I’ve been covering spam calling for years, so when Google offered me details about a new Android feature built to detect and flag spoofed calls, I was ready to hear more. What I didn’t expect from the demo was to hear my own voice.
“I’m so excited to be interviewing you today about this new fake call detection feature!” I heard myself saying while a headshot I’ve used publicly for years popped up on the demo device. The caller ID name said “Lily.” “Unfortunately, I lost my wallet and I’m stuck. Any chance you can Venmo me so I can take an Uber to the interview?”
As my disembodied voice calmly made the ask, a pop up appeared as an overlay on the regular call screen: “This may not be Lily. Someone may be pretending to call from your contact’s number.”
For Android phones calling each other, the new feature does a digital validity check and flags with a pop-up warning if a call isn’t coming from your contact’s smartphone and may be a scam. When the feature flags a call as a scam, it instantly removes the contact photo from the backdrop of the call to underscore the seriousness of the situation (not shown in the prototype demo Google made for WIRED). And the feature also changes the entry in Android’s recent call log to say “Unknown caller” instead of displaying the contact name.
Spam calls have been a scourge for decades, and the threat has only ramped up as attackers have started incorporating AI voice-cloning tools into their attacks—making it possible to convincingly mimic an acquaintance of a victim, or even a family member, in real-time. And while a years-long push has improved detection of traditional robocalling, it hasn’t eliminated the problem, and not all spam calls get flagged. Those calls that still slip through the cracks are particularly problematic as attackers focus their attention on impersonation scams—making it look like their call is coming from a number you trust, or at least recognize, and then using AI tools to sound like the person you expect when you pick up.
With these types of invasive and potentially devastating scams on the rise, Dave Kleidermacher, Android’s vice president of security and privacy, and Eugene Liderman, director of Android security and privacy product, say that there was a real desire within Google to move defenses for victims forward. And they emphasized that while an obvious strategy is to attempt to fight fire with fire—to use AI tools to help detect voice clones in calls—this strategy alone is insufficient. It can have false positives and false negatives, but it can also feed an endless arms race between attackers and defenders.
“We’re always looking at whether there is a provable way, something much higher confidence that we can do,” Kleidermacher says.
The feature is built on the RCS communication standard and baked into the Google Dialer. Beginning today, it will start rolling out in updates for all Android phones running Android 12 (from 2021) and later. The mechanism uses RCS to digitally bind your phone number with your actual smartphone handset. When you call another Android user, your device will send what Kleidermacher describes as “a real-time, silent background confirmation signal” to the device of the person you’re calling to verify the legitimacy of your call. If that hardware-based confirmation is missing, the Google Dialer will flag the call.
“If you’re calling me and we’re in each others’ mutual contacts databases, and we’re both using the Google dialer that has this capability built into it, then I will always know if it’s really you,” Kleidermacher says. “If someone tries to call me through a VoIP session or some other mechanism and spoof your phone number and your voice, the Dialer will say that this is not you.”
