CallPhantom Android scam reached 7.3 million downloads on Google Play

Scams targeting Android users in India and across the Asia-Pacific region have grown around a long-standing curiosity gap: the desire to look up call records tied to a phone number. A cluster of 28 fraudulent apps on Google Play exploited that gap and pulled in more than 7.3 million downloads before the store removed them.

ESET researchers, who tracked the campaign and named it CallPhantom, reported the apps to Google on December 16, 2025, and all of them have since been taken down.

Fabricated data sold as real records

The apps advertised access to call histories, SMS records, and WhatsApp call logs for any phone number supplied by the user. Once a victim paid, the apps delivered randomly generated data drawn from hardcoded lists of names, country codes, timestamps, and call durations. None of the apps contained any code capable of retrieving real communications data, and they did not request the sensitive permissions such functionality would require.

ESET first identified the activity in November 2025 after a Reddit post flagged an app called Call History of Any Number, published under the developer name “Indian gov.in.” The app had no connection to the Indian government. Further analysis surfaced 27 additional apps using the same scheme.

Two operating models

Apps in the first cluster generated partial fake results immediately, then asked for payment to reveal the rest. The second cluster collected an email address and promised to deliver the call history after subscription. In one case, the app sent users who closed it without paying fake email-style notifications claiming the report was ready. Tapping the alert opened a subscription screen.

Many of the apps preselected the +91 country code and supported UPI, the payment system used widely in India. Negative reviews on the Play Store described the same pattern of users paying and receiving randomized data with no recourse.

Various payment options used by CallPhantom apps (Source: ESET)

Payment routes that bypass Google

Three payment methods appeared across the apps. Some used Google Play’s official billing system, which Google requires for apps offering in-app purchases and which carries Google’s refund coverage. Others routed payments through third-party UPI apps using hardcoded URLs or URLs fetched dynamically from a Firebase realtime database, allowing the operators to swap payout accounts at any time. A third group embedded payment card checkout forms directly in the app interface. The latter two methods violate Google Play’s payments policy.
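A static triage heuristic for the traits described above (lookup claims without the permissions to back them, UPI links, Firebase-backed payment targets, embedded card forms), as an added example that is not ESET's detection logic or code from the original article. The function name, finding labels, regexes and sample apps are assumptions constructed for illustration.

```python
import re

# Markers are assumptions chosen for this example, not vendor signatures.
LOOKUP_CLAIM = re.compile(r"call (history|log|details)|sms (history|records)", re.I)
DATA_PERMISSIONS = {"android.permission.READ_CALL_LOG", "android.permission.READ_SMS"}
UPI_LINK = re.compile(r"upi://pay\?[^\s\"'<>]+", re.I)
FIREBASE_RTDB = re.compile(
    r"https://[a-z0-9.-]+\.(?:firebaseio\.com|firebasedatabase\.app)", re.I)
CARD_FORM = re.compile(r"card[ _]?number|cvv|expiry", re.I)


def triage(listing_text, permissions, strings):
    """Return findings for one app from its store listing, manifest
    permissions and extracted string constants."""
    perms, blob = set(permissions), "\n".join(strings)
    findings = []
    # Advertises call/SMS lookups but requests nothing that could read them.
    if LOOKUP_CLAIM.search(listing_text) and not perms & DATA_PERMISSIONS:
        findings.append("claim-without-permissions")
    # Complete UPI payment link baked into the app.
    if UPI_LINK.search(blob):
        findings.append("hardcoded-upi-link")
    # UPI scheme present but no payee in the app, plus a Firebase Realtime
    # Database URL: the payment target may be fetched at runtime.
    elif "upi://" in blob.lower() and FIREBASE_RTDB.search(blob):
        findings.append("upi-target-possibly-remote")
    # Card fields rendered by the app itself instead of Play billing.
    if CARD_FORM.search(blob):
        findings.append("embedded-card-form")
    return findings


# Constructed sample apps (not real packages or payment addresses).
SAMPLES = {
    "lookup-upi": ("Get call history of any number",
                   ["android.permission.INTERNET"],
                   ["upi://pay?pa=example@bank&pn=Example&am=499"]),
    "lookup-remote": ("Call details and SMS history finder",
                      ["android.permission.INTERNET"],
                      ["https://example-default-rtdb.firebaseio.com/",
                       "upi://pay", "Enter card number", "CVV"]),
    "dialer": ("Dialer with call log backup",
               ["android.permission.READ_CALL_LOG", "com.android.vending.BILLING"],
               ["Upgrade to premium"]),
}

if __name__ == "__main__":
    for name, app in SAMPLES.items():
        print(name, triage(*app))
```

Findings are leads for manual review: a Firebase URL on its own is common in legitimate apps, which is why the sketch only reports it alongside a UPI scheme string.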

Subscription pricing varied across the apps. The lowest tier averaged €5, and the highest fee observed was $80, with weekly, monthly, and yearly packages on offer.

Refund prospects

Subscriptions purchased through Google Play billing for the 28 apps were canceled when the apps were removed from the store. Refund eligibility depends on Google’s standard refund window and policies, accessible through the Play Store profile menu under Payments and subscriptions. Purchases made through third-party UPI apps or via card details entered inside a CallPhantom app fall outside Google’s reach. Affected users have to pursue the payment provider or the app developer directly.

ESET, which acts as an App Defense Alliance partner, classifies the apps under the Android/CallPhantom detection family. The campaign also relied on Firebase Cloud Messaging for command-and-control communication, according to the MITRE ATT&CK mapping ESET published alongside the indicators of compromise.
