The Scope of the CallPhantom Campaign
Cybersecurity researchers at ESET, a Slovakian security firm, uncovered a sprawling network of 28 fraudulent applications on the official Google Play Store. These apps collectively accumulated over 7.3 million installations before their removal. One single application accounted for more than 3 million downloads alone. The operation, internally codenamed CallPhantom, primarily focused on Android users in India and the broader Asia-Pacific region.
ESET security researcher Lukáš Štefanko documented the findings. He explained that these fake call history apps promised access to call logs, SMS records, and even WhatsApp call history for any phone number. Users only needed to pay a fee to unlock this feature. In reality, the apps delivered nothing but randomly generated data pulled from hardcoded source code.
The activity may have been active since at least November 2025. That timeline suggests the scammers operated undetected for many months before researchers flagged the behavior to Google.
The Mechanics Behind the Scam
Understanding how these fake call history apps operated helps illustrate why so many people fell victim. The apps presented a simple, clean interface. They did not request any sensitive permissions from the device. That alone made them harder to flag as malicious compared to apps that ask for contacts, camera, or microphone access.
A user would enter a phone number they wanted to investigate. The app would then display a prompt asking for payment to reveal the call history details. Once the user completed the transaction, the app served up fabricated phone numbers and names. These fake records were embedded directly into the application’s source code. No real data ever existed behind the paywall.
Two Distinct App Clusters
ESET identified two separate approaches among the fraudulent apps. The first cluster operated exactly as described above. Users paid, and the app showed fake call logs within the interface.
The second cluster worked slightly differently. These apps asked users to enter their email address. The app claimed it would send the call history details to that email inbox. Again, no data was generated until a payment was made. After payment, the same fabricated records were delivered via email or simply displayed on screen. The email collection tactic added a layer of false legitimacy, making the scam feel more official to unsuspecting victims.
Deceptive Developer Names and False Trust
At least one of the flagged apps was published under the developer name Indian gov.in. This was a deliberate attempt to build a false sense of authority and trust. Many users in India would naturally assume an app from a developer with that name had some official government backing. The scammers exploited that assumption ruthlessly.
This tactic is not new in the world of online fraud, but it remains effective. People are more likely to trust something that appears to come from a recognized institution. The scammers understood this psychological shortcut and weaponized it to drive downloads and payments.
Payment Methods and Subscription Traps
The fake call history apps used three distinct payment methods to collect money from victims. Each method carried its own risks for the user and its own violations of Google’s policies.
Google Play Store Official Billing
Some apps used Google Play Store’s official subscription billing system. This meant payments went through Google’s own infrastructure. Subscription plans ranged from about $6 to $80, depending on the app and the duration of access promised. Users who subscribed through this method could theoretically request refunds through Google, though the process is not always straightforward.
Third-Party UPI Apps
Other apps relied on third-party Unified Payments Interface (UPI) applications. The list included Google Pay, PhonePe, and Paytm. These are widely used payment platforms in India. The apps would redirect users to these UPI services to complete transactions. This approach violated Google’s policy because it circumvented the Play Store’s own billing system. Google typically takes a 15 to 30 percent cut of in-app purchases, so apps that bypass this system also cost Google revenue.
Payment Card Checkout Forms
A third method involved embedded payment card checkout forms directly inside the apps. Users entered their credit or debit card details into forms that appeared to be part of the app itself. This approach posed significant security risks. Users had no guarantee that their card information was encrypted or handled securely. This method also violated Google’s payment policies.
Deceptive Notifications and Psychological Pressure
Some apps employed an additional trick to convert hesitant users into paying customers. If a user exited the app without completing a payment, the app would display a deceptive notification. The notification claimed that the call history had been sent to the user’s email address. Curious users would tap the notification, which redirected them straight to a subscription screen.
This tactic exploited the user’s curiosity and fear of missing out. The notification created the impression that data existed and was waiting for them. In reality, no data was ever generated until payment occurred. The notification was nothing more than a lure designed to drag users back into the payment funnel.
The Full List of Identified Apps
ESET published the complete list of 28 apps involved in the CallPhantom campaign. While the apps have been removed from the Google Play Store, knowing their names helps users check whether they may have downloaded one in the past. The apps included variations of names like Call History of Any Number, Call Details of Any Number, Phone Call History Tracker, and Call History Pro. Several apps had nearly identical names, making it difficult for users to distinguish legitimate tools from fraudulent ones.
Some of the package names listed by ESET included com.pixelxinnovation.manager, com.app.call.detail.history, com.basehistory.historydownloading, and com.call.of.any.number. The full list contains many more, all following similar naming conventions. If you downloaded any app claiming to show call history for any number around late 2025 or early 2026, it is worth checking your download history against this list.
What Makes These Apps Particularly Dangerous
The fake call history apps in the CallPhantom campaign were dangerous for several reasons beyond the obvious financial loss. First, they did not request sensitive permissions. Most security advice tells users to be wary of apps that ask for too many permissions. These apps asked for almost none. That made them fly under the radar of both users and automated security scanners.
Second, the apps used official Google Play Store infrastructure for distribution. Users generally trust the Play Store to screen apps for malicious behavior. While Google does have security measures like Google Play Protect, determined scammers often find ways to slip through. This incident shows that the Play Store is not a perfect filter.
Third, the financial damage could accumulate. Subscription plans ranged up to $80. Some users may have subscribed to multiple apps before realizing the scam. Others may have forgotten to cancel recurring subscriptions, leading to repeated charges over several months.
Protecting Yourself from Similar Scams
While Google has removed these specific apps, similar scams will almost certainly appear again. The CallPhantom campaign demonstrates a profitable blueprint that other fraudsters may copy. Here are practical steps to avoid falling victim to similar schemes in the future.
Question Impossible Promises
Any app that claims to provide call history, SMS records, or WhatsApp logs for any phone number is making an impossible promise. Mobile carriers do not make this data publicly available. WhatsApp does not expose call logs to third parties. If an app claims to do something that seems technically impossible, it is almost certainly a scam. Trust your skepticism.
You may also enjoy reading: Norway’s $2.2 Trillion Sovereign Wealth Fund Sees 1.9% Loss.
Check Developer Reputation
Before downloading any app, check the developer’s name and history. A developer named Indian gov.in or similar official-sounding names should raise red flags. Legitimate government apps are typically published under verified developer accounts with clear documentation. Look for apps with a long history of positive reviews and a substantial number of downloads. Be especially cautious of apps from developers with no other published apps or with newly created accounts.
Read Reviews Carefully
User reviews can reveal a lot about an app’s true nature. Look for reviews that mention fake data, unexpected charges, or deceptive behavior. Be aware that scammers sometimes post fake positive reviews to boost their app’s rating. Focus on recent reviews and look for patterns in negative feedback. If multiple users report the same problem, take it seriously.
Avoid Apps That Require Payment for Impossible Features
If an app asks for money to unlock a feature that seems too good to be true, pause before entering any payment information. Ask yourself whether the feature is technically feasible. For call history access, the answer is almost always no. No legitimate app can provide call logs for any arbitrary phone number. The only entity that has that data is the mobile carrier, and they do not sell it through Play Store apps.
Monitor Your Subscriptions
Regularly check your Google Play Store subscriptions. Open the Play Store app, tap your profile icon, select Payments and subscriptions, then Subscriptions. Review the list of active subscriptions. If you see any that you do not recognize or did not intentionally sign up for, cancel them immediately. You can also request refunds for fraudulent charges through Google’s support system.
What to Do If You Were Affected
If you downloaded one of the CallPhantom apps and made a payment, take action promptly. The apps have been removed from the Play Store, and subscriptions should have been canceled as part of that removal. However, it is wise to verify this yourself.
Check your Google Play Store subscriptions list to confirm no active subscriptions remain. If you find one still active, cancel it and request a refund. Google’s refund policy for fraudulent apps typically favors the user, especially when the app has been removed for policy violations.
If you used a third-party UPI app like Google Pay, PhonePe, or Paytm, check your transaction history. Look for any payments to developers you do not recognize. You can report fraudulent transactions through the UPI app’s support channels. In India, you can also file a complaint with the National Cyber Crime Reporting Portal at cybercrime.gov.in.
If you entered credit or debit card details into an embedded checkout form inside one of these apps, monitor your bank statements closely for unauthorized charges. Consider contacting your bank to request a new card if you are concerned about your card details being compromised. The apps may have stored your payment information insecurely.
Finally, run a security scan on your Android device using a reputable mobile security app. While the CallPhantom apps did not request sensitive permissions and did not appear to install malware, it is better to be safe. A scan can detect any other suspicious apps that may have been installed alongside or after the fraudulent one.
The Broader Implications for Android Security
The CallPhantom campaign highlights a persistent challenge for the Android ecosystem. Google Play Store remains the most trusted source for Android apps worldwide. Yet malicious apps continue to slip through security checks. The 7.3 million downloads in this campaign represent a significant number of potential victims.
Google has improved its app review processes over the years. Google Play Protect scans billions of apps daily. But scammers adapt quickly. They create apps that do not request permissions, that use simple interfaces, and that hide their true purpose until after payment. These characteristics make them harder to detect through automated scanning alone.
For users, the lesson is clear. Trust in the Play Store must be balanced with personal vigilance. No platform can guarantee 100 percent safety. Developing a healthy skepticism toward apps that promise extraordinary capabilities is the best defense.
The ESET report serves as a valuable reminder that cybersecurity threats often hide in plain sight. The apps looked ordinary. They had simple names and straightforward interfaces. They did not trigger any obvious alarms. Yet behind that ordinary appearance lay a well-organized scheme designed to extract money from unsuspecting users.
As mobile payment systems become more integrated into everyday life, scams like CallPhantom will likely become more common. The combination of easy payments through UPI and the trust users place in official app stores creates a fertile environment for fraud. Staying informed about current threats and maintaining cautious habits are the best ways to protect yourself and your family.
If you have any doubts about an app, do not download it. If an app asks for payment for an impossible feature, do not pay. And if you suspect you have already been affected, take the steps outlined above to limit the damage. The 7.3 million downloads in this campaign show that many people were caught off guard. With greater awareness, you can avoid becoming part of the next statistic.
