CallPhantom: 28 Fake Apps on Google Play With 7.3 Million Downloads

ESET researchers discovered in November 2025 a campaign they named CallPhantom: 28 fraudulent applications on Google Play that promised access to call history, SMS, and WhatsApp messages from any phone number. The most striking detail is not that they were fake — it’s that they accumulated over 7.3 million downloads before being removed.

The impossible promise millions agreed to pay for

The mechanics were simple and effective: the apps claimed they could retrieve the communications history of any number, even without access to that phone. No such capability exists. Call logs and SMS live on the owner's device, behind permissions that only an app installed there can be granted, and in the carrier's records; neither Android nor the telecom infrastructure offers an app running on a stranger's phone any way to read them, and WhatsApp messages are end-to-end encrypted on top of that.

However, the proposition appealed to a real — or perceived — need in many users: verifying whether a family member is lying, monitoring an employee, or satisfying simple curiosity. That motivation was enough to generate millions of downloads and real payments for a service that never existed.

The initial discovery came from a Reddit thread where users reported the app “Call History of Any Number,” published under the developer “Indian gov.in” — a name designed to suggest institutional legitimacy.

How the scam worked

The applications were divided into two technical variants:

  • First cluster: generated completely fake data — names, numbers, and timestamps hardcoded directly into the app code, combined randomly. The “results” were only shown after payment.
  • Second cluster: requested an email address where the recovered history would supposedly be sent. Nothing ever arrived — but the payment had already been processed.

The screenshots on Google Play showed this fake data as a demonstration of functionality, creating the illusion of a service that actually delivered results.
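Added example, not code from ESET or from the apps: a hypothetical reconstruction of the first cluster's generator, paired with the check a researcher can run once they hold results for several unrelated numbers. Because every record is assembled from fixed pools, the same counterpart numbers recur across queries no matter which number was entered, and that reuse is measurable. The name, number and timestamp pools are constructed values; the scoring function is the point.

```python
import random

# Constructed pools standing in for the names, numbers and timestamps that
# ESET found hardcoded in the first cluster. Hypothetical values, not strings
# taken from the CallPhantom samples.
NAME_POOL = ["Rahul", "Priya", "Amit", "Sneha", "Vikram", "Anjali"]
NUMBER_POOL = ["+919800000001", "+919800000002", "+919800000003",
               "+919800000004", "+919800000005"]
TIME_POOL = ["2025-11-01 09:12", "2025-11-02 18:40",
             "2025-11-03 07:05", "2025-11-04 21:30"]


def fake_call_history(queried_number, n=5, seed=None):
    """Reconstruction of the first-cluster behaviour: the queried number is
    never used; each record is a random combination drawn from fixed pools."""
    rng = random.Random(seed)
    return [
        {"name": rng.choice(NAME_POOL),
         "number": rng.choice(NUMBER_POOL),
         "time": rng.choice(TIME_POOL)}
        for _ in range(n)
    ]


def fabrication_score(results_by_query):
    """Fraction of (query, counterpart number) pairs whose number also shows
    up in the results returned for a *different* queried number.

    Genuine call histories of unrelated people share almost no counterparts,
    so the score stays near 0. Records assembled from a small fixed pool
    overlap heavily and push the score towards 1."""
    numbers_by_query = {q: {r["number"] for r in recs}
                        for q, recs in results_by_query.items()}
    shared = total = 0
    for q, nums in numbers_by_query.items():
        others = set().union(
            *(n for oq, n in numbers_by_query.items() if oq != q))
        for num in nums:
            total += 1
            if num in others:
                shared += 1
    return shared / total if total else 0.0


def probe(queried_numbers, seeds=None):
    """Query the (reconstructed) app for several unrelated numbers and score
    the combined output. Seeds only make the demo reproducible."""
    seeds = seeds or [None] * len(queried_numbers)
    results = {q: fake_call_history(q, seed=s)
               for q, s in zip(queried_numbers, seeds)}
    return fabrication_score(results)


if __name__ == "__main__":
    score = probe(["+911111111111", "+912222222222",
                   "+913333333333", "+914444444444"], seeds=[1, 2, 3, 4])
    print(f"cross-query reuse of counterpart numbers: {score:.2f}")
```

Against the second cluster this check does not apply (nothing is ever returned); there the evidence is simply that the promised email never arrives after payment.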

Three payment methods, different risk levels

The campaign used three payment mechanisms with different implications for victims:

1. Official Google Play subscription. Mechanism: integrated Play Store billing. Refund possibility: yes, under Google's policy.
2. Third-party UPI apps. Mechanism: payment URLs hardcoded in the app or fetched dynamically via Firebase. Refund possibility: no; it depends on the external provider.
3. Direct card form. Mechanism: card data entered inside the app. Refund possibility: no, with the additional risk that the card data itself is stolen.

Apps using methods 2 and 3 deliberately bypassed Google’s official billing system — which eliminated any consumer protection and complicated refunds.
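Added example, not the researchers' tooling: a small Python triage that sorts strings recovered from an APK (for instance from `strings classes.dex`, or values pulled from its Firebase Remote Config) into the three payment methods above, so an analyst can tell whether an app is able to take money outside Play billing before anyone pays. The sample strings, the payee VPA, the app name and the URL are constructed; the Play Billing permission and library names and the `upi://pay` deep-link parameters (`pa`, `pn`, `am`, `cu`) are the real ones.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample of the kind of strings pulled from a decompiled APK or
# fetched from Firebase Remote Config. VPA, app name and URL are hypothetical,
# not values observed in the CallPhantom samples.
SAMPLE_STRINGS = [
    "com.android.vending.BILLING",
    "upi://pay?pa=merchant123@upi&pn=CallHistoryPro&am=199&cu=INR&tn=Premium",
    "https://pay.example.invalid/card?plan=monthly",
    "card_number",
    "expiry_date",
    "cvv",
    "FirebaseRemoteConfig",
]

# Real identifiers: the Play Billing permission and the Play Billing Library.
PLAY_BILLING_MARKERS = ("com.android.vending.BILLING",
                        "com.android.billingclient", "BillingClient")
# Hypothetical field names an in-app card form would expose as strings.
CARD_FIELD_MARKERS = {"card_number", "expiry_date", "cvv"}
REMOTE_CONFIG_MARKERS = ("FirebaseRemoteConfig", "firebase_remote_config")


def parse_upi_link(s):
    """Return the payee fields of a upi://pay deep link, or None if s is not one."""
    u = urlparse(s)
    if u.scheme != "upi" or u.netloc != "pay":
        return None
    q = parse_qs(u.query)

    def field(key):
        return q.get(key, [None])[0]

    return {"vpa": field("pa"), "payee": field("pn"),
            "amount": field("am"), "currency": field("cu")}


def classify_payment(strings):
    """Sort the evidence into the three methods described above and say
    whether the app can take money outside Google Play billing."""
    report = {"play_billing": False, "upi_links": [],
              "card_form": False, "firebase_remote_config": False}
    card_hits = set()
    for s in strings:
        if any(m in s for m in PLAY_BILLING_MARKERS):
            report["play_billing"] = True
        upi = parse_upi_link(s)
        if upi:
            report["upi_links"].append(upi)
        if s.lower() in CARD_FIELD_MARKERS:
            card_hits.add(s.lower())
        if any(m in s for m in REMOTE_CONFIG_MARKERS):
            # Remote config on its own is benign; combined with off-Play
            # payment it is how the payee/URL can be swapped after install.
            report["firebase_remote_config"] = True
    # Two or more card fields is a stronger signal than a stray "cvv" string.
    report["card_form"] = len(card_hits) >= 2
    report["bypasses_play_billing"] = (bool(report["upi_links"])
                                      or report["card_form"])
    return report


def refund_paths(report):
    """Map the findings to the refund situation a victim actually faces."""
    paths = []
    if report["play_billing"]:
        paths.append("Google Play subscription: refundable under Google policy")
    for link in report["upi_links"]:
        paths.append(f"UPI to {link['vpa']} ({link['amount']} {link['currency']}): "
                     "no Google refund, raise it with the UPI provider or bank")
    if report["card_form"]:
        paths.append("Card entered in-app: no Google refund, treat the card as exposed")
    return paths


if __name__ == "__main__":
    result = classify_payment(SAMPLE_STRINGS)
    for line in refund_paths(result):
        print(line)
```

The presence of the Play Billing permission does not clear an app: an app can ship both, offering Play billing in one screen and a UPI deep link or card form in another, so the verdict should key on `bypasses_play_billing`, not on `play_billing`.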

Additional manipulation tactics

Some applications showed deceptive push notifications when the user closed the app without paying, simulating that results had already arrived by email. The message redirected to the subscription screen, creating artificial pressure to complete the payment.

The apps also accumulated fake positive reviews to counter the real complaints users left. When looking only at the overall rating without reading comments, the app appeared trustworthy.

Scope and current status

The campaign was aimed primarily at users in India and the Asia-Pacific region: the +91 country code came preselected in the apps, and UPI is an India-specific payment system. The methodology, however, transfers to any market.

After ESET’s notification, Google removed all 28 applications from the Play Store and cancelled active subscriptions. Detections are classified as Android/CallPhantom[A-Z].

If you installed any of these apps, check your active subscriptions in Play Store → Profile → Payments and subscriptions → Subscriptions. If you paid outside Google Play (via a UPI app or a card form), contact your bank, card issuer or UPI provider directly and report the charge as fraudulent; if you typed card details into the app, treat that card as compromised and have it reissued.

AllSafe Perspective

The real problem isn’t these 28 apps — it’s the next ones

Google removed these applications. But the campaign ran for months with 7.3 million downloads before being detected. That means Play Store’s moderation system is not sufficient as the only line of defense — and that’s especially relevant in corporate environments where employees use mobile devices to access email, VPN, or internal applications.

A fraudulent app installed on a device with access to the corporate network is not only an individual financial risk. If the payment method was a direct card form, the entered card data may have been captured. ESET also describes payment URLs being delivered dynamically through Firebase, which means the operators could change where the money went after installation without shipping an update; the research does not describe device surveillance, but an app whose behaviour is fetched at runtime from infrastructure the fraudsters control is exactly the kind of software that should not sit next to corporate email, VPN or internal applications.

The mitigation isn’t complex: a mobile security policy that restricts installation of unverified apps, combined with basic training on how to identify fraudulent applications, significantly reduces this vector. At AllSafe we can help you define that policy for your organization — let’s talk.

Admin

In charge of managing and publishing content on the AllSafe Security Solutions website, he supervises the writing, review and dissemination of articles related to cybersecurity, digital transformation and implementation of international standards such as ISO 27001.
