Twenty-eight apps sat on Google Play. They promised the impossible. Users could view call histories, SMS records, and even WhatsApp logs for any phone number. Curiosity did the rest. Over 7.3 million downloads followed. Payments poured in. What users received was random noise dressed up as data.
The operation, tracked as CallPhantom by researchers at ESET, preyed on a simple human impulse. Who hasn’t wondered what calls a certain number has made? The apps delivered nothing real. But the charges stuck. Some hit as high as $80. And for many victims, getting money back looks difficult.
Curiosity Meets Subscription Traps
The scheme operated with surprising simplicity. Apps featured clean interfaces. They requested no dangerous permissions. No code existed to pull actual phone records. Instead, developers hardcoded names, Indian country codes, and templates. Random numbers filled in the gaps. Timestamps and durations completed the illusion.
Users entered a phone number. Partial fake results appeared first. Full access required payment. Some apps pushed subscriptions through Google Play’s official system. Others bypassed it entirely. They directed users to third-party UPI apps popular in India, including PhonePe and Paytm. A few embedded card checkout forms directly. All these off-platform methods violated Google’s rules. They also left victims without easy refunds.
One cluster generated fake logs immediately after payment. Another asked for an email address first. No data arrived until money changed hands. If users tried to leave without paying, deceptive notifications popped up. “Your call history has been sent,” they claimed. Taps led straight back to the subscription page. Classic pressure tactic.
Lukáš Štefanko, the ESET security researcher who led the investigation, described the core deception clearly. “The offending apps, which we named CallPhantom based on their false claims, purport to provide access to call histories, SMS records, and even WhatsApp call logs for any phone number,” he said in the ESET report. “To unlock this supposed feature, users are asked to pay — but all they get in return is randomly generated data.”
One app alone racked up more than 3 million downloads. Its package name read like gibberish: calldetaila.ndcallhisto.rytogetan.ynumber. Others carried titles such as “Call History of Any Number” or “Phone Call History Tracker.” At least one listed its developer as “Indian gov.in” to borrow credibility. None had any government ties.
Negative reviews piled up on the store pages before removal. Users complained of scams. They reported fabricated data and unauthorized charges. Yet downloads kept climbing. Fake positive reviews and the apps’ presence on the official store lent them legitimacy. The campaign appears to have run since at least November 2025. ESET reported the apps to Google on December 16, 2025, through its App Defense Alliance partnership. All 28 disappeared from Google Play by early May 2026.
Subscriptions handled through official Google billing were canceled after removal. Refunds remain possible within policy windows. But users who paid via UPI apps or entered card details directly face steeper hurdles. They must chase banks, payment providers, or the shadowy developers. Google holds no sway over those transactions.
The targeting focused on India and the wider Asia-Pacific region. Many apps defaulted to the +91 country code. They integrated UPI support. This wasn’t random. The operators understood local payment habits and tailored the fraud accordingly.
But CallPhantom doesn’t stand alone. It reflects a broader pattern of mobile fraud that exploits trust in official app stores. Just weeks earlier, reports highlighted similar tactics elsewhere in the region. A separate campaign in Indonesia, tracked by Group-IB, stole an estimated $2 million. Fraudsters posed as the country’s tax authority and 16 other trusted brands. They sent fake apps via WhatsApp. Victims sideloaded the APKs. Malware such as Gigabud RAT, MMRat, and Taotie followed. The code harvested data, enabled account takeovers, and drained accounts.
“The attack chain integrates phishing websites, social engineering (WhatsApp), malicious APK sideloading, and voice phishing (vishing) to achieve full device compromise and unauthorized transfer execution,” Group-IB analysts wrote in their analysis, as reported by The Hacker News. The infrastructure abused multiple brands to hit Indonesia’s population of roughly 287 million.
These incidents expose cracks in mobile security. Official stores scan submissions. Yet sophisticated social engineering and polished fake functionality still slip through. CallPhantom apps needed no spyware capabilities. Their power came from psychology and billing tricks. No call logs were stolen. No devices were compromised in the traditional sense. The damage was purely financial. And it scaled to millions.
Researchers noted two distinct clusters within the 28 apps. The first showed partial fake results upfront. The second delayed everything until after email collection and payment. Both relied on hardcoded data or simple randomization. One technique pulled control information from a Firebase realtime database. Operators could rotate payment accounts without updating the apps. That flexibility kept the scheme alive longer.
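The traits described above (a listing that claims call, SMS or WhatsApp records, no permission that could read them, off-platform UPI payment, a remotely hosted config) can be combined into a simple static triage rule. The sketch below is an added example, not ESET's detection logic or code from the apps; the regexes, the `upi://pay` string indicator, the finding names and all sample inputs are assumptions constructed for illustration.

```python
import re

# Permissions needed to read even the local device's own records.
DATA_PERMS = {"android.permission.READ_CALL_LOG", "android.permission.READ_SMS"}
# Listing claims of the kind quoted in the article ("Call History of Any Number").
CLAIM_RE = re.compile(r"(call|sms|whatsapp)\s+(history|logs?|records?|details?)", re.I)
# Assumed string indicators; none are taken from the actual samples.
UPI_RE = re.compile(r"\bupi://pay\b", re.I)
FIREBASE_RE = re.compile(
    r"https://[\w.-]+\.(?:firebaseio\.com|firebasedatabase\.app)", re.I)


def triage(listing_text, permissions, strings):
    """Return (findings, escalate) for one app's listing, manifest and strings."""
    blob = "\n".join(strings)
    findings = []
    # The app advertises records it has no permission to read.
    if CLAIM_RE.search(listing_text) and not DATA_PERMS & set(permissions):
        findings.append("claim-without-capability")
    if UPI_RE.search(blob):
        findings.append("upi-payment-handoff")
    if FIREBASE_RE.search(blob):
        findings.append("remote-config-endpoint")
    # Payment or remote-config strings alone are common in legitimate apps;
    # escalate only when they accompany an unsupported data-access claim.
    escalate = "claim-without-capability" in findings and len(findings) > 1
    return findings, escalate


# Constructed sample inputs (not real apps).
SCAM_LIKE = ("Call History of Any Number: get call details and SMS records",
             ["android.permission.INTERNET", "com.android.vending.BILLING"],
             ["upi://pay?pa=placeholder@upi&pn=Placeholder",
              "https://placeholder-project.firebaseio.com/config.json"])
DIALER = ("Dialer with call history for your own device",
          ["android.permission.READ_CALL_LOG"], ["Recent calls"])
SHOP = ("Order groceries online",
        ["android.permission.INTERNET"],
        ["upi://pay?pa=placeholder@upi"])

if __name__ == "__main__":
    for name, app in (("scam-like", SCAM_LIKE), ("dialer", DIALER), ("shop", SHOP)):
        print(name, triage(*app))
```

A hit is a reason for manual review of the listing and payment flow, not a verdict, since the rule keys on marketing text and strings rather than behavior.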
Security teams advise immediate checks for anyone who downloaded similar utilities. Review Google Play subscriptions. Examine bank statements for unfamiliar charges. Dispute where possible. But prevention beats recovery. Avoid apps promising access to private data that carriers and platforms guard closely. Real call history for arbitrary numbers isn’t available through consumer apps. Claims otherwise should raise immediate flags.
Google removed the apps promptly once notified. The company also canceled linked subscriptions. Yet the episode underscores persistent challenges. Bad actors test boundaries. They ship simple scams that don’t trigger malware detectors. They combine them with aggressive monetization. Users in high-trust environments like official stores lower their guard.
Štefanko and his team emphasized the human element. “These apps… falsely promise to retrieve call logs, SMS records, and WhatsApp call history for any phone number, a technically impossible claim designed solely to exploit people’s curiosity and mislead them into paying,” the researcher noted. Many apps sidestepped official billing. That choice complicated refunds and increased victim losses.
The financial toll remains hard to quantify precisely. With 7.3 million installs and conversion rates even in the low single digits, losses could reach millions of dollars. Especially when top-tier subscriptions commanded $80. Third-party payments shielded operators from platform oversight. They also shielded them from easy victim recourse.
This case adds to growing warnings about Android threats in 2026. Earlier analyses from firms like Kaspersky highlighted NFC skimming, pre-installed trojans, and messaging-based malware distribution. Yet CallPhantom stands out for its reliance on legitimate distribution channels and absence of traditional malicious code. It succeeded through deception alone.
Industry observers expect more variants. As detection improves for overt malware, fraudsters shift toward these lighter scams. They require less technical sophistication but deliver steady revenue. The barrier to entry drops. The potential audience grows with every new smartphone.
Users hold some power. Scrutinize permissions. Read recent reviews before installing. Question any app that offers forbidden knowledge about others’ communications. And when an offer seems too intriguing to ignore, pause. The data it promises probably doesn’t exist. The charge, however, will.
Google continues to refine its Play Store protections. Partnerships like the App Defense Alliance surface threats faster. But the volume of submissions makes perfect screening impossible. Responsibility spreads across platforms, developers, and end users. In this instance, the platform reacted. The developers profited first. Users paid the price.


WebProNews is an iEntry Publication