PROBABLYPWNED
Malware · May 9, 2026 · 3 min read

28 Fake 'Call History' Apps Scammed 7.3 Million Android Users

ESET exposes CallPhantom campaign: fraudulent Google Play apps promised call records for any number, delivered hardcoded fake data after payment.

James Rivera

Twenty-eight fraudulent Android apps promising access to anyone's call history accumulated over 7.3 million downloads on Google Play before being removed. The apps delivered nothing but hardcoded fake data after collecting subscription payments from victims.

ESET security researcher Lukáš Štefanko disclosed the campaign, dubbed CallPhantom, which primarily targeted users in India and the broader Asia-Pacific region. The scam has been active since at least November 2025.

The Promise Versus Reality

The apps advertised an impossible capability: retrieving call histories, SMS records, and WhatsApp logs for any phone number. Names like "Call History of Any Number," "Call Details of Any Number," and "Phone Call History Tracker" made the pitch explicit.

After installation, users were prompted to enter a target phone number and pay for access. Subscription costs ranged from approximately $6 to $80 depending on the app variant. Once payment cleared, the apps displayed randomly generated names and phone numbers—data pulled directly from strings embedded in the source code, not from any actual phone records.

The technical reality is straightforward: no third-party app can access another person's call logs without carrier-level access or malware on the target device. These apps requested no sensitive permissions because they had no actual functionality beyond displaying prepopulated garbage data.

Payment Laundering

The operators used three payment collection methods:

  1. Google Play's official billing system - Allowed some victims to request refunds through Google
  2. Third-party UPI apps - Including Google Pay, PhonePe, and Paytm, popular in India
  3. Direct card checkout - Payment forms embedded within the apps, violating Google's policies

The latter two methods complicate refunds significantly. Victims who paid through UPI or direct card entry cannot receive refunds through Google and must dispute charges with their payment providers directly.

Detection Challenges

The apps evaded detection partly because they didn't exhibit typical malware behaviors. They requested minimal permissions, contained no data exfiltration code, and didn't communicate with suspicious command-and-control infrastructure. From an automated scanning perspective, they appeared to be poorly coded but benign applications.

This represents a category Google's Play Protect struggles with: apps that are fundamentally fraudulent in purpose but technically unremarkable. The scam exists entirely in the gap between what the app claims to do and what it actually does—a distinction that requires semantic understanding rather than behavioral analysis.

Similar Patterns in Mobile Fraud

CallPhantom follows a well-established playbook. We've previously covered similar subscription scams where the goal isn't installing malware but simply extracting payment for nonexistent services. The mobile app stores' scale makes this economically viable: even a small conversion rate across millions of downloads generates substantial revenue.

The targeting of India reflects the massive Android user base there and the prevalence of UPI payment infrastructure that's harder to reverse than card transactions. Similar campaigns have targeted markets where alternative payment methods dominate over credit cards.

Protecting Yourself

The warning signs were present for anyone looking:

  • Impossible claims - No legitimate app can access another person's private phone records
  • Payment before functionality - Requiring subscription before demonstrating any capability
  • Review patterns - A mix of obviously fake positive reviews and frustrated complaints from scammed users
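The detection gap described above (an app whose store listing claims something the platform cannot deliver, while its declared permissions and behavior look benign) and the three warning signs just listed can be turned into a listing-level triage check. The script below is an added example written for this article; it is not ESET's detection logic, not Google Play Protect, and not code from the apps themselves. The claim patterns are built from the app names the article quotes, the package names and reviews are constructed sample data, and the "claims call-record access but declares neither READ_CALL_LOG nor READ_SMS" contradiction is my own heuristic, added on top of the signals the article names.

```python
import re
from dataclasses import dataclass

# Phrases describing a capability no third-party app can have: reading records that live on
# someone else's device or at the carrier. Patterns are assumptions built from the app names
# quoted in the article; a real triage list would be larger.
IMPOSSIBLE_CLAIMS = [
    re.compile(r"\b(call|phone call) (history|details|records?|logs?) (of|for) any (phone )?number\b", re.I),
    re.compile(r"\b(sms|text|whatsapp) (messages?|records?|logs?|history) (of|for|from) any (phone )?number\b", re.I),
    re.compile(r"\bphone call history tracker\b", re.I),
]

# Permissions an app must declare even to read the *local* device's call log or SMS.
# A listing that promises call records while declaring neither is self-contradictory
# (heuristic added here, not from the article).
LOCAL_RECORD_PERMS = {"android.permission.READ_CALL_LOG", "android.permission.READ_SMS"}

COMPLAINT_WORDS = re.compile(r"\b(scam|fake|refund|fraud|cheat(ed)?|stole|money)\b", re.I)


@dataclass
class Listing:
    package: str
    title: str
    description: str
    permissions: set
    in_app_purchases: bool
    reviews: list  # list of (stars, text)


def impossible_claims(listing):
    """Return the matched claim phrases found in the title and description."""
    text = f"{listing.title} {listing.description}"
    hits = []
    for pattern in IMPOSSIBLE_CLAIMS:
        m = pattern.search(text)
        if m:
            hits.append(m.group(0))
    return hits


def review_mix_is_bimodal(reviews, threshold=0.3):
    """True when a large share of reviews are 5-star AND a large share are 1-star
    complaints naming fraud or refunds: the fake-praise-plus-scammed-users pattern."""
    if not reviews:
        return False
    n = len(reviews)
    praise = sum(1 for stars, _ in reviews if stars == 5) / n
    complaints = sum(1 for stars, text in reviews
                     if stars == 1 and COMPLAINT_WORDS.search(text)) / n
    return praise >= threshold and complaints >= threshold


def triage(listing):
    """Score a listing on the warning signs; returns (score, reasons)."""
    reasons = []
    claims = impossible_claims(listing)
    if claims:
        reasons.append("impossible claim: " + "; ".join(claims))
        if not (listing.permissions & LOCAL_RECORD_PERMS):
            reasons.append("claims record access but declares neither READ_CALL_LOG nor READ_SMS")
        if listing.in_app_purchases:
            reasons.append("paywall attached to an impossible capability")
    if review_mix_is_bimodal(listing.reviews):
        reasons.append("bimodal reviews: fake-looking praise alongside fraud complaints")
    return len(reasons), reasons


def verdict(listing):
    score, _ = triage(listing)
    return "manual review" if score >= 2 else "no signal"


# Constructed sample listings (hypothetical package names, not real apps).
SUSPECT = Listing(
    package="com.example.callhistory",
    title="Call History of Any Number",
    description="Get call details and WhatsApp logs of any number instantly. Subscribe to unlock.",
    permissions={"android.permission.INTERNET"},
    in_app_purchases=True,
    reviews=[(5, "Amazing app works great"), (5, "Best app"),
             (1, "Scam! paid and got fake numbers, want refund"),
             (1, "Fraud app, took my money"), (4, "ok")],
)

BENIGN = Listing(
    package="com.example.mycalllog",
    title="My Call Log Backup",
    description="Back up your own call history to a file you control.",
    permissions={"android.permission.READ_CALL_LOG"},
    in_app_purchases=False,
    reviews=[(5, "Works"), (4, "Good"), (3, "Fine")],
)

if __name__ == "__main__":
    for listing in (SUSPECT, BENIGN):
        score, reasons = triage(listing)
        print(listing.package, verdict(listing), score, reasons)
```

The point of the permission check is that it needs no dynamic analysis: the contradiction between what the listing promises and what the manifest declares is visible from metadata alone, which is exactly the claim-versus-behavior gap that behavioral scanners miss.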

For those concerned about mobile security, the core principle remains: if an app promises capabilities that would require breaking fundamental platform security boundaries, it's either malware or fraud. In CallPhantom's case, it was simply fraud—which from the victim's perspective means lost money rather than compromised data.

Google has removed all 28 identified apps and canceled subscriptions made through Play billing. The company's policies now face renewed scrutiny over how obvious scams accumulate millions of downloads before removal.
