Using Phone Contact Book Apps For Digital Research
Popular apps such as TrueCaller or GetContact advertise the ability to see who is really calling you, even if you do not know the number, and alert the app user of spam or scam calls. However, the way that these apps gather information to determine the name of an unknown caller is not as broadly advertised.
With many of these apps, this information comes as the result of vacuuming up the contact books of their users, then cross-referencing the data with other instances of the same number being used as well as with Facebook profiles that list a number.
Most of these apps are smart enough to figure out that “Mom” or “Dad” is not a useful name to display for an incoming unknown number, but will often refer to the literal name given in a contact book, which can be incomplete, derogatory, or mnemonic. For example, a 2014 article about the now-discontinued app Noknok describes how many women are labeled by insulting names, and one woman found herself on the site listed as “Ness booty call 2.”
Other phone contact books may provide more information about an individual’s background, such as in a New York Times investigation into the killing of Jamal Khashoggi that used one of these apps to reveal key information:
A fourth suspect traveled with a passport bearing the name of another member of the royal guard, Muhammed Saad Alzahrani. A search of the name in Menom3ay, an app popular in Saudi Arabia that allows users to see the names other users have associated with certain phone numbers, identified him as a member of the royal guard. A guard wearing a name tag with that name appears in a video from 2017 standing next to Prince Mohammed.
We have used these apps in our investigations as well, including in the identification of a GRU officer linked to the downing of MH17, Oleg Ivannikov. Two phone numbers we knew to be associated with this man revealed his cover identity used in Ukraine (“Andrei Ivanovich”), while another number revealed his birth name used in Russia, Ivannikov.
Using information saved through phone contact book apps is an oft-neglected resource in digital investigations, largely due to the sheer number of these apps and their invasive privacy policies.
Additionally, the vast majority of the apps in question require a phone to use them, while lacking an accessible web version of their database, making research more cumbersome. This guide will detail how to use these apps in a relatively safe context — either through an Android virtual machine or on a “burner phone” not connected to a researcher’s actual email accounts or phone number.
Getting Your Research Device Ready
To set up an emulated Android phone for your PC — in other words, a program that you run on your computer that pretends to be a phone — see this guide I wrote for instructions on using Genymotion. You can also use Bluestacks or other Android emulators, some of which have iOS versions. Not all of these contact book apps will work on an Android emulator, but most will. If you use one of these Android emulators and aren’t worried about using a real phone or phone number, feel free to skip this section.
My preferred method for researching is to use an unlocked “burner phone” — in my case, an old, dirty, cracked Nexus 5X that I haven’t used since I upgraded to a new phone in 2016. I gave the phone a factory reboot and linked it to a Gmail account created specifically for research, and without any SIM card or attached phone number. From there, via a Wifi connection, I installed a number of apps that are useful for research that I cannot necessarily do on my PC.
Some of these contact book apps require an actual phone number to do SMS verification. Many people have found success using a Google Voice number or other service to generate a phone number just for this purpose. While this will work for some sites, many platforms — namely Facebook — will recognize that a number is not “genuine” (i.e. connected to a service like Google Voice instead of a real SIM card), and will not let this number be used for verification.
I would strongly advise against using your actual phone number for this, let alone using your real phone, so I bought a SIM card through Tracfone’s website along with $20 of minutes from a nearby Dollar General. I was able to use this new SIM card/phone number with my Nexus 5X because it isn’t linked to any specific phone carrier — you may need to purchase a new phone if your old one isn’t unlocked (you can do this for as little as $20 via Tracfone or another pre-paid wireless carrier). Consult this US-focused guide created by the NoContract subreddit for more information on various phone options without a monthly contract.
At many airports, you can buy a SIM card at a machine or kiosk with pre-paid minutes. While I have not tested these out for SMS verification purposes, it is worth a try next time you are traveling and see a cheap SIM card sold in your terminal.
If you are in the United States, you can buy a Tracfone SIM card for a dollar and free shipping (at the time of publishing this article). If you are based outside of the United States and cannot buy a cheap SIM card with pre-paid minutes, or are concerned with very sensitive privacy issues, this method is not for you. In this case, you should consult other resources online for anonymously acquiring a phone number that cannot be linked back to you via credit card or telecom data. As you can see in the screenshot below, I bought the Tracfone SIM card with my personal credit card, and I did the same for the Tracfone minutes. I am not very concerned with issues of privacy around this phone, but if I were, I obviously would not go this route.
Using this cracked phone too much would take a toll on my fingers, and I already prefer to do as much research as possible on my actual PC, so I use a phone mirroring program to control this phone from my computer. There are a lot of options — some free, some paid — to do this, but I use Apowermirror (free and paid versions).
I have also had success with Airdroid (free and paid) and Microsoft Remote Desktop (free). If you want to control your phone through your PC or Mac’s mouse and keyboard, it’s best to plug in your device via USB. Device settings will differ depending on your application, but most will require you to turn on USB debugging mode (if you don’t know how to do this, add your phone model to this search). Once it’s all set up, this is what your application should look like (if it’s Apowermirror): your phone’s display, perhaps with a few extra options in the application’s interface, and the ability to use your PC’s mouse and keyboard as an input device (via the mirroring application).
Phone Contact Book Apps
There are dozens of phone contact book apps available on iOS and Android, ranging from ones that are popular all over the world (GetContact, TrueCaller) to others that are only popular in particular countries or regions. This guide will not detail every one of these apps, but will look at about a dozen of the more popular ones from the Google Play Store and detail the requirements, pros/cons, and capabilities for each of them. If you know of a popular contact book app that is not included in this guide, please note the app in the comments so we can add a section about it.
In each of these summaries, a few reference numbers are used to find results: my own phone number, the number of a London colleague, the support number for Verizon Wireless, the publicly-released cell phone number of Donald Trump, and the phone number of Russian commander/separatist Aleksandr Borodai. For the apps not focused on American users, I found public numbers that would likely be in contact books, such as public service hotlines, to see how the app gathered and published information. Obviously, this is an extremely small sample size, but it’s best to test out phone numbers relevant to your own research area to see which app is most effective.
Most of these apps require you to agree to extremely invasive privacy policies and permissions. Because we are using either a fake (emulated) phone or a “burner” phone not linked to our actual identities, feel free to accept most all of these, as it is always possible to run a factory reset on the device if the apps create any problems. If you install even half of these apps, you will have a half-dozen apps hogging your phone’s memory running in the background, and if you ever make an actual call or receive a call on this device, it will cause all of the apps to simultaneously come to life to tell you about the phone number — so, needless to say, don’t use this device for actual phone calls.
The following contact book apps are detailed in this guide, in order: GetContact, TrueCaller, CallApp, Hiya, Dalily, Tellows, Eyecon, Viewcaller, Showcaller, Whoscall. There are dozens of other contact book apps not included in this post, but they operate under roughly the same parameters as the ones detailed below.
GetContact
Requirements: SMS verification, email address
Contact details: Lists one possible name, no user comments available
Success rate: 1/5 (found Borodai’s number, and every other Russian and Ukrainian number I tried to search, but was not able to even attempt to search any +1 or +44 numbers)
GetContact is one of the best, if not the best, contact book apps, despite the fact that it does not work or is banned in many countries. Most phone numbers in Russia and Ukraine, for example, will return back associated names. However, in the United States and United Kingdom (among other countries), GetContact does not even allow you to try and search numbers, likely due to legal or privacy restrictions.
You must be able to verify an SMS message to use GetContact, meaning that you should use a phone number associated with a research-only or burner phone to activate your account. I have not tried to use Google Voice or other services to try and authenticate GetContact.
While GetContact is very limited in the number of countries it will provide information for, it has a lot of information for numbers it is able to search. For example, I tried searching every number from the phone logs published by the parents of the American man who disappeared while trying to travel to eastern Ukraine. Almost every number with a Russian or Ukrainian code brought back a result on GetContact, showing how wide reaching its user base is in the region.
GetContact has a web version, but I was not able to get it to work from my phone.
TrueCaller
Requirements: Either Google (Gmail) or a Microsoft Live account
Contact details: Only lists one possible name. Provides tags to describe number (business, personal, spam, etc.)
Success rate: 4/5 (didn’t recognize London colleague)
This is one of the only apps that does not require a mobile device to access their database of numbers. Go to truecaller.com in an incognito or private window, and from there, log into your research/non-personal Gmail or Microsoft Live account to search for numbers on your browser. In most countries, you can create a Gmail account in 30 seconds from the login screen, with the only required information being a username, password, first/last name, date of birth, and gender (no phone number or recovery email required).
After signing in, just search for a number for results — no paywall or SMS verification required.
CallApp
Requirements: Google/Gmail account, Facebook account, or SMS verification
Contact details: Lists comments from users about number, gives a reliability score to number, shows how often the number was searched
Success rate: 3.5/5 (Verizon, Trump, London colleague, possibly incorrect with Borodai)
This app allows you to sign in through a few different methods — a Facebook account, Google (Gmail) account, or through SMS verification — and also heavily incorporates Facebook results to build its user database.
CallApp is complemented by a number of social features, including additional contact book details that many other apps don’t include, such as an email address. That said, with the three hits of the five options we tested, the Verizon support number showed some inaccurate information pulled from some user’s contact book and the Trump number listed a New Zealand address. The results for the London-based colleague were correct. Additionally, the Borodai search brought back a false hit for a man named “Alexsander Firsov,” though it’s possible that Borodai’s old number is now being used by someone else.
Hiya / Mr Number
Free? Subscription required
Contact details: n/a
Success rate: n/a
Hiya is run by the same company as Mr Number, with Hiya focused more on reverse phone lookup, and Mr Number specializing in spam notification and call blocking. However, these services require a paid subscription ($1.25/month) to access their database, so we did not go any further in testing the app.
Dalily
Contact details: Can search by either name or number, and also will provide all contact book information (email, etc), not just name and number
Success rate: n/a
Unlike other apps detailed in this guide, Dalily only features Arabic-speaking countries and has no use for any person outside of the Middle East or North Africa. All of the countries included in this app are seen below, along with Yemen (the very last entry).
An example of the information provided by Dalily can be seen below, with the contact book entry for the Saudi National Water Company.
Tellows
Contact details: Provides a score to the number, related to spam/scam calls. Will list user-submitted comments on each number as well. Will show the number of times that a number has been searched for
Success rate: 1/5 (Only recognized Verizon)
With no required accounts or phone numbers, Tellows is very easy to use and has some of the more interesting features of any contact book app. As seen below, Tellows will provide user-submitted comments for a number, but will also show how many times a number has been searched by Tellows users.
Eyecon
Requirements: Valid phone number for SMS verification
Contact details: Photograph and one name for the contact
Success rate: 2/5 (Only found Trump and Verizon)
You need to have a valid phone number that can receive an SMS message to use Eyecon, but no email or social media accounts are necessary. After this, the app will ask for a name to use, but this obviously does not have to be your real identity.
To search for a number, you need to select the “Unknown” option on the top-right of the main search page. From there, type in the number that you want to search, then select “Search”. Both of these options are highlighted in yellow below.
This app could not find any of the non-U.S. numbers I searched, showing that it is quite geographically limited in its results.
Viewcaller
Contact details: Only one name, very basic details
Success rate: 2/5 (Verizon, Trump)
One of the most bare-bones apps in this post, Viewcaller does not require any sort of authentication or login, and only gives one name for a number. The app does not provide any additional details.
Showcaller
Contact details: Only one name listed, comments can be submitted by users.
Success rate: 1/5 (Only recognized Verizon)
This app is very easy to use and does not have many requirements (e.g. no SMS verification, email, etc.), but also has a small database of phone numbers to work with. The only phone number of the five tested that had a return was for the Verizon Wireless support number, but it incorrectly identified its origin as Russia. A later search showed its location as Kentucky, reflecting how this app only allows one detail per number that will overlap from multiple users’ input.
Whoscall
Requirements: Facebook or Google (Gmail) account
Contact details: Provides main name and multiple suggestions of alternate names used in users’ contact books, sometimes provides address and other contact book details
Success rate: 1.5/5 (Recognized Verizon, had a joke Trump entry)
Whoscall requires either a Facebook or Gmail account, but these can be dummy accounts set up just to use for this app. Searching for numbers on it is a bit less intuitive than you would expect — you need to select the Keypad tab (second from the left in the bottom row of the app), type in the number you want to search, then click the auto-populated entry that will come up. In an interesting feature, Whoscall will provide a primary name for the number, but will also list other possibilities taken from users’ contact book apps under “Community Report.”
Using contact book apps is an underutilized practice in digital research, but for good reason — most researchers will need to have an extra phone number, spare Gmail and Facebook accounts, and a lot of patience to really use these resources to their fullest potential.
These apps have come, and will continue to come, under fire from security researchers due to their extremely broad and deceptive information gathering practices. Kaspersky Labs’ Leonid Grustniy provided a basic overview of GetContact’s business model and dangers last year, for those curious about the broader security implications of these apps. Within this Kaspersky post is a screenshot of the GetContact app permissions, which seems like a self-parody:
Often with open source research, we look for self-published information about particular subjects, such as that which can be gleaned through business registration documents and social media profiles. However, with hundreds of thousands of mobile apps collecting private data from their users, open source research will continue to be able to gather information from these caches of data either due to the information being public (as with these apps) or being unintentionally leaked.
This trend will lead to plenty of ethical dilemmas about what information should and should not be scraped for research, and instances of even careful, security-conscious individuals having their personal information visible online — this danger will be particularly obvious to those of you who find your personal phone number attached to your name on TrueCaller or GetContact, despite never using those apps yourself.
Addition: @RanLocar noted that some contact book apps could be vulnerable to leaks regarding users’ GPS data, highlighting how you may consider using a VPN or GPS spoofing service through your phone (emulated or physical) when accessing these apps if you are particularly security-conscious.
Great piece. I do have a small addition. A short while ago I stumbled upon an open MongoDB, containing logs of API calls of a Saudi caller ID app (Dalil, as opposed to Dalily). The API calls included the LOCATION of the app user (cell+GPS) https://t.co/XSXsYTzS5v
— Ran Locar (@ranlocar) April 9, 2019