Outgoing communications from a user device are monitored following a notification that an application is installed on a user device. When a number of the outgoing communications to a premium-rate number during a predetermined period of time exceeds a corresponding quantity threshold, the pattern of the outgoing communications may be ascertained to be anomalous. A user device is directed to present a prompt that requests an input as to whether the outgoing communications are authorized. In response to a first input that the outgoing communications are unauthorized, additional outgoing communications from the user device to the premium-rate number are blocked for a predesignated amount of time. Further, the first input is stored as a corresponding vote that the application is malicious. In response to a second input that the outgoing communications are authorized, the second input is stored as a corresponding vote that the application is non-malicious.