A fake call-history app scam on Google Play just pulled in 7 million downloads before anyone caught on. Cybersecurity firm ESET uncovered 28 Android apps — dubbed CallPhantom — that promised users access to anyone’s call records, SMS history, and even WhatsApp logs for a fee. Let’s find out how the scam worked and what you should watch out for.
How the CallPhantom Scam Actually Worked
The pitch was simple: type in a phone number, and the app would reveal every call that number made or received. Apps with names like “Call History of Any Number” made it sound almost official. One was even published under the developer name “Indian gov.in” — though it had zero connection to any government body.
Once you entered a number, the app locked the results behind a paywall. Subscriptions ranged from around $5 a month up to $80. After paying, users got their call history — except none of it was real. ESET researcher Lukáš Štefanko confirmed that the data was entirely fabricated, generated from hardcoded lists of names, numbers, timestamps, and call durations baked right into the app’s code.

The apps didn’t even ask for sensitive device permissions — because they didn’t need to. There was never any mechanism to pull real call data in the first place.
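As an added illustration (not ESET’s code and not anything recovered from the apps), here is a small Python heuristic for the tell-tale sign described above: when “results” are served from a fixed hardcoded pool, the same records keep recurring no matter which number is queried, something a genuine per-number lookup would never produce. All records in it are constructed sample data.

```python
"""Flag 'call history' results recycled from a fixed pool rather than looked up
per number. Added example, not ESET's code; all records are constructed."""
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class CallRecord:
    peer: str        # other party's number as shown in the app's "result"
    name: str        # display name attached to that number
    timestamp: str   # call time exactly as the app renders it
    duration_s: int  # call length in seconds

# Constructed: a hardcoded pool of four records, the kind baked into an APK.
POOL = [
    CallRecord("+911111111111", "Ravi", "2026-04-02 09:14", 312),
    CallRecord("+912222222222", "Priya", "2026-04-03 18:40", 45),
    CallRecord("+913333333333", "Amit", "2026-04-05 12:05", 780),
    CallRecord("+914444444444", "Neha", "2026-04-06 21:30", 12),
]

# Constructed: what a fabricating app "returns" for three unrelated queries.
# Each history is just a reshuffle of POOL, so records repeat across inputs.
FAKE_RESULTS = {
    "+919876500001": [POOL[0], POOL[1], POOL[2]],
    "+919876500002": [POOL[1], POOL[2], POOL[3]],
    "+447700900123": [POOL[3], POOL[0], POOL[1]],
}

# Constructed: a genuine per-number lookup shares no records between people.
GENUINE_RESULTS = {
    "+919876500001": [CallRecord("+915555555555", "Sunil", "2026-04-01 08:00", 60)],
    "+919876500002": [CallRecord("+916666666666", "Meera", "2026-04-02 10:30", 200)],
}

def shared_record_ratio(results):
    """Fraction of distinct records that appear under more than one queried number."""
    seen_in = Counter()
    for history in results.values():
        for record in set(history):      # count each record once per query
            seen_in[record] += 1
    if not seen_in:
        return 0.0
    return sum(1 for n in seen_in.values() if n > 1) / len(seen_in)

def looks_fabricated(results, threshold=0.5):
    """True when most records recur across unrelated numbers, the signature of
    a hardcoded list rather than any real per-number call data."""
    return len(results) >= 2 and shared_record_ratio(results) >= threshold
```

The check needs results for at least two different numbers, since a single query cannot show recurrence.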
The UPI Payment Fraud Trap That Made Refunds Messy
Here’s where things got especially tricky for victims of this Indian Android scam. Most apps gave users three ways to pay:
- Google Play’s official billing system — subscriptions here were canceled once the apps were removed.
- Third-party UPI apps — payment links were sometimes fetched live from a Firebase database, so scammers could swap accounts anytime.
- In-app card payment forms — entered directly inside the app.
The last two methods violated Google Play’s own payments policy. And critically, payments made through UPI apps or direct card entry fall completely outside Google’s refund system. Those users have to chase the payment provider or the developer themselves — easier said than done when the developer is a scam operation.

Some apps also sent fake email-style notifications claiming results were ready, only to redirect users straight to a subscription screen when tapped.
Who Got Hit by the 7 Million Downloads Scam
ESET’s investigation, published on May 7, 2026, found 28 separate apps in the CallPhantom cluster. One app alone accounted for over 3 million of the 7.3 million total downloads. The campaign mostly targeted Android users in India and the broader Asia-Pacific region — many apps came with India’s +91 country code pre-filled and supported UPI payments.

More than 53% of all CallPhantom detections worldwide came from India. Negative reviews piled up in the Play Store, with victims openly saying they paid and got nothing. But a handful of glowing (and likely fake) reviews helped the apps look credible long enough to keep growing.
ESET first spotted the activity through a Reddit post in November 2025 and reported the full list to Google on December 16, 2025. All 28 apps have since been taken down.
What This Says About Google Play Malware in 2026
We know that app store reviews aren’t foolproof. The ESET CallPhantom case is a textbook example of how a scam doesn’t need fancy hacking to cause real harm at scale. These apps had clean interfaces, no suspicious permissions, and believable names. That’s all it took to hit 7.3 million downloads.
It also fits a wider trend of mobile fraud targeting emerging markets, alongside a steady stream of data breaches. This month we covered how hackers stole students’ data in a breach at education tech giant Instructure Canvas, a reminder that user data can be exposed very easily, particularly on large-scale platforms. But exposure doesn’t always take a hack. Sometimes it’s just a well-packaged lie.
The MITRE ATT&CK mapping ESET published also showed the apps used Firebase Cloud Messaging to talk to their operators, letting them push updated payment URLs remotely without ever updating the app itself. That kind of flexibility is what helped them stay ahead of easy detection.
How You Can Protect Yourself From Fake Android App Subscription Scams
A few things worth keeping in mind when downloading apps that promise access to private or sensitive data:
- If it sounds too invasive to be legal, it probably is. No app can legally retrieve another person’s call history without carrier-level access. Full stop.
- Check permissions before paying. CallPhantom apps requested no sensitive permissions — a red flag that they couldn’t deliver what they promised.
- Stick to Google Play billing when you can. It’s not perfect, but it gives you a cleaner path to a refund if something goes wrong.
- Read the bad reviews first. Victims left clear warnings across these listings. We tend to skim reviews — don’t.
If you think you downloaded one of these apps, check your subscriptions under your Google Play profile (Payments and subscriptions) and contact your payment provider directly if you paid through UPI or an in-app card form.
The post Google Play’s Fake Call History Apps Hit Payments From 7M Users appeared first on Memeburn.