Cybersecurity researchers have uncovered a large-scale Android scam operation that used fake “call history” apps to trick millions of users into paying for fabricated phone records and WhatsApp logs.

The campaign, tracked by ESET as “CallPhantom,” involved 28 fraudulent apps distributed through the Google Play Store that collectively amassed more than 7.3 million downloads before being removed. The apps falsely claimed they could provide call logs, SMS records, and WhatsApp call histories for virtually any phone number.

Instead of delivering real information, the apps generated fake datasets using hardcoded names, timestamps, phone numbers, and call durations embedded directly in the code. Researchers found no actual functionality capable of retrieving communication records from devices or telecom systems.

According to ESET researcher Lukas Stefanko, the scam first came to attention after users discussed suspicious apps on Reddit in late 2025. Further analysis revealed dozens of nearly identical apps operating under different names on Google Play.

Many of the apps targeted users in India and the broader Asia-Pacific region. Several came with India’s +91 country code preselected and supported UPI payment systems widely used in the country. ESET said India accounted for the majority of CallPhantom detections globally.

The scam relied heavily on social engineering and curiosity-driven marketing. Apps displayed partial fake results to convince users the service worked, then demanded payment to unlock “full” call histories. Subscription plans ranged from approximately $6 to $80, depending on the app and payment model.

Researchers identified two main operational methods. One group of apps instantly displayed fabricated call logs generated from hardcoded templates. Another requested an email address and claimed the full report would be delivered later after payment. In some cases, users received fake notification alerts pressuring them to subscribe before their “results” expired.

The apps also used multiple payment systems to complicate refunds. Some relied on Google Play billing, while others bypassed official payment channels entirely using third-party UPI apps or embedded payment card forms inside the apps themselves. ESET said the latter methods violated Google Play policies and made reimbursement significantly harder for victims.

Despite their deceptive claims, the apps notably requested very few sensitive permissions. Researchers said this was because the software never actually attempted to access call histories or private device data. Instead, the entire scam revolved around fabricated information designed solely to generate subscription revenue.
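The gap between what these apps advertised and what they were permitted to do can be checked mechanically during app triage. The following is an added example, not code from ESET or from the original article: it compares a store listing's claims against the permissions declared in a decoded `AndroidManifest.xml`. The keyword list, function names, sample listing, and sample manifest are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Claim pattern -> Android permission an app needs to read that data from
# the local device at all. The permission names are real; the keyword
# patterns are an assumption chosen for this example.
CLAIM_PERMISSIONS = {
    r"call (history|log)": "android.permission.READ_CALL_LOG",
    r"\bsms\b": "android.permission.READ_SMS",
}

def declared_permissions(manifest_xml):
    """Collect android:name of every <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def claim_mismatches(listing_text, manifest_xml):
    """Return (claim pattern, missing permission) pairs for advertised
    capabilities that the manifest cannot support."""
    perms = declared_permissions(manifest_xml)
    text = listing_text.lower()
    return [(pat, perm) for pat, perm in CLAIM_PERMISSIONS.items()
            if re.search(pat, text) and perm not in perms]

# Constructed sample input, not taken from any real app.
SAMPLE_LISTING = "Get call history and SMS records of any number instantly!"
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
</manifest>"""

if __name__ == "__main__":
    for pat, perm in claim_mismatches(SAMPLE_LISTING, SAMPLE_MANIFEST):
        print(f"listing matches /{pat}/ but {perm} is not declared")
```

A mismatch is a triage signal, not a verdict. The reverse does not hold either: no device permission gives an app access to another person's call or message records, so declaring these permissions would not make an "any number" claim genuine.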

Google removed the identified apps after ESET reported the campaign through the App Defense Alliance program. Users who paid through Google Play billing may still qualify for refunds depending on Google’s refund policies and timing windows. Victims who used external payment systems may need to contact their banks or payment providers directly.

Security researchers warn that the operation highlights the continued difficulty of policing fraudulent apps at scale, even inside official app stores. The campaign also demonstrates how scammers increasingly exploit invasive or ethically questionable user interests to drive downloads and payments.

Experts recommend avoiding apps that claim to provide access to private communications belonging to other people, as such services are almost always fraudulent, illegal, or both. Users are also advised to carefully review developer histories, permissions, and app reviews before downloading software from app marketplaces.
