-
ESET researchers exposed 28 fraudulent Android apps, collectively tagged as CallPhantom, that deceived over 7.3 million users into paying for entirely fabricated call history data.
-
The apps promised access to call records, SMS logs, and WhatsApp histories for any phone number, but delivered only randomly generated fake data after collecting payment.
-
Google removed all identified apps following ESET’s report, but researchers warn that more such apps likely still exist.
App stores have become a hunting ground for scammers, and millions of Android users just learned that the hard way. Slovak cybersecurity firm ESET has exposed a network of 28 fraudulent apps that collected payments by promising something they could never deliver: access to anyone’s call history.
ESET Uncovers 28 Fraudulent Apps with 7.3 Million Downloads
ESET researchers identified the apps collectively as CallPhantom. These apps claimed they could retrieve call histories, SMS records, and even WhatsApp call logs for any phone number a user supplied.
According to ESET, the 28 apps primarily targeted Android users in India and the broader Asia-Pacific region, racking up more than 7.3 million downloads combined, with one single app accounting for over 3 million of those downloads.
ESET reported its findings to Google, and the tech giant removed all identified apps from the Play Store shortly after. Researchers caution, however, that more such apps likely remain undetected.
The investigation started in November when ESET came across a Reddit post about an app called Call History of Any Number. The app carried the developer name “Indian gov.in,” suggesting a link to the Indian government, though no such association existed.
The Apps Sold Fabricated Data and Bypassed Google’s Payment System
ESET’s analysis revealed that every piece of “call history” the apps delivered was entirely made up. The apps generated random phone numbers and paired them with fixed names, call durations, and timestamps, all embedded directly into the code. Users only saw this fabricated data after completing payment.
According to ESET, the apps featured a simple interface and requested no sensitive or intrusive permissions from users. That was by design. The apps contained no real functionality capable of retrieving actual call records, SMS logs, or WhatsApp data. Everything was theater.
Some CallPhantom apps also bypassed Google Play’s official billing system, making it significantly harder for victims to request refunds. Three separate payment methods appeared across the apps, and several relied on third-party platforms supporting UPI, a payment system widely used in India.
The apps offered weekly, monthly, and yearly subscription plans, with prices ranging from an average of €5 (roughly $5.90) at the lowest tier to as high as $80 at the top. Negative reviews flooded the apps quickly, with users reporting they had been scammed and never received the promised data.
The impact of this scam adds to a concerning trend of large-scale user data exposures. Aura, a security company, recently suffered a data breach exposing 900,000 users’ personal information after a successful phishing attack, a reminder that even security-focused companies are not immune.
Scammers Exploited Curiosity and Planted Fake Positive Reviews
ESET noted that the scam worked precisely because it tapped into something universal: human curiosity about private information. Researchers say scammers boosted credibility by adding fake five-star reviews to make the service look legitimate. Curiosity, combined with manufactured social proof, did the rest.
The CallPhantom case adds to a growing list of scam apps that slip through app store screening. The lesson for users is straightforward. Any app promising access to someone else’s private records is a red flag, not a feature. No legitimate tool can do that; paying for one will only give you a receipt, nothing more.
