android platforms and presents the design rationale, architecture, and preliminary results of VishielDroid — a machine learning-based Android application that monitors both install-time and runtime permission request patterns to detect vishing malware before malicious operations are executed. Drawing on analysis of 613 vishing malware samples and 1,248 benign applications (2021–2023), point-biserial correlation identified 98 statistically significant permission features. A Support Vector Machine (SVM) classifier achieves 99.86% accuracy, 100% precision, and 99.78% F1-score on unseen 2023 test samples. The system operates without root access or OS modifications, making it suitable for wide-scale deployment on standard consumer Android devices.
Introduction
This paper examines the growing threat of voice phishing (vishing) on Android devices and proposes VishielDroid, an early-stage malware detection system designed to identify vishing applications before they perform malicious actions. Since Android holds more than 70% of the global mobile operating system market, it has become a major target for cybercriminals who use malicious apps to intercept calls, spoof caller IDs, redirect communications, record conversations, and steal sensitive financial information.
Background and Literature Review
Evolution of Phishing and Vishing
Phishing evolved from email-based scams to SMS phishing (smishing) and voice phishing (vishing).
Caller ID spoofing and telephony impersonation have proven highly effective in deceiving users.
Modern attacks often combine SMS messages with malicious APK downloads, creating multi-stage attacks that bridge smishing and vishing.
Android Permission Model
Since Android 6.0, sensitive permissions are requested at runtime rather than at installation.
Attackers exploit this model by using social engineering techniques to convince users to grant dangerous permissions after installation.
Permission-based malware classification has shown strong detection performance in previous studies.
Existing Malware Detection Approaches
Static analysis examines permissions and code before execution but can be bypassed through code obfuscation.
Dynamic analysis monitors runtime behavior and can detect attacks more accurately but often identifies threats only after malicious activity begins.
Existing systems such as MalScan, MaMaDroid, and HearMeOut face challenges related to computational cost, deployment complexity, or delayed detection.
Research Gaps
The study identifies five major shortcomings in existing solutions:
Lack of early-stage detection before attacks begin.
Limited use of runtime permission request patterns as primary detection features.
Few solutions designed specifically for vishing malware.
Poor deployability due to operating-system modifications or computational requirements.
Absence of a lightweight system combining both install-time and runtime permissions.
Proposed System: VishielDroid
Objective
VishielDroid aims to detect vishing malware during the privilege escalation phase, after installation but before malicious telephony operations occur.
Three-Phase Attack Model
1. Malware installation through malicious links or unofficial app stores.
2. Privilege escalation via dangerous runtime permission requests.
3. Execution of malicious actions such as call interception, redirection, and caller ID spoofing.
VishielDroid focuses on detecting threats during Phase 2, preventing damage before malicious actions are performed.
Classification Module (CM) – Uses a pre-trained linear Support Vector Machine (SVM) classifier.
User Interface and Alert Module (UIAM) – Warns users and provides malware removal options.
Feature Engineering and Machine Learning
Analysis of 613 vishing samples and 1,248 benign applications identified 98 significant permission-based features.
Features include:
60 installation-time permissions.
38 runtime permissions.
Highly correlated permissions include:
WRITE_CALL_LOG
PROCESS_OUTGOING_CALLS
READ_SMS
READ_CALL_LOG
WRITE_CONTACTS
The detection model:
Uses a linear SVM classifier trained offline.
Is deployed on Android using ONNX Runtime.
Has a model size of only 2.93 KB.
Performs classification in less than 1 millisecond.
Uses less than 40 MB of memory.
Consumes less than 2% battery per day.
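The feature-selection and classification steps described above can be sketched as follows. This is an added example, not VishielDroid's code: the ten apps are constructed, the |r| >= 0.5 cut-off is an assumed stand-in for the paper's significance test, and a plain hinge-loss subgradient trainer stands in for the offline-trained linear SVM.

```python
from statistics import pstdev

PERMS = ["WRITE_CALL_LOG", "PROCESS_OUTGOING_CALLS", "READ_SMS", "READ_CALL_LOG",
         "WRITE_CONTACTS", "INTERNET", "VIBRATE"]
# Constructed samples: (label, permission bits in PERMS order); 1 = vishing, 0 = benign.
APPS = [(1, "1111010"), (1, "1101110"), (1, "0111111"), (1, "1010110"),
        (0, "0000011"), (0, "0010010"), (0, "0000010"), (0, "0000111"),
        (0, "0001011"), (0, "0000001")]

def point_biserial(xs, ys):
    """Point-biserial r between a 0/1 feature column xs and binary labels ys."""
    n, n1 = len(xs), sum(ys)
    sd = pstdev(xs)
    if sd == 0 or n1 in (0, n):
        return 0.0  # constant feature or single-class data: no signal
    m1 = sum(x for x, y in zip(xs, ys) if y == 1) / n1
    m0 = sum(x for x, y in zip(xs, ys) if y == 0) / (n - n1)
    return (m1 - m0) / sd * (n1 * (n - n1)) ** 0.5 / n

def select_features(apps, min_abs_r=0.5):
    """Keep permissions whose |r| meets the assumed cut-off; also return all scores."""
    ys = [y for y, _ in apps]
    scores = {p: point_biserial([int(bits[i]) for _, bits in apps], ys)
              for i, p in enumerate(PERMS)}
    return [p for p in PERMS if abs(scores[p]) >= min_abs_r], scores

def train_hinge(X, ys, lr=1.0, max_epochs=1000):
    """Hinge-loss subgradient training; stops once every training margin is >= 1."""
    w, b = [0.0] * len(X[0]), 0.0
    for _ in range(max_epochs):
        updated = False
        for x, y in zip(X, ys):
            t = 1 if y == 1 else -1
            if t * (sum(wi * xi for wi, xi in zip(w, x)) + b) < 1:
                w = [wi + lr * t * xi for wi, xi in zip(w, x)]
                b += lr * t
                updated = True
        if not updated:
            break
    return w, b

def build_model(apps=APPS):
    selected, _ = select_features(apps)
    X = [[int(bits[PERMS.index(p)]) for p in selected] for _, bits in apps]
    return (selected, *train_hinge(X, [y for y, _ in apps]))

def is_vishing(requested, selected, w, b):
    """Linear decision: sum the weights of requested permissions, add the bias."""
    return sum(wi for wi, p in zip(w, selected) if p in requested) + b > 0
```

On this constructed set the five telephony, SMS and contacts permissions pass the cut-off while INTERNET and VIBRATE are dropped, and the decision at request time is a single dot product.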
Performance Evaluation
When tested on previously unseen 2023 samples, VishielDroid achieved:
| Metric | Performance |
| --- | --- |
| Accuracy | 99.86% |
| Precision | 100.00% |
| Recall | 99.57% |
| F1-Score | 99.78% |
| F1-Score (Imbalanced Data) | 97.78% |
Key findings:
Outperformed comparable systems by approximately 19.5 percentage points in F1-score.
Maintained excellent performance even when benign applications greatly outnumbered malicious ones.
Demonstrated strong real-world applicability due to its lightweight design and low resource consumption.
Conclusion
This paper traced the evolution of voice phishing threats and discussed current approaches for detecting Android malware, exposing a need for detection before harmful actions are carried out, runtime behavioral analysis, and easy-to-deploy solutions. VishielDroid meets this need by utilizing a hybrid permission analysis (a combination of install-time declarations and runtime request patterns) with a lightweight, offline SVM, on rooted or unrooted devices, to classify requests.
VishielDroid's second-phase strategy generates proactive alerts on phone call-related activity before any malicious calls can occur, which is a qualitative improvement over existing reactive solutions such as HearMeOut. With its extremely lightweight footprint (2.93 KB model, <1 ms delay, <2% battery usage per day), it is capable of being deployed to mass consumer devices running Android versions 8.1 to 12. Future work is expected to look into using LSTMs for temporal sequences, fusing additional multi-modal features such as API call patterns and network activity, federated learning to provide model updates in a private way, and adding detection for related types of malware, such as banking Trojans and spyware.
References
[1] Kim, J., Kim, J., Wi, S., Kim, Y., & Son, S. (2022). HearMeOut: Detecting voice phishing activities in Android. In Proceedings of the 20th Annual International Conference on Mobile Systems, Applications and Services (pp. 289–301).
[2] Lee, C., Kim, B., & Kim, H. (2025). The silence of the phishers: Early-stage voice phishing detection with runtime permission requests. Computers & Security, 152, 104364.
[3] Song, J., Kim, H., & Gkelias, A. (2014). iVisher: Real-time detection of caller ID spoofing. ETRI Journal, 36(5), 865–875.
[4] Sahin, M., Francillon, A., Gupta, P., & Ahamad, M. (2017). SoK: Fraud in telephony networks. In Proceedings of the 2nd European Symposium on Security and Privacy (pp. 235–250).
[5] Wu, Y., Li, X., Zou, D., Yang, W., Zhang, X., & Jin, H. (2019). MalScan: Fast market-wide mobile malware scanning by social-network centrality analysis. In Proceedings of the 34th IEEE/ACM International Conference on Automated Software Engineering (pp. 139–150).
[6] Li, H., Zhou, S., Yuan, W., Luo, X., Gao, C., & Chen, S. (2021). Robust Android malware detection against adversarial example attacks. In Proceedings of the 30th International Conference on World Wide Web (pp. 3603–3612).
[7] Singh, A., Tanha, M., Girdhar, Y., & Hunter, A. (2024). Interpretable Android malware detection based on dynamic analysis. In Proceedings of the 10th International Conference on Information Systems Security and Privacy.
[8] Li, J., Sun, L., Yan, Q., Li, Z., Srisa-An, W., & Ye, H. (2018). Significant permission identification for machine-learning-based Android malware detection. IEEE Transactions on Industrial Informatics, 14(7), 3216–3225.
[9] Onwuzurike, L., Mariconti, E., Andriotis, P., Cristofaro, E. D., Ross, G., & Stringhini, G. (2019). MaMaDroid: Detecting Android malware by building Markov chains of behavioral models (Extended version). ACM Transactions on Privacy and Security, 22(2), 1–34.
[10] Kouliaridis, V., Kambourakis, G., & Peng, T. (2020). Feature importance in Android malware detection. In Proceedings of the 19th International Conference on Trust, Security and Privacy in Computing and Communications.
[11] Nahapetyan, A., Prasad, S., Childs, K., Oest, A., Ladwig, Y., Kapravelos, A., & Reaves, B. (2024). On SMS phishing tactics and infrastructure. In Proceedings of the 45th IEEE Symposium on Security and Privacy.
[12] Android Developers. (2024). Android 6.0 changes. Retrieved from https://developer.android.com/about/versions/marshmallow/android-6.0-changes