Security experts have uncovered a collection of deceptive applications on Google’s official Android app marketplace that promised users the ability to view call logs for any phone number. In reality, these apps lured people into paying for subscriptions that delivered nothing but fabricated information, resulting in monetary losses for victims.
Together, these 28 applications accumulated over 7.3 million installations, with a single app surpassing 3 million downloads before Google removed them from the Play Store. The campaign, labeled CallPhantom by ESET, a cybersecurity firm based in Slovakia, mainly affected Android users across India and the wider Asia-Pacific area.
“We identified these apps as CallPhantom due to their misleading promises. They claim to offer access to call logs, text messages, and even WhatsApp call records for any given phone number,” explained ESET researcher Lukáš Štefanko in a report provided to The Hacker News. “To access this alleged feature, users must pay, but they only receive randomly generated fake data in return.”
The following is the complete list of identified applications –
- Call history : any number deta (calldetaila.ndcallhisto.rytogetan.ynumber)
- Call History of Any Number (com.pixelxinnovation.manager)
- Call Details of Any Number (com.app.call.detail.history)
- Call History Any Number Detail (sc.call.ofany.mobiledetail)
- Call History Any Number Detail (com.cddhaduk.callerid.block.contact)
- Call History Of Any Number (com.basehistory.historydownloading)
- Call History of Any Numbers (com.call.of.any.number)
- Call History Of Any Number (com.rajni.callhistory)
- Call History Any Number Detail (com.callhistory.calldetails.callerids.callerhistory.callhostoryanynumber.getcall.history.callhistorymanager)
- Call History Any Number Detail (com.callinformative.instantcallhistory.callhistorybluethem.callinfo)
- Call History Any Number detail (com.call.detail.caller.history)
- Call History Any Number Detail (com.anycallinformation.datadetailswho.callinfo.numberfinder)
- Call History Any Number Detail (com.callhistory.callhistoryyourgf)
- Call History Any Number (com.calldetails.smshistory.callhistoryofanynumber)
- Call History Any Number Detail (com.callhistory.anynumber.chapfvor.history)
- Call History of Any Number (com.callhistory.callhistoryany.call)
- Call History Any Number Detail (com.name.factor)
- Call History Of Any Number (com.getanynumberofcallhistory.callhistoryofanynumber.findcalldetailsofanynumber)
- Call History Of Any Number (com.chdev.callhistory)
- Phone Call History Tracker (com.phone.call.history.tracke)
- Call History- Any Number Deta (com.pdf.maker.pdfreader.pdfscanner)
- Call History Of Any Number (com.any.numbers.calls.history)
- Call History Any Number Detail (com.callapp.historyero)
- Call History – Any Number Data (all.callhistory.detail)
- Call History For Any Number (com.easyranktools.callhistoryforanynumber)
- Call History of Numbers (com.sbpinfotech.findlocationofanynumber)
- Call History of Any Number (callhistoryeditor.callhistory.numberdetails.calleridlocator)
- Call History Pro (com.all_historydownload.anynumber.callhistorybackup)
One of the suspicious apps was uploaded under the developer name “Indian gov.in” to create a false impression of legitimacy and deceive users into installing it.
However, this disguise conceals a malicious intent: victims are prompted to pay in order to view call and SMS details for any phone number. After payment, they receive entirely made-up phone numbers and names hardcoded into the app’s source code. Evidence suggests this scheme has been operating since at least November 2025.
A second group of these apps was found to ask users for their email address, promising to send the requested phone number details there. Just like the previous scenario, no data is produced until payment is completed.
Payments were processed either through subscriptions via Google Play’s official billing system or through third-party apps supporting Unified Payments Interface (UPI), a popular instant payment method in India. Ironically, this includes Google Pay, Walmart-owned PhonePe, and Paytm. A third option involved payment card checkout forms embedded directly within the apps. The latter two methods violate Google’s policies.
In at least one instance, the apps employed an additional tactic to pressure users into paying. If someone tried to leave the app without paying, it would show a fake notification claiming that call history for a specific phone number had been successfully emailed to them. Tapping the notification would redirect the user straight to a subscription page.
Subscription costs varied between apps, ranging from roughly $6 to $80. Users who fell victim to this scam should have had their subscriptions terminated once the apps were removed from Google Play.
What sets this campaign apart is that the apps featured a straightforward interface and did not request any sensitive permissions. To make matters worse, they lacked any actual functionality to retrieve call, SMS, or WhatsApp data.
“Users who subscribed through Google Play’s official billing may qualify for refunds under Google’s refund policy,” ESET noted. “However, purchases made via third-party payment apps or direct card entry cannot be refunded by Google, leaving users reliant on external payment providers or the developers themselves.”
This revelation follows Group-IB’s report that threat actors have stolen an estimated $2 million from Indonesian users through a fraud campaign impersonating the country’s tax platform, CoreTax, and other trusted brands. The campaign, which started in July 2025, has been attributed to a financially driven threat group known as GoldFactory.
“The attack chain combines phishing websites, social engineering via WhatsApp, malicious APK sideloading, and voice phishing (vishing) to achieve full device compromise and execute unauthorized transfers,” Group-IB stated.
Broadly speaking, these attacks use social engineering to spread fake apps through WhatsApp. Once installed, they deploy Android malware such as Gigabud RAT, MMRat, and Taotie, which can harvest sensitive data and download additional payloads. The stolen information is then leveraged for account takeover attacks and financial fraud.
“The malware infrastructure behind this fraud campaign is not confined to a single impersonated service. The same infrastructure has been seen actively abusing more than 16 trusted brands, collectively targeting Indonesia’s population of approximately 287 million,” Group-IB added.
