CallPhantom: 28 Fraudulent Android Apps on Google Play Tricked 7.3 Million Users with Fake Call Logs
ESET researchers uncovered 28 fraudulent Android apps on Google Play, collectively named CallPhantom, that tricked over 7.3 million users into paying for fake call logs and SMS records generated from hardcoded data.
ESET researchers have identified a widespread scam campaign on Google Play involving 28 fraudulent Android apps, collectively dubbed CallPhantom. These apps falsely claim to provide access to call logs, SMS records, and WhatsApp call history for any phone number, but instead generate entirely fabricated data from hardcoded values after users pay a subscription fee. Cumulatively downloaded over 7.3 million times, the apps primarily targeted users in India and the Asia-Pacific region.
The investigation began in November 2025 when ESET came across a Reddit post discussing an app named 'Call History of Any Number' on Google Play. The app, published under the developer name 'Indian gov.in' but with no real association with the Indian government, claimed to retrieve call history for any supplied number. Analysis revealed that the app generated random phone numbers matched with fixed names, call times, and durations embedded directly in the code. This fake data was presented to victims only after payment.
Further research uncovered 27 additional related apps, all operating on the same principle. Despite visual differences, each app's purpose was identical: generate fake communication data and charge victims for access. The apps did not request any intrusive permissions, as they had no actual functionality to retrieve real data. ESET reported the full set of fraudulent apps to Google on December 16, 2025, and all have since been removed from the store.
The CallPhantom apps employed three different payment methods, some of which violated Google Play's payments policy. Some used Google Play's official billing system, while others relied on third-party UPI payment apps or included direct payment card checkout forms. The latter two methods bypassed Google's billing system, complicating refund efforts for victims. In one case, the apps fetched payment URLs dynamically from a Firebase realtime database, allowing operators to change the payment account at any time.
The apps garnered numerous negative reviews from victims who reported being scammed. It is unclear how the apps were promoted, but ESET suggests that the promise of accessing private information, combined with fake positive reviews, likely exploited users' curiosity. The campaign highlights the ongoing challenge of fraudulent apps on official app stores and the importance of user vigilance.
Google has removed all reported apps, but the incident underscores the need for continued monitoring and enforcement. Users are advised to be skeptical of apps that claim to provide access to private data, especially those requiring payment upfront. ESET's findings serve as a reminder that even apps on official stores can be malicious, and users should rely on trusted security solutions and reviews from verified sources.