Cybersecurity researchers have recently unearthed a troubling trend involving fraudulent applications on the official Google Play Store for Android devices. These deceptive apps falsely advertised their ability to grant users access to call histories for any phone number, ultimately luring them into subscription services that delivered nothing but fabricated data and financial losses.
Scope of the Fraudulent Activity
The investigation, led by the Slovakian cybersecurity firm ESET, has identified a total of 28 apps that have amassed over 7.3 million downloads, with one app alone accounting for more than 3 million of those. The operation, dubbed CallPhantom, primarily targeted Android users in India and the wider Asia-Pacific region.
ESET security researcher Lukáš Štefanko elaborated on the findings, stating, “The offending apps, which we named CallPhantom based on their false claims, purport to provide access to call histories, SMS records, and even WhatsApp call logs for any phone number. To unlock this supposed feature, users are asked to pay — but all they get in return is randomly generated data.”
List of Identified Apps
- Call history : any number deta (calldetaila.ndcallhisto.rytogetan.ynumber)
- Call History of Any Number (com.pixelxinnovation.manager)
- Call Details of Any Number (com.app.call.detail.history)
- Call History Any Number Detail (sc.call.ofany.mobiledetail)
- Call History Any Number Detail (com.cddhaduk.callerid.block.contact)
- Call History Of Any Number (com.basehistory.historydownloading)
- Call History of Any Numbers (com.call.of.any.number)
- Call History Of Any Number (com.rajni.callhistory)
- Call History Any Number Detail (com.callhistory.calldetails.callerids.callerhistory.callhostoryanynumber.getcall.history.callhistorymanager)
- Call History Any Number Detail (com.callinformative.instantcallhistory.callhistorybluethem.callinfo)
- Call History Any Number detail (com.call.detail.caller.history)
- Call History Any Number Detail (com.anycallinformation.datadetailswho.callinfo.numberfinder)
- Call History Any Number Detail (com.callhistory.callhistoryyourgf)
- Call History Any Number (com.calldetails.smshistory.callhistoryofanynumber)
- Call History Any Number Detail (com.callhistory.anynumber.chapfvor.history)
- Call History of Any Number (com.callhistory.callhistoryany.call)
- Call History Any Number Detail (com.name.factor)
- Call History Of Any Number (com.getanynumberofcallhistory.callhistoryofanynumber.findcalldetailsofanynumber)
- Call History Of Any Number (com.chdev.callhistory)
- Phone Call History Tracker (com.phone.call.history.tracke)
- Call History- Any Number Deta (com.pdf.maker.pdfreader.pdfscanner)
- Call History Of Any Number (com.any.numbers.calls.history)
- Call History Any Number Detail (com.callapp.historyero)
- Call History – Any Number Data (all.callhistory.detail)
- Call History For Any Number (com.easyranktools.callhistoryforanynumber)
- Call History of Numbers (com.sbpinfotech.findlocationofanynumber)
- Call History of Any Number (callhistoryeditor.callhistory.numberdetails.calleridlocator)
- Call History Pro (com.all_historydownload.anynumber.callhistorybackup)
In a particularly alarming twist, at least one of these apps was published under the developer name “Indian gov.in,” a tactic designed to foster a false sense of trust among potential users. The apps prompted users to make payments to access details of a phone number’s call and SMS history. However, once payment was made, users received nothing more than fictitious phone numbers and names embedded within the app’s source code. Evidence suggests that this fraudulent activity may have been ongoing since at least November 2025.
Payment Methods and User Experience
A second cluster of these deceptive applications required users to input their email addresses, promising to send the purported details of any phone number to them. Yet, similar to the first group, no data was generated until a payment was made. Payments could be processed through the Google Play Store’s official billing system or via third-party applications that support Unified Payments Interface (UPI), a popular instant payment system in India. Notably, this list included well-known platforms such as Google Pay, PhonePe, and Paytm. Some apps also employed direct payment card checkout forms, which violate Google’s policy.
In one instance, the apps used a clever ruse to encourage payment. If a user attempted to exit the app without subscribing, a deceptive notification would appear, claiming that a call history for a specific phone number had been successfully sent to their email. Clicking on this notification redirected users to a subscription screen.
The subscription plans varied widely, ranging from approximately to . Users who may have fallen victim to this scam should have their subscriptions canceled following the removal of the apps from the Google Play Store.
What is particularly striking about this operation is that the apps featured a simple user interface and did not request sensitive permissions, further enhancing their deceptive appeal. Additionally, they lacked any real functionality to retrieve call, SMS, or WhatsApp data.
ESET noted, “Users who subscribed via official Google Play billing may be eligible for refunds under Google’s refund policies. However, purchases made through third-party payment apps or direct payment card entry cannot be refunded by Google, leaving users reliant on external payment providers or developers.”
This revelation arrives amid reports from Group-IB, which indicated that malicious actors have swindled an estimated million from Indonesian users through a similar fraud campaign. This operation involved impersonating trusted brands, including the country’s tax platform, CoreTax, and has been linked to a financially motivated threat cluster known as GoldFactory.
Group-IB detailed that the attack chain integrates various tactics, including phishing websites, social engineering via WhatsApp, malicious APK sideloading, and voice phishing (vishing) to achieve full device compromise and unauthorized financial transactions. The infrastructure supporting this fraud campaign is not limited to a single impersonated service; it has been observed abusing over 16 trusted brands, collectively targeting Indonesia’s population of approximately 287 million.
