Emerging ThreatsMalware & Ransomware

Fraudulent Call History Apps Drain Millions via 7.3M Play Store Downloads

Analyst 207||Source: TheHackerNews
Smartphone with blurred Google Play Store page on screen, surrounded by receipts on a neutral surface in a bright, everyday…

“The offending apps, which we named CallPhantom based on their false claims, purport to provide access to call histories, SMS records, and even WhatsApp call logs for any phone number,” ESET researcher Lukáš Štefanko wrote, adding that “to unlock this supposed feature, users are asked to pay -- but all they get in return is randomly generated data.”

ESET’s CallPhantom discovery and scale

Slovakian cybersecurity company ESET identified a cluster of 28 fraudulent Android apps on the official Google Play Store that collectively recorded more than 7.3 million downloads before Google removed them. One app alone accounted for over 3 million installs. ESET assigned the activity the codename CallPhantom and said it primarily targeted Android users in India and the broader Asia‑Pacific region. Evidence in ESET’s report indicates the campaign may have been active since at least November 2025.

How the apps deceived users

The apps presented a straightforward promise: give users access to another phone number’s call history, SMS records, and even WhatsApp call logs. In practice, the apps contained no functionality to retrieve such data. Instead, users were asked to pay for access and—after payment—were served completely fabricated phone numbers and contact names embedded directly in the apps’ source code.

Several deceptive techniques were reported. At least one app was published under the developer name “Indian gov.in” to create a false sense of trust. A second group of apps solicited an email address and promised to deliver the requested call details by email only after a payment was made. In at least one instance, the app displayed a phony notification saying a call history had been sent to the user’s email when the user tried to exit; tapping the notification routed the user to a subscription purchase screen.

ESET noted the apps featured a simple user interface and did not request sensitive Android permissions—behaviors that can reduce suspicion—yet they offered no legitimate mechanism to access call, SMS, or WhatsApp records.

The Play Store package list (as identified by ESET)

  • Call history : any number deta (calldetaila.ndcallhisto.rytogetan.ynumber)
  • Call History of Any Number (com.pixelxinnovation.manager)
  • Call Details of Any Number (com.app.call.detail.history)
  • Call History Any Number Detail (sc.call.ofany.mobiledetail)
  • Call History Any Number Detail (com.cddhaduk.callerid.block.contact)
  • Call History Of Any Number (com.basehistory.historydownloading)
  • Call History of Any Numbers (com.call.of.any.number)
  • Call History Of Any Number (com.rajni.callhistory)
  • Call History Any Number Detail (com.callhistory.calldetails.callerids.callerhistory.callhostoryanynumber.getcall.history.callhistorymanager)
  • Call History Any Number Detail (com.callinformative.instantcallhistory.callhistorybluethem.callinfo)
  • Call History Any Number detail (com.call.detail.caller.history)
  • Call History Any Number Detail (com.anycallinformation.datadetailswho.callinfo.numberfinder)
  • Call History Any Number Detail (com.callhistory.callhistoryyourgf)
  • Call History Any Number (com.calldetails.smshistory.callhistoryofanynumber)
  • Call History Any Number Detail (com.callhistory.anynumber.chapfvor.history)
  • Call History of Any Number (com.callhistory.callhistoryany.call)
  • Call History Any Number Detail (com.name.factor)
  • Call History Of Any Number (com.getanynumberofcallhistory.callhistoryofanynumber.findcalldetailsofanynumber)
  • Call History Of Any Number (com.chdev.callhistory)
  • Phone Call History Tracker (com.phone.call.history.tracke)
  • Call History- Any Number Deta (com.pdf.maker.pdfreader.pdfscanner)
  • Call History Of Any Number (com.any.numbers.calls.history)
  • Call History Any Number Detail (com.callapp.historyero)
  • Call History - Any Number Data (all.callhistory.detail)
  • Call History For Any Number (com.easyranktools.callhistoryforanynumber)
  • Call History of Numbers (com.sbpinfotech.findlocationofanynumber)
  • Call History of Any Number (callhistoryeditor.callhistory.numberdetails.calleridlocator)
  • Call History Pro (com.all_historydownload.anynumber.callhistorybackup)

Payment channels, pricing, and refunds

To extract payment, the apps used multiple mechanisms. Some relied on official Google Play Store subscriptions and Google Play billing. Others directed users to third‑party Unified Payments Interface (UPI) apps—specifically naming Google Pay, PhonePe, and Paytm—or presented in‑app payment card checkout forms. ESET emphasized that the latter two approaches violate Google policy.

Subscription prices reported across the apps ranged from roughly $6 up to $80. According to ESET, users who subscribed via official Google Play billing may be eligible for refunds under Google’s refund policies. Purchases made via third‑party payment apps or through direct card entry cannot be refunded by Google, leaving victims to pursue refunds through external payment providers or the app developers.

Related fraud patterns flagged by Group‑IB

The disclosure from ESET comes alongside a separate warning from Group‑IB about a fraud campaign that targeted Indonesian users and stole an estimated $2 million. Group‑IB says that campaign began in July 2025 and has been linked to a financially motivated threat cluster it calls GoldFactory. That attack chain, Group‑IB reported, used phishing websites, WhatsApp social engineering, malicious APK sideloading, voice phishing, and Android malware families including Gigabud RAT, MMRat, and Taotie—enabling account takeover and unauthorized transfers. Group‑IB also noted the infrastructure abused more than 16 trusted brands in its lures and targeted a large population in Indonesia.

The CallPhantom cluster illustrates a persistent, low‑complexity fraud model: simple apps, plausible consumer promises, and a payment funnel that converts curiosity into loss. ESET’s findings underline that removal from the Play Store stops distribution but does not automatically restore money to victims—especially those who paid outside Google Play’s billing system. For affected users, that distinction will be decisive in whether a refund is available; for investigators and payment providers, the ongoing work is to trace transactions and hold third‑party payment endpoints to account.

Original story

AndroidAsiaEmerging ThreatsIndiaMobile SecurityEsetFraudulent AppsGoogle Play StoreCallphantom
Related Intelligence

Continue Reading

Windows computer setup on office desk with laptop and keyboard in focus, near a whiteboard with network diagram.

Ransomware gangs exploit Windows BlueHammer flaw

Ransomware gangs are actively exploiting a critical Microsoft Defender flaw, nicknamed BlueHammer, which has been added to CISA's list of Known Exploited Vulnerabilities. This vulnerability is a prime target for malicious cyber actors, posing a significant risk to those who haven't yet applied the necessary patches.

Analyst 207
Small business office with computer workstation, papers, and city street view through window.

Ransomware Strikes 323 UK Firms in a Year

Stay ahead of ransomware threats with proactive protection - keep your data safe with regular backups, strong access controls, and up-to-date systems. Every month, over 26 UK firms fall victim to these crippling attacks, with small and mid-sized businesses being hit the hardest.

Analyst 207
Payment terminal in a brightly-lit retail setting with neutral background.

Oracle E-Business Suite Flaw CVE-2026-46817 Sees Active Exploitation

A critical flaw in Oracle Payments, known as CVE-2026-46817, is being actively exploited by hackers, allowing them to easily take control of vulnerable Oracle E-Business Suite instances. This easily exploitable vulnerability has a near-perfect CVSS score of 9.8, making it a high-risk threat to organizations using Oracle Payments.

Analyst 207
Bank interior with teller counters, computers, and papers, hint of digital infrastructure in background.

India's .bank.in Domain Registry Exposes Sensitive Bank Employee Data

A major security slip-up by the registrar for India's .bank.in domain has left 5,576 bank employees' sensitive credentials and contact details exposed, putting their security at risk. This breach undermines the very purpose of the .bank.in namespace - to protect Indian banking web identities from phishers and fraudsters.

Analyst 207