Millions of Android users downloaded apps promising something that should be impossible: the full call, SMS and even WhatsApp call history for any phone number. Those apps existed on Google Play. The call logs did not.
Security researchers at ESET uncovered 28 fraudulent apps — grouped under the name CallPhantom — that together accumulated more than 7.3 million installs before Google removed them. The scheme was simple, shameless and alarmingly effective: lure curiosity, ask for payment, then show fabricated results.
The trick, in plain sight
CallPhantom apps came in different skins but used the same core mechanics. A user types a phone number, the app teases a lookup, then prompts for payment to “unlock” the history. Some apps generated and displayed a handful of fake entries pulled from hardcoded names, timestamps and templates embedded in the code; others asked for an email address and promised the results would be sent there after paying. In both cases the data was fake — randomly generated phone numbers or fixed entries masquerading as real logs.
One particularly bold touch: at least one publisher listed themselves as “Indian gov.in” to feign trust. Many of the apps set India’s +91 country code as the default and integrated India-centric payment methods, suggesting the campaign targeted users in India and the wider Asia-Pacific region.
ESET researcher Lukáš Štefanko says the campaign appears to have been active since at least November 2025, and that deceptive UI elements were used to squeeze more payments — for example, fake “new email” notifications that would bring users back to a subscription screen if they tried to leave.
How victims were charged
Operators used three payment approaches:
- Google Play’s official billing (subscriptions). These purchases are subject to Google’s refund mechanisms.
- Third‑party payment apps supporting UPI (popular in India), such as Google Pay, PhonePe and Paytm — integration was sometimes hardcoded or fetched dynamically from remote config, allowing operators to switch accounts.
- Direct card checkout forms built into the apps themselves.
The last two methods violate Play Store payments policy and make refunds harder or impossible through Google. Subscription prices ranged widely — from around €5 for the cheapest tiers to as much as US$80 for high-end offerings.
Why Play Store approval matters — and how it still fails
These apps didn’t request intrusive Android permissions because they didn’t need them: there was no real capability to retrieve someone else’s call or message records. Instead the fraud relied on social engineering and a veneer of legitimacy — screenshots, a basic UI and some fake positive reviews.
The episode is a reminder that even the official app store can serve as a megaphone for scams if malicious publishers slip through review. (For background on Google’s broader Play Store policy struggles and sideloading debate, see how Google is reshaping sideloading rules and Play features in recent updates.)
What ESET found under the hood
ESET’s analysis lists the 28 offending package names, sample APK hashes and even network infrastructure details. The apps used Firebase realtime databases for remote configuration and command-and-control, which allowed the operators to change payment links or behavior after deployment.
After ESET reported the apps as an App Defense Alliance partner, Google removed the flagged packages.
If you paid: practical next steps
- If you subscribed through Google Play billing: open the Play Store, tap your profile → Payments & subscriptions → Subscriptions and cancel any active subscriptions. You may be eligible for a refund under Google’s policies depending on timing and payment method.
- If you paid via a third‑party UPI app or entered card details inside the app: Google cannot issue refunds for those transactions. Contact the payment provider (your bank, UPI app or card issuer) and file a dispute. If the payment went through a third‑party UPI account, reach out to the UPI service for guidance.
- Keep an eye on bank and card statements for unauthorised charges and report suspicious activity immediately.
A few practical defenses
Curiosity is human, but some red flags should stop you cold:
- Any app claiming to reveal another person’s private call or message history is selling a fantasy. No legitimate app can lawfully or technically provide that for arbitrary numbers.
- Check payment flows: if an app asks you to leave Play and use an external checkout or a third‑party payment link, be suspicious.
- Read reviews carefully and look for repeated complaints about scams or hidden subscriptions.
If you want a safer app ecosystem, Google’s ongoing Play changes matter — both the store’s internal policies and the broader sideloading debate shape how easily scams can spread and how quickly victims can get refunds. You can read more about Google Play’s evolving features and policy shifts in recent coverage of Play’s new initiatives and sideloading roadmap.
CallPhantom wasn’t advanced malware; it was social engineering wrapped in a low-effort shell. That made it cheaper to run and, sadly, effective at scale. The clean takeaway: when an app promises something that sounds illegal or too good to be true, treat it like a red flag — and when in doubt, don’t hand over your payment details.
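The static traits described above (a call-history claim with no call-log permission behind it, hardcoded UPI payment links, a Firebase Realtime Database endpoint) can be combined into a simple triage check for app reviewers. The sketch below is an added example, not ESET's tooling; the regexes, function names and both sample apps are constructed for illustration.

```python
import re

# Heuristics derived from the traits the article describes. All patterns,
# names and sample data here are constructed for this example.
CLAIM = re.compile(r"(call|sms|whatsapp)[ -]?(history|log|details)", re.I)
UPI_LINK = re.compile(r"upi://pay\?[^\s\"'<>]+", re.I)
FIREBASE_RTDB = re.compile(
    r"https://[a-z0-9.-]+\.(?:firebaseio\.com|firebasedatabase\.app)", re.I)
CALL_DATA_PERMS = {"android.permission.READ_CALL_LOG",
                   "android.permission.READ_SMS"}

def triage(listing_text, permissions, strings):
    """Return finding tags for one app, given its store listing text,
    manifest permissions and strings extracted from the APK."""
    findings = []
    # The app advertises call/SMS history yet requests nothing that could
    # read even the local device's records.
    if CLAIM.search(listing_text) and not (CALL_DATA_PERMS & set(permissions)):
        findings.append("capability-mismatch")
    blob = "\n".join(strings)
    if UPI_LINK.search(blob):       # payment routed outside Play billing
        findings.append("hardcoded-upi-link")
    if FIREBASE_RTDB.search(blob):  # behaviour can change after review
        findings.append("firebase-rtdb")
    return findings

def needs_review(findings):
    """A mismatch alone is weak evidence; escalate only when it is paired
    with a payment or remote-config signal."""
    return "capability-mismatch" in findings and len(findings) > 1

# Constructed sample inputs (placeholder identifiers, not real indicators).
SUSPECT = dict(
    listing_text="Get call history of any number",
    permissions=["android.permission.INTERNET"],
    strings=["upi://pay?pa=placeholder@upi&pn=Placeholder&am=1.00",
             "https://placeholder-app-default-rtdb.firebaseio.com"])
DIALER = dict(
    listing_text="Dialer with call log backup",
    permissions=["android.permission.READ_CALL_LOG"],
    strings=["https://placeholder-dialer.firebaseio.com"])

if __name__ == "__main__":
    for name, app in (("suspect", SUSPECT), ("dialer", DIALER)):
        found = triage(**app)
        print(name, found, "REVIEW" if needs_review(found) else "ok")
```

Firebase use on its own is common in legitimate apps, which is why the dialer sample is not escalated.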




