
Cybersecurity researchers have discovered fraudulent apps on the official Google Play Store for Android that pretend to provide access to the call history of any phone number, only to trick users into signing up for a subscription that returns fake data and incurs financial loss.
The 28 apps had a total of more than 7.3 million downloads, and just one of them had more than 3 million downloads before being removed from official app stores. The operation, codenamed CallPhantom by Slovak cybersecurity firm ESET, primarily targeted Android users in India and the wider Asia-Pacific region.
“The app in question, named CallPhantom based on false claims, purports to provide access to call history, SMS records, and even WhatsApp call records for any phone number,” ESET security researcher Lukas Stefanko said in a report shared with The Hacker News. “To unlock this supposed functionality, users will be asked to pay a fee, but all they will get in return is randomly generated data.”
The list of identified apps is below –

At least one of the reported apps was published under the developer name ‘Indian gov.in’ with the aim of building a false sense of trust and tricking unsuspecting users into downloading it.
However, the scheme’s real motive is to get the victim to pay to view the call and SMS history details of the number. Once the payment is completed, the user is given a completely fabricated phone number and name that are embedded directly in the source code. Evidence suggests the activity may have been under way since at least November 2025.
A second cluster of these apps was found asking users to enter an email address where phone number details would be sent. As in the previous case, no data is generated until payment is made.
Payment is taken in one of three ways. The first is a subscription through the Google Play Store’s official billing system. The second goes through third-party apps that support Unified Payments Interface (UPI), a widely used instant payment system in India; ironically, this list includes Google Pay, Walmart-backed PhonePe, and Paytm. The third uses a payment card checkout form directly within the app. The last two approaches violate Google’s policies.
In at least one case, the app implemented additional tricks to prompt users to pay. If the user exits the app without making payment, they receive a deceptive notification claiming that the call history of a particular phone number has been successfully sent to their email address. Clicking on the notification takes the user directly to the subscription screen.
Subscription plans vary by app and range from approximately $6 to $80. Users who may have fallen prey to the scam had to cancel their subscriptions after the app was removed from the Google Play Store.
What makes this activity notable is that the app has a simple user interface and does not request sensitive permissions. What’s more, it doesn’t even include the ability to retrieve calls, SMS, and WhatsApp data.
“Users who purchased a subscription through Google Play’s official billing may be eligible for a refund based on Google’s refund policy,” ESET said. “Purchases made through third-party payment apps or direct payment card entry will not be reimbursed by Google and will leave you reliant on an external payment provider or developer.”
The disclosure comes as Group-IB said bad actors stole an estimated $2 million from users in Indonesia as part of a fraud campaign posing as the country’s tax platform CoreTax and other trusted brands. This campaign, which began in July 2025, is associated with a financially motivated threat cluster called GoldFactory.

“The attack chain integrates phishing websites, social engineering (WhatsApp), malicious APK sideloading, and voice phishing (vishing) to compromise the entire device and perform unauthorized transfers,” Group-IB said.
Broadly speaking, these attacks involve using social engineering to distribute fake apps via WhatsApp, which, once installed, deploy Android malware such as Gigabud RAT, MMRat, and Taotie that can collect sensitive data or download additional components. Stolen information can be used for account takeover attacks and financial theft.
“The malware infrastructure supporting this fraud campaign is not limited to a single impersonation service; the same infrastructure has been observed actively exploiting more than 16 trusted brands, collectively targeting a broad population of Indonesia, approximately 287 million people,” Group-IB said.
