VYPR
breachPublished May 8, 2026· Updated May 17, 2026· 1 source

"CallPhantom" Android Scam Apps Defrauded Millions with Fake Data Promises

A campaign of 28 fraudulent Android apps, downloaded over 7.3 million times, tricked users into paying for fake call history data before being removed from the Google Play Store.

A campaign of 28 fraudulent Android applications, collectively downloaded over 7.3 million times from the Google Play Store, has been identified as a sophisticated scheme to defraud users through fake services. Dubbed "CallPhantom" by researchers at ESET, the campaign primarily targeted users in India and the broader Asia-Pacific region, operating since at least November 2025 The Hacker News.

The applications functioned by promising users the ability to access sensitive information, such as call histories, SMS records, and WhatsApp logs, for any phone number. To gain access to these non-existent features, users were prompted to make payments. Once the financial transaction was completed, the apps provided only randomly generated, fabricated data that was hardcoded into the software, rather than any legitimate records The Hacker News.

The threat actors employed various deceptive tactics to gain user trust, including publishing at least one application under the developer name "Indian gov.in" to masquerade as an official government utility. The apps utilized two primary methods to extract money: some leveraged the official Google Play Store billing system for recurring subscriptions, while others utilized third-party platforms supporting Unified Payment Interface (UPI) transactions The Hacker News.

In a secondary variation of the scam, some apps required users to input their email addresses, promising that the requested call logs would be delivered to their inbox. Similar to the primary method, these apps withheld all data until a payment was processed, at which point the victim received nothing of value. The scale of the operation was significant, with one individual app accounting for more than 3 million of the total 7.3 million downloads The Hacker News.

Following the discovery by ESET, the 28 identified applications have been removed from the Google Play Store. While the specific list of removed packages includes titles such as "Call History Pro" and various iterations of "Call History of Any Number," the incident highlights the ongoing challenge of malicious actors exploiting the trust users place in mobile app marketplaces The Hacker News.

This campaign underscores a persistent trend in mobile threat landscapes where attackers leverage social engineering and the promise of illicit data access to monetize fraudulent services. As these apps often mimic legitimate utility tools, users are encouraged to exercise caution regarding apps that claim to provide unauthorized access to private communication data, as such services are inherently suspicious and frequently serve as vehicles for financial fraud The Hacker News.

Synthesized by Vypr AI