vxlabs.

CallPhantom: 28 Fake Apps on Google Play Scammed 7.3 Million Users — India Was the Primary Target

By Sadique Sulaiman · Updated May 14, 2026

What if someone told you there's an app on the Google Play Store — not some shady APK from a random Telegram group, the actual Play Store — that can pull up the call history of any phone number you type in? SMS records. WhatsApp call logs. Everything.

Sounds too good to be true. Because it is.

On May 7, 2026, ESET published research exposing 28 fraudulent Android apps collectively downloaded over 7.3 million times on Google Play. The campaign, which ESET named CallPhantom, promised users access to call histories, SMS records, and WhatsApp call logs for any phone number — in exchange for a paid subscription. The catch? Every single piece of data the apps showed was completely fabricated. Random numbers paired with hardcoded names and fake timestamps. Not a single byte of real data.

And the worst part? 53.7% of all detections were in India. These apps came with +91 pre-selected. They accepted UPI payments. This scam was built specifically for the Indian market.

How It Was Discovered

The story starts in November 2025. A user on Reddit's r/IndiaTech subreddit posted about an app called "Call History of Any Number." The developer name listed on Google Play? "Indian gov.in" — deliberately designed to look like a government website, despite having zero association with the Indian government.

That post caught the attention of Lukáš Štefanko, a security researcher at ESET. As an App Defense Alliance partner (working directly with Google to identify malicious apps), Štefanko analyzed the app and uncovered not one, not five, but 28 fraudulent apps all running the same scam with different skins.

ESET reported all 28 apps to Google on December 16, 2025. By the time the research was published in May 2026, every app had been removed. But by then, one single app had already crossed 3 million downloads on its own.

How the Scam Worked

Here's what makes CallPhantom clever — it's incredibly simple. No malware. No exploits. No permission abuse. The apps didn't even request sensitive permissions. They didn't need to. The entire scam is psychological.

You open the app. Type in a phone number. The app pretends to "search" — loading animations, progress bars, the works. Then it shows you partial results: a few names, phone numbers, call durations. It looks real.

But ESET's code analysis revealed the truth: every piece of data was fabricated. Names like "Rahul," "Priya," and "Amit" were hardcoded directly in the source code. The app generated random phone numbers, slapped on fake timestamps and call durations, and presented it as real intelligence. That's the entire "technology" behind these apps.

To see the "full" history, you had to pay. Subscription tiers ranged from weekly to yearly, with prices from $6 to $80.

Two Clusters of Apps

ESET identified two distinct clusters:

Cluster 1 — Instant Fake Results: You type a number, the app immediately shows partial fake data generated from hardcoded templates. You pay to "unlock" the rest — which is just more fake data.

Cluster 2 — The Email Promise: These apps collect your email address, claiming they'll deliver the call history to your inbox. Nothing happens until you pay. And after you pay? Still nothing real.

One app even used a deceptive tactic: if you tried to close the app without paying, it would display a fake notification styled like an email alert — "Your call history report is ready!" — that led straight back to the subscription screen.

The Payment Problem

Three payment methods were used across the 28 apps, and this is where the damage gets real:

1. Google Play Billing: Some apps used Google's official subscription system. This is the "best case" for victims — Google can cancel these and sometimes issue refunds. When the apps were removed, active Play Billing subscriptions were automatically cancelled.

2. Third-party UPI Payments: Some apps redirected users to UPI apps — Google Pay, PhonePe, Paytm. The UPI payment links were either hardcoded or fetched dynamically from a Firebase Realtime Database, meaning the scammers could rotate receiving accounts at any time. Today the money goes to Account A, tomorrow Account B. This makes tracing and takedown significantly harder.

3. Direct Card Checkout: Some apps had credit/debit card forms built directly into the app. Users entering card numbers, CVVs — everything — inside a random Play Store app.

Methods 2 and 3 both violate Google Play's payments policy. More importantly, they make refunds nearly impossible. Google can't reverse a UPI transaction it never processed. Victims who paid through these channels are on their own — they'd need to contact their bank or payment provider directly.

Why India Was the Target

This wasn't a global scam that happened to catch some Indian users. This was engineered from the ground up for India:

  • 53.7% of all CallPhantom detections worldwide were in India
  • Apps came with the +91 country code pre-selected
  • UPI support built in — a payment system used almost exclusively in India
  • Hardcoded fake names in the source code were Indian names
  • Play Store reviews (both real angry ones and fake positive ones) were largely in Hindi and English

India has the largest Android user base in the world. UPI processes billions of transactions monthly. The combination of a massive Android population, widespread UPI adoption, and natural curiosity about other people's phone activity made India the perfect target market.

The apps also exploited trust in the Play Store itself. People assume that if an app is on Google Play, it's been vetted and is safe. The reality is that apps can and do slip through Google's review process — especially when they don't contain traditional malware or request dangerous permissions.

Technical Infrastructure

For those interested in the backend details:

  • The apps used Firebase Cloud Messaging for command-and-control communication
  • UPI payment URLs were stored in Firebase Realtime Databases, allowing dynamic account rotation
  • ESET mapped the campaign to MITRE ATT&CK technique T1643 (Generate Traffic from Victim) — because the victims initiated the fraudulent billing themselves
  • Full indicators of compromise (SHA-1 hashes, package names, Firebase domains, IPs) are available on ESET's GitHub repository
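
A static triage check for the payment behaviour described above (UPI links either hardcoded or fetched from a Firebase Realtime Database), written as an added example and not taken from ESET's tooling or from the apps themselves. It scans string constants extracted from a decompiled APK; the sample strings are constructed, and the verdict rules are a heuristic assumption that flags apps for manual review.

```python
import re
from urllib.parse import parse_qs, urlsplit

# UPI deep links use the form upi://pay?pa=<payee address>&pn=<name>&am=<amount>&cu=INR
UPI_LINK = re.compile(r"upi://pay\?[^\s\"'<>]+", re.IGNORECASE)
# Firebase Realtime Database hosts: <db>.firebaseio.com or <db>.<region>.firebasedatabase.app
RTDB_HOST = re.compile(
    r"https://([a-z0-9-]+(?:\.firebaseio\.com|\.[a-z0-9-]+\.firebasedatabase\.app))",
    re.IGNORECASE)
# Strings showing the app hands payment to a UPI app (scheme or well-known package names)
UPI_HINTS = ("upi://", "com.phonepe.app", "net.one97.paytm",
             "com.google.android.apps.nbu.paisa.user")
PLAY_BILLING = "com.android.billingclient"  # Google Play Billing Library namespace


def triage_payment_strings(strings):
    """Classify how an app takes payment from its extracted string constants."""
    payees, rtdb = set(), set()
    for s in strings:
        for link in UPI_LINK.findall(s):
            # "pa" is the payee address: the account that receives the money
            payees.update(parse_qs(urlsplit(link).query).get("pa", []))
        rtdb.update(h.lower() for h in RTDB_HOST.findall(s))
    blob = "\n".join(strings).lower()
    upi_ref = any(h in blob for h in UPI_HINTS)
    play_billing = PLAY_BILLING in blob
    if payees:
        verdict = "off-Play billing: hardcoded UPI payee"
    elif upi_ref and rtdb:
        # No payee in the APK, but UPI hand-off plus a remote database: rotation is possible
        verdict = "off-Play billing: UPI target likely fetched from Firebase"
    elif play_billing:
        verdict = "Play Billing only"
    else:
        verdict = "no payment indicators"
    return {"payees": sorted(payees), "rtdb_hosts": sorted(rtdb),
            "play_billing": play_billing, "verdict": verdict}


# Constructed samples (not taken from the real apps): one string set per case.
HARDCODED = ["Unlock full report",
             "upi://pay?pa=constructed.payee@examplebank&pn=Report&am=499.00&cu=INR"]
DYNAMIC = ["https://constructed-project-default-rtdb.firebaseio.com",
           "net.one97.paytm", "payment_url"]
PLAY_ONLY = ["com.android.billingclient.api.BillingClient", "weekly_plan"]

if __name__ == "__main__":
    for name, sample in (("hardcoded", HARDCODED), ("dynamic", DYNAMIC),
                         ("play-only", PLAY_ONLY)):
        print(name, triage_payment_strings(sample))
```

In the dynamic case the payee address never appears in the APK, so the Firebase host is the artifact worth recording and reporting.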

Known App Names and Package Identifiers

Here are the confirmed apps from ESET's research. All have been removed from Google Play, but if you side-loaded any of these or still have them installed from before removal, delete them immediately:

App Name | Package Name | Downloads
--- | --- | ---
Call history : any number deta | calldetaila.ndcallhisto.rytogetan.ynumber | 3M+
Call History of Any Number | com.pixelxinnovation.manager | 1M+
Call Details of Any Number | com.app.call.detail.history | 1M+
Call History Any Number Detail | sc.call.ofany.mobiledetail | 500K+
Call History Any Number Detail | com.cddhaduk.callerid.block.contact | 500K+
Call History Of Any Number | com.basehistory.historydownloading | 500K+
Call History of Any Numbers | com.call.of.any.number | 100K+
Call History Of Any Number | com.rajni.callhistory | 100K+
Call History Any Number Detail | com.callhistory.calldetails.callerids.callerhistory... | 100K+
Call History Any Number Detail | com.callinformative.instantcallhistory... | 100K+
Call History Any Number detail | com.call.detail.caller.history | 100K+
Call History Any Number Detail | com.anycallinformation.datadetailswho... | 100K+
Call History Any Number Detail | com.callhistory.callhistoryyourgf | 100K+
Call History Any Number | com.calldetails.smshistory.callhistoryofanynumber | 50K+

The full list of all 28 apps with SHA-1 hashes is available in ESET's WeLiveSecurity report and their GitHub IoC repository.

What You Should Do Right Now

Check your installed apps. If you have anything that claims to show call logs or SMS records for other people's numbers, delete it immediately.

Check your subscriptions. Open Google Play Store → tap your profile → Payments & subscriptions → Subscriptions. Look for anything you don't recognize and cancel it.

Check your UPI transaction history. Open Google Pay, PhonePe, or Paytm and look for payments to unfamiliar accounts around the time you might have used one of these apps.

If you paid via UPI or card inside the app: Google cannot help — you'll need to contact your bank or payment provider directly. For significant amounts, file a complaint on India's National Cyber Crime Reporting Portal.

Understand what's technically possible. No app can retrieve the call history of an arbitrary phone number. That data sits on telecom servers and is legally protected. If an app promises this, it's lying. The same applies to apps claiming to show who viewed your WhatsApp profile, who blocked you, or who screenshot your stories — if the platform itself doesn't offer it, no third-party app can either.

The Bigger Picture

28 apps. 7.3 million downloads. Months on the Google Play Store. One developer name designed to impersonate the Indian government. And it all slipped through.

Google's review process, Play Protect, the entire safety infrastructure — it missed all of them. It took an external researcher from ESET, tipped off by a Reddit post, to flag these apps. And even after ESET reported them in December 2025, it took time for them all to come down.

This scam didn't need zero-day exploits. It didn't need remote code execution. It didn't need to bypass Android's permission system. It just needed a convincing promise, a Play Store listing, and a payment screen. That's it. And it worked 7.3 million times.

Share this with your family and friends — especially the people who install apps without thinking twice. The next scam like this is already being built.


Sources: ESET WeLiveSecurity · The Hacker News · Help Net Security · ESET GitHub IoC