Millions of Android users searched for answers about someone else’s calls. They found apps promising exactly that. And they paid for it.
Researchers at ESET uncovered the scheme. They named it CallPhantom. The 28 apps sat on Google Play. They racked up more than 7.3 million downloads before removal. One title alone topped 3 million installs. (WeLiveSecurity)
The pitch sounded simple. Enter any phone number. Pay a fee. Receive call logs, SMS records, even WhatsApp history. But the promise broke on contact with reality. No app could deliver real data from another person’s device. The output was fabricated. Random numbers paired with hardcoded names and timestamps. All generated inside the code.
But curiosity proved expensive. Users in India and across the Asia-Pacific region formed the main targets. Many apps defaulted to India’s +91 country code. They pushed UPI payments popular there. Subscriptions ranged from a few dollars to as high as $80. Some victims never saw refunds.
The apps looked ordinary enough. Simple interfaces. No requests for dangerous permissions. They didn’t need them. Because they contained zero code to fetch actual communication records. “The offending apps, which we named CallPhantom based on their false claims, purport to provide access to call histories, SMS records, and even WhatsApp call logs for any phone number,” said ESET security researcher Lukáš Štefanko. “To unlock this supposed feature, users are asked to pay — but all they get in return is randomly generated data.” (The Hacker News)
The operation was under way by at least November 2025. ESET reported the full list to Google on December 16, 2025. All apps were gone by publication. Google acted. Yet the episode exposes cracks that remain in the world’s largest app store.
How the deception unfolded
Users opened an app. They typed a number. The interface teased partial results. A few fake entries appeared free. Full history required payment. One cluster of apps generated data on the spot from embedded templates. Names, country codes, call durations sat hardcoded. Random phone numbers filled the gaps. Another group asked for an email address. Supposedly the full report would arrive there. But nothing generated until money changed hands.
Some apps played extra tricks. Exit without paying? A notification popped up styled like a new email. “Your call history results have arrived,” it claimed. Tap it. Straight to the subscription page. Deception layered on deception.
Payment paths varied. Some used Google Play’s official billing. Those offered a chance at refunds. Others bypassed it entirely. They loaded hardcoded UPI links or pulled fresh ones from a Firebase realtime database. Operators could swap accounts on demand. Direct card forms appeared inside certain apps. Both tactics violated Google policy. They also left victims chasing refunds from third parties or developers who had no interest in paying back.
One app even listed a developer name suggesting ties to “Indian gov.in.” The goal was obvious. Borrow authority. Lower defenses. (Android Authority)
Analysis of the code confirmed the fraud. No network calls pulled real telecom data. No access to WhatsApp databases. The apps used Firebase Cloud Messaging for command and control. But their core function stayed social engineering. Exploit the desire to peek behind curtains. Deliver nothing of value.
Reviews on the store eventually turned sour. Users complained they received garbage data. Some demanded refunds. The pattern repeated across nearly identical titles. “Call History of Any Number.” “Call Details of Any Number.” Slight variations in spelling and packaging. All part of the same cluster. ESET assigned detection names from Android/CallPhantom.A through Android/CallPhantom.Z and beyond.
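The traits described above lend themselves to a simple static triage pass for app reviewers. The sketch below is an added example, not code from ESET's report or from the apps: it flags an app that advertises records "of any number" without holding any record-reading permission, or that embeds a UPI payment link with no Play Billing marker. The function name, finding labels and sample inputs are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

UPI_RE = re.compile(r"upi://pay\?[^\s\"'<>]+", re.I)
RTDB_RE = re.compile(
    r"https://[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:firebaseio\.com|firebasedatabase\.app)", re.I)
CLAIM_RE = re.compile(
    r"(call|sms|whatsapp)\s+(history|details|logs?|records?)\s+of\s+any\s+number", re.I)
BILLING_MARKERS = ("com.android.billingclient", "com.android.vending.BILLING")
# Permissions needed to read even the *local* device's records.
RECORD_PERMS = {"android.permission.READ_CALL_LOG", "android.permission.READ_SMS"}

def triage(strings, permissions):
    """Return (verdict, findings) for one app's extracted strings and permissions."""
    blob = "\n".join(strings)
    findings = []
    play_billing = any(m in blob or m in permissions for m in BILLING_MARKERS)
    for hit in UPI_RE.findall(blob):
        # "pa" is the payee address field of a UPI deep link.
        payee = parse_qs(urlsplit(hit).query).get("pa", ["<none>"])[0]
        kind = "upi_link" if play_billing else "upi_link_without_play_billing"
        findings.append((kind, payee))
    # A realtime-database endpoint is common in legitimate apps; context only.
    findings += [("firebase_rtdb_endpoint", u) for u in RTDB_RE.findall(blob)]
    if CLAIM_RE.search(blob) and not RECORD_PERMS & set(permissions):
        findings.append(("record_claim_without_permissions", ""))
    risky = {"upi_link_without_play_billing", "record_claim_without_permissions"}
    verdict = "review" if any(k in risky for k, _ in findings) else "ok"
    return verdict, findings

# Constructed samples, not taken from any real app.
SUSPECT_STRINGS = [
    "Call History of Any Number",
    "upi://pay?pa=placeholder@examplebank&pn=Example&am=399&cu=INR",
    "https://example-project-default-rtdb.firebaseio.com/links.json",
]
SUSPECT_PERMS = ["android.permission.INTERNET"]
DIALER_STRINGS = ["Recent calls", "com.android.billingclient.api.BillingClient"]
DIALER_PERMS = ["android.permission.READ_CALL_LOG", "com.android.vending.BILLING"]

if __name__ == "__main__":
    print(triage(SUSPECT_STRINGS, SUSPECT_PERMS))
    print(triage(DIALER_STRINGS, DIALER_PERMS))
```

A "review" verdict is a prompt for manual inspection, not proof of fraud. Apps that fetch payment links at runtime leave no UPI string to match, which is why the database endpoint is reported as context.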
The financial toll adds up. Even at an average of €5 per low-tier subscription, millions of downloads translate to substantial revenue. Higher tiers at $80 pulled in more from the most eager marks. And because some payments bypassed Google, the company couldn’t automatically cancel or refund them all. Affected users must contact banks, payment providers, or the developers directly. Success rates remain low.
This isn’t the first time curiosity-driven scams have thrived on mobile. But the scale here stands out. Over 7 million installs on official storefronts. The apps didn’t hide in shady APK sites. They passed Google’s automated checks and manual reviews long enough to accumulate massive audiences.
Google has strengthened Play Protect and tightened policies in recent years. It requires disclosure for apps using certain billing flows. It scans for suspicious behavior. Yet CallPhantom slipped through until an external researcher flagged the full set. The episode raises fresh questions about scale. How many similar campaigns operate at smaller volumes, under the radar?
Recent coverage highlights the speed of response once exposed. Within days of ESET’s December 2025 notification, the apps vanished. Google confirmed removal. But the damage was done. And new reports from this week show the story spreading fast. (Help Net Security, published May 7, 2026)
Experts warn that similar tactics could evolve. Replace call logs with bank transaction lookups. Or social media activity. The bait changes. The mechanism stays constant. Promise impossible access. Collect payment. Deliver random strings dressed as secrets.
Users who paid through Google Play billing still hold some recourse. They can visit the Play Store app, tap their profile, navigate to Payments & subscriptions, and cancel active subscriptions. Refunds depend on timing and policy. Those who entered card details directly or paid via third-party UPI apps face steeper hurdles.
The broader lesson cuts deeper. Android’s open nature invites innovation. It also invites abuse. Developers can ship apps with minimal permissions yet still extract money through pure psychology. No spyware. No data theft. Just lies that sound plausible enough.
Štefanko and his team at ESET classified the family under multiple CallPhantom variants. Their report stands as the definitive account so far. It details every payment screen, every hardcoded template, every Firebase interaction. The technical depth leaves little room for doubt. These weren’t buggy tools. They were built to mislead from the first line of code.
Industry insiders tracking mobile fraud see echoes of older premium SMS scams and fake antivirus campaigns. But this version feels more modern. It leans on app store legitimacy. It exploits a specific cultural curiosity about phone records common in certain markets. And it times the ask perfectly. Tease the data. Then block it behind a paywall.
What happens next? Google will likely audit similar query tools more aggressively. Researchers will hunt for copycats. Users, one hopes, will grow more skeptical of any app claiming to reveal private records from arbitrary numbers. Because technically, it’s impossible without cooperation from carriers or the device owner. And no legitimate service offers it for a few dollars.
CallPhantom didn’t steal data. It didn’t need to. It simply sold the idea of it. And millions bought the story before the curtain fell.


WebProNews is an iEntry Publication