Fraudulent "CallPhantom" Apps on Google Play Scammed Millions with Fake Call History Data
A sophisticated fraud campaign involving 28 malicious Android apps collectively dubbed CallPhantom deceived over 7.3 million users before being removed from Google Play in December 2025. Discovered by researchers at WeLiveSecurity, the apps lured victims with the false promise of revealing call histories for any phone number, only to deliver fabricated data and extract payments through deceptive subscription models.
The scam exploited users' curiosity by displaying partial, hardcoded call logs complete with fake names, timestamps, and phone numbers to create the illusion of functionality. Victims were then prompted to pay for full access, with subscription fees ranging from weekly to yearly plans costing up to $80. Two primary variants were identified: one that generated pre-loaded fake data directly in the app, and another that falsely claimed to email results after payment, delivering nothing in return.
Targeting primarily Android users in India and the Asia-Pacific region, the apps were optimized for local payment methods, including UPI (Unified Payments Interface) and direct card transactions. Some even embedded payment forms within the app, violating Google Play’s policies and complicating refunds. Operators further evaded detection by dynamically fetching payment details from Firebase Realtime Database instances, allowing them to switch receiving accounts at will.
While Google canceled subscriptions tied to its official billing system, users who paid via third-party UPI apps or in-app card forms had no recourse through Google. The apps also employed deceptive tactics, such as fake email notifications leading to subscription screens, to pressure users into paying.
All 28 apps lacked any real capability to access call logs, SMS records, or messaging data. Their removal followed ESET’s disclosure, though indicators of compromise, including SHA-1 hashes, Firebase-hosted command-and-control domains, and associated IP addresses, remain documented for threat intelligence purposes.
Source: https://cybersecuritynews.com/28-fake-call-history-apps-on-google-play-with-7-3m-downloads/
Google Play cybersecurity rating report: https://www.rankiteo.com/company/google-play
{
  "id": "GOO1778157015",
  "linkid": "google-play",
  "type": "Cyber Attack",
  "date": "12/2025",
  "severity": "60",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
{'affected_entities': [{'customers_affected': '7.3 million',
                        'industry': 'General public',
                        'location': ['India', 'Asia-Pacific region'],
                        'name': 'Google Play Store users',
                        'size': '7.3 million users',
                        'type': 'Individuals'}],
 'attack_vector': 'Malicious mobile apps (Google Play Store)',
 'date_publicly_disclosed': '2025-12',
 'date_resolved': '2025-12',
 'description': 'A sophisticated fraud campaign involving 28 malicious Android '
                'apps collectively dubbed *CallPhantom* deceived over 7.3 '
                'million users before being removed from Google Play in '
                'December 2025. The apps lured victims with the false promise '
                'of revealing call histories for any phone number, only to '
                'deliver fabricated data and extract payments through '
                "deceptive subscription models. The scam exploited users' "
                'curiosity by displaying partial, hardcoded call logs complete '
                'with fake names, timestamps, and phone numbers to create the '
                'illusion of functionality. Victims were then prompted to pay '
                'for full access, with subscription fees ranging from weekly '
                'to yearly plans costing up to $80.',
 'impact': {'brand_reputation_impact': 'Google Play Store reputation (hosting '
                                       'malicious apps)',
            'data_compromised': 'None (fabricated data only)',
            'financial_loss': 'Up to $80 per victim (subscription fees)',
            'payment_information_risk': 'Users paid via UPI/card transactions '
                                        '(potential exposure)',
            'systems_affected': 'Android devices of 7.3 million users'},
 'investigation_status': 'Closed (apps removed)',
 'lessons_learned': 'Deceptive apps can evade detection by dynamically '
                    'fetching payment details and using third-party payment '
                    'methods to bypass platform protections. Users should be '
                    'cautious of apps promising unrealistic functionalities.',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'corrective_actions': ['Removal of malicious apps',
                                                   'Cancellation of '
                                                   'subscriptions tied to '
                                                   "Google's billing system",
                                                   'Documentation of IOCs '
                                                   '(SHA-1 hashes, Firebase '
                                                   'domains, IP addresses) for '
                                                   'threat intelligence'],
                            'root_causes': ['Inadequate vetting of apps on '
                                            'Google Play Store',
                                            'Deceptive app design (fake data, '
                                            'dynamic payment systems)',
                                            'Exploitation of user curiosity '
                                            'and lack of awareness']},
 'recommendations': ['Enhance Google Play Store vetting processes for apps '
                     'offering sensitive services (e.g., call history access).',
                     'Improve detection of apps using dynamic payment systems '
                     'to evade platform policies.',
                     'Educate users on recognizing deceptive subscription '
                     'models and verifying app legitimacy.',
                     'Provide clearer refund mechanisms for payments made via '
                     'third-party methods (e.g., UPI).'],
 'references': [{'source': 'WeLiveSecurity (ESET)'}],
 'regulatory_compliance': {'regulations_violated': 'Google Play policies '
                                                   '(embedded payment forms, '
                                                   'deceptive practices)'},
 'response': {'containment_measures': 'Google removed the 28 malicious apps '
                                      'from Google Play',
              'remediation_measures': 'Google canceled subscriptions tied to '
                                      'its official billing system',
              'third_party_assistance': 'ESET (WeLiveSecurity) researchers'},
 'title': "Fraudulent 'CallPhantom' Apps on Google Play Scammed Millions with "
          'Fake Call History Data',
 'type': 'Fraud'}