May 8, 2026

There’s an app for everything these days… right? Well, looking up call records for a phone number of choice is not one of those things, as probably thousands and thousands of Android users found out after paying for app subscriptions promising just that.

The offending apps, which we named CallPhantom based on their false claims, purport to provide access to call histories, SMS records, and even WhatsApp call logs for any phone number. To unlock this supposed feature, users are asked to pay – but all they get in return is randomly generated data.

Our investigation identified 28 such fraudulent apps available on the Google Play store, cumulatively downloaded more than 7.3 million times. As an App Defense Alliance partner, we reported our findings to Google, which removed all the apps identified in this report from Google Play.

Key points of this blogpost:

  • A new Android scam, CallPhantom, falsely claims to provide access to call logs, SMS records, and WhatsApp call history for any phone number in exchange for payment.
  • We identified and reported 28 CallPhantom apps on Google Play, cumulatively downloaded more than 7.3 million times.
  • Some CallPhantom apps sidestep Google Play’s official billing system, complicating victims’ refund efforts.

Investigation

In November 2025, we came across a Reddit post discussing an app named Call History of Any Number, found on Google Play. The app, shown in Figure 1, claims that it can retrieve the call history of any phone number supplied by the user. It was published under the developer name Indian gov.in, but the app has no real affiliation with the Indian government.

Figure 1. Call History of Any Number app on Google Play

Unsurprisingly, our analysis showed that the “call history” data provided by this app is entirely fabricated – the app generates random phone numbers and matches them with fixed names, call times, and call durations, which were embedded directly in the code, as shown in Figure 2. This fake data is then presented to victims – but only after payment.

Figure 2. Hardcoded call log data used by the app

A screenshot of the fabricated call history data was even included in the app’s listing, presented as an illustration of the app’s functionality, as shown in Figure 3.

Figure 3. Screenshots from Google Play seemingly demonstrating the fraudulent app’s functionality; the logs are randomly generated from hardcoded data

Further research revealed more, related apps available on the Play Store – 28 CallPhantom apps altogether. We reported the full set of fraudulent apps to Google on December 16th, 2025. At the time of publication, all of the reported apps have been removed from the store.

Despite visual differences, which can be seen in Figure 4 and Figure 5, the purpose of the apps is the same: generate fake communication data and charge victims for access. The table in the Analyzed CallPhantom apps section lists each app along with its key details, including the download count.

Figure 4. Examples of CallPhantom apps found on the Play Store
Figure 5. Examples of CallPhantom initial screens

Campaign overview

The CallPhantom apps we found on Google Play primarily targeted Android users in India and the broader Asia‑Pacific region. Many of the apps came with India’s +91 country code preselected and support UPI, a payment system used primarily in India.

The apps had garnered numerous negative reviews, with victims reporting that they had been scammed and never received the promised data, as can be seen in Figure 6.

Figure 6. Negative reviews for one of the fraudulent apps

It isn’t clear how the apps were distributed or promoted. Presumably, by seemingly offering insight into private information, the scammers successfully took advantage of people’s curiosity. Combined with a number of glowing (fake) reviews, it might have seemed like an intriguing offer.

CallPhantom overview

In our investigation, we identified two main clusters of these fraudulent apps.

The apps in the first cluster contain hardcoded names, country codes, and templates in their code, as shown in Figure 7. These are combined with randomly generated phone numbers and shown to the user as partial “results”. To view the full (fake) history, the victim has to pay.

Figure 7. Code responsible for generating messages

The apps in the second cluster ask users to enter an email address where the “retrieved” call history would supposedly be delivered, as seen in the screenshots in Figure 8. No data generation occurs until after payment; users must pay or subscribe before any email would supposedly be sent.

Figure 8. CallPhantom requests the user’s email address where call logs would supposedly be delivered

In general, CallPhantom apps have a simple user interface and don’t request any intrusive or sensitive permissions – they don’t need to. Coincidentally, they don’t contain any functionality capable of retrieving real call, SMS, or WhatsApp data.

In the CallPhantom apps we analyzed, we observed three different payment methods used, the latter two of which are in violation of Google Play’s payments policy.

First, some of the apps relied on subscriptions via Google Play’s official billing system. This is required of apps offering in-app purchases, per Google Play’s payments policy; such purchases are covered by Google’s refund protection.

Second, some of the apps relied on payments via third-party apps that support UPI. For these third-party payment apps, CallPhantom apps either included hardcoded URLs or fetched the URLs dynamically from a Firebase realtime database, meaning the payment account could be changed at any time by the operator.

Third, in some cases, payment card checkout forms were included directly in the CallPhantom apps.

Examples of the payment methods can be seen in Figure 9.

Figure 9. Various payment options used by CallPhantom apps
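
A static triage check for the traits described above, as an added example that is not ESET's code or part of the original post: it flags an app that advertises call data without requesting call or SMS permissions, carries a UPI payee, or references a Firebase realtime database. The upi://pay deep-link form, the function name triage, and all sample inputs are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions needed to read even the local device's call log or SMS store.
DATA_PERMS = {"android.permission.READ_CALL_LOG", "android.permission.READ_SMS"}
CLAIM_RE = re.compile(r"call\s+(history|details?|logs?)", re.I)
# Assumption: payment URLs are standard UPI deep links (upi://pay?pa=...).
UPI_RE = re.compile(r"upi://pay\?[^\s\"'<>]+", re.I)
RTDB_RE = re.compile(r"\b[a-z0-9-]+\.firebaseio\.com\b", re.I)


def triage(manifest_xml, strings):
    """Report CallPhantom-style traits in a decoded manifest and string dump."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    blob = "\n".join(strings)
    payees = set()
    for link in UPI_RE.findall(blob):
        # "pa" carries the payee address that receives the money.
        payees.update(parse_qs(urlsplit(link).query).get("pa", []))
    found = {
        "claims_call_data": bool(CLAIM_RE.search(blob)),
        "data_permissions": sorted(perms & DATA_PERMS),
        "upi_payees": sorted(payees),
        "rtdb_hosts": sorted({h.lower() for h in RTDB_RE.findall(blob)}),
    }
    flags = []
    if found["claims_call_data"] and not found["data_permissions"]:
        flags.append("advertises call data but requests no call/SMS permission")
    if found["upi_payees"]:
        flags.append("hardcoded UPI payee, payment bypasses Play billing")
    if found["rtdb_hosts"]:
        flags.append("Firebase RTDB reference, payment target may be remote")
    found["flags"] = flags
    return found


# Constructed sample input, not taken from any real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
SAMPLE_STRINGS = [
    "Get call history of any number",
    "upi://pay?pa=merchant@examplebank&pn=Sample&am=399&cu=INR",
    "https://constructed-sample-default-rtdb.firebaseio.com/pay.json",
]

if __name__ == "__main__":
    for flag in triage(SAMPLE_MANIFEST, SAMPLE_STRINGS)["flags"]:
        print("FLAG:", flag)
```

The manifest is expected as decoded XML text and the strings as a dump from the decompiled app; a flag is a reason to look closer, not a verdict.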

In one case, we observed an additional tactic used to coax the user into paying: if the user exited the app without payment, the app displayed deceptive alerts styled as new emails claiming that the call history results had arrived – see Figure 10. Clicking the notification led straight to a subscription screen.

Figure 10. Deceptive notification displayed by CallPhantom to persuade users to subscribe

The fees requested for the fake service vary widely across the apps. The apps also appear to offer different subscription packages, such as weekly, monthly, or yearly services, with the highest requested price sitting at US$80. For the lowest “subscription tier”, the average requested price was €5.

What to do if you have been scammed

In general, subscriptions purchased through the official Google Play billing system can be canceled in the Play Store app by tapping your profile icon, navigating to Payments & subscriptions → Subscriptions, selecting the active subscription, and tapping Cancel subscription. Google explains the full process on its Cancel, pause, or change a subscription on Google Play page.

For the 28 apps described in this blogpost, existing subscriptions were canceled when the apps were removed from Google Play.

In some cases, refunds for Google Play purchases are possible. Google may issue a refund depending on the time since purchase, the type of item, and its refund policy. In general, requests must be made within the allowed refund window as described on Google’s support page.

If the purchase was made outside Google Play – for example, by entering payment card details inside the app or by paying through third‑party services – then Google can’t cancel the subscription or issue a refund, and users must contact the payment provider or the app developer directly.

Conclusion

We identified a new cluster of fraudulent Android apps on Google Play that collectively amassed over 7.3 million downloads before being taken down upon notification by ESET. These apps, which we collectively named CallPhantom, falsely promise to retrieve call logs, SMS records, and WhatsApp call history for any phone number, a technically impossible claim designed solely to exploit people’s curiosity and mislead them into paying.

Many of the apps circumvented Google Play’s official billing system, pushing users toward third‑party payments or direct card entry, complicating refund efforts and exposing victims to financial risk.

Our analysis revealed that the “results” shown to victims are entirely fabricated, often using hardcoded Indian numbers, predefined names, and generated timestamps disguised as real communication data.

Users who subscribed via official Google Play billing may be eligible for refunds under Google’s refund policies. Purchases made via third‑party payment apps or through direct payment card entry can’t be refunded by Google, leaving users dependent on external payment providers or developers.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

Analyzed CallPhantom apps

App name | Package name | Number of downloads
Call history : any number deta | calldetaila.ndcallhisto.rytogetan.ynumber | 3M+
Call History of Any Number | com.pixelxinnovation.supervisor | 1M+
Call Details of Any Number | com.app.name.element.historical past | 1M+
Call History Any Number Detail | sc.name.ofany.mobiledetail | 500K+
Call History Any Number Detail | com.cddhaduk.callerid.block.contact | 500K+
Call History Of Any Number | com.basehistory.historydownloading | 500K+
Call History of Any Numbers | com.name.of.any.quantity | 100K+
Call History Of Any Number | com.rajni.callhistory | 100K+
Call History Any Number Detail | com.callhistory.calldetails.callerids.callerhistory.callhostoryanynumber.getcall.history.callhistorymanager | 100K+
Call History Any Number Detail | com.callinformative.instantcallhistorical past.callhistorybluethem.callinfo | 100K+
Call History Any Number detail | com.name.element.caller.historical past | 100K+
Call History Any Number Detail | com.anycallinformation.datadetailswho.callinfo.numberfinder | 100K+
Call History Any Number Detail | com.callhistory.callhistoryyourgf | 100K+
Call History Any Number | com.calldetails.smshistory.callhistoryofanyquantity | 50K+
Call History Any Number Detail | com.callhistory.anynumber.chapfvor.historical past | 50K+
Call History of Any Number | com.callhistory.callhistoryany.name | 50K+
Call History Any Number Detail | com.identify.issue | 50K+
Call History Of Any Number | com.getanynumberofcallhistory.callhistoryofanynumber.findcalldetailsofanynumber | 50K+
Call History Of Any Number | com.chdev.callhistory | 10K+
Phone Call History Tracker | com.telephone.name.historical past.tracker | 10K+
Call History- Any Number Deta | com.pdf.maker.pdfreader.pdfscanner | 10K+
Call History Of Any Number | com.any.numbers.calls.historical past | 10K+
Call History Any Number Detail | com.callapp.historyero | 1K+
Call History – Any Number Information | all.callhistory.element | 500+
Call History For Any Number | com.easyranktools.callhistoryforanynumber | 100+
Call History of Numbers | com.sbpinfotech.findlocationofanynumber | 100+
Call History of Any Number | callhistoryeditor.callhistory.numberdetails.calleridlocator | 50+
Call History Professional | com.all_historydownload.anynumber.callhistorybackup | 50+

IoCs

A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.


Network

IP | Domain | Hosting provider | First seen | Details
34.120.160[.]131 | call-history-7cda4-default-rtdb.firebaseio[.]com, call-history-ecc1e-default-rtdb.firebaseio[.]com | Google LLC | 2025‑05‑14 | CallPhantom C&C server.
34.120.206[.]254 | ch-ap-4-default-rtdb.firebaseio[.]com, chh1-ac0a3-default-rtdb.firebaseio[.]com | Google LLC | 2025‑04‑17 | CallPhantom C&C server.

MITRE ATT&CK techniques

This table was built using version 18 of the MITRE ATT&CK framework.

Tactic | ID | Name | Description
Command and Control | T1437.001 | Application Layer Protocol: Web Protocols | CallPhantom uses Firebase Cloud Messaging for C&C communication.
Impact | T1643 | Generate Traffic from Victim | CallPhantom tries to achieve fraudulent billing.


