Fake “Call History” Android Apps Hit 7.3 Million Downloads on Google Play

Cybersecurity researchers have uncovered a large-scale Android scam campaign involving fraudulent apps on the official Google Play Store that falsely promised access to private call logs, SMS records, and even WhatsApp call histories for any phone number.

The campaign, dubbed CallPhantom by ESET, targeted Android users primarily in India and across the Asia-Pacific region. Before removal, the 28 malicious apps collectively amassed more than 7.3 million downloads, with one app alone surpassing 3 million installs.

Fake Features Used to Trick Victims

According to ESET researcher Lukáš Štefanko, the apps claimed to provide users with sensitive phone activity data for arbitrary phone numbers.

“The offending apps, which we named CallPhantom based on their false claims, purport to provide access to call histories, SMS records, and even WhatsApp call logs for any phone number.”

To unlock the supposed functionality, victims were asked to purchase subscriptions or make one-time payments. However, instead of real information, users only received randomly generated fake data hardcoded directly into the applications.

One of the apps was even published under the deceptive developer name “Indian gov.in” in an attempt to appear legitimate and gain user trust.

Fraudulent Payment Methods

Researchers found the apps used multiple monetization techniques, including:

  • Google Play subscriptions
  • UPI-based payments
  • Direct payment card forms inside the apps

Some apps leveraged widely used Indian payment services such as:

  • Google Pay
  • PhonePe
  • Paytm

The use of external payment methods violated Google Play Store policies.

In one particularly deceptive technique, users who attempted to exit an app without paying received fake notifications claiming the requested call history had already been emailed to them. Clicking the notification redirected them back to the payment screen.

Subscription fees ranged from approximately $6 to $80.

No Real Functionality, No Permissions

What makes the operation especially notable is that the apps required minimal permissions and contained no actual functionality capable of retrieving call logs, SMS records, or WhatsApp data.

Instead, the scam relied entirely on:

  • Social engineering
  • Fake interfaces
  • Fabricated results
  • Psychological pressure to complete payments

Users who subscribed through Google Play Billing may still qualify for refunds under Google’s refund policies, although victims who paid through third-party payment systems may face greater difficulty recovering funds.

Full List of Identified Apps

  • Call history : any number deta
  • Call History of Any Number
  • Call Details of Any Number
  • Call History Any Number Detail
  • Call History Of Any Number
  • Call History of Any Numbers
  • Phone Call History Tracker
  • Call History Pro
  • And multiple similarly named variants

The apps heavily reused keywords such as “call history,” “any number,” and “SMS tracker” to manipulate search rankings and attract downloads.

Group-IB Links Separate Android Malware Campaign

In a related development, Group-IB revealed a separate fraud operation targeting Indonesian users through phishing pages impersonating the country’s tax platform CoreTax and other trusted brands.

The financially motivated threat cluster, tracked as GoldFactory, allegedly stole nearly $2 million from victims since July 2025.

The attack chain combined:

  • Phishing websites
  • WhatsApp-based social engineering
  • Malicious APK sideloading
  • Voice phishing (vishing)

The campaign distributed Android malware families including:

  • Gigabud RAT
  • MMRat
  • Taotie

These malware strains were capable of:

  • Stealing sensitive information
  • Taking over accounts
  • Downloading additional payloads
  • Conducting financial theft

Group-IB stated the infrastructure abused more than 16 trusted brands, targeting Indonesia’s population of roughly 287 million people.

Security Recommendations

Users are advised to:

  • Avoid apps promising access to private call or SMS histories
  • Verify developer legitimacy before installation
  • Use only trusted apps with transparent privacy practices
  • Avoid sideloading APK files received through messaging platforms
  • Review active subscriptions and remove suspicious apps immediately