So apparently Android lets your app make outbound phone calls in multiple ways (as always), the most basic ones are either via activity with android.intent.action.CALL intent, which pulls up the dialer and fires off a phone call, or via ITelephony.call() library call. Both normally require android.permission.CALL_PHONE, unless you figure out a way to dodge the permission checks, but the former is harder to detect. While you can simply grep for the ITelephony case, the other one – action called with an intent – requires some control flow tracing, which gets messy fast. Of course, both can be obfuscated, but that is a different can of worms for another day.

Bottom line – every piece of information extracted from an Android APK carries some value – intents, activities, library calls, anything – because only the careful juxtaposition of all these types of facts lets us judge one way or another about an app.