There\u2019s an app for all the pieces these days\u2026 proper? Effectively, wanting up name data for a cellphone variety of selection is not<\/em> a type of issues, as doubtlessly hundreds of thousands of Android customers came upon after paying for app subscriptions promising simply that.<\/p>\n The offending apps, which we named CallPhantom primarily based on their false claims, purport to supply entry to name histories, SMS data, and even WhatsApp name logs for any<\/em> cellphone quantity. To unlock this supposed characteristic, customers are requested to pay \u2013 however all they get in return is randomly generated information.<\/p>\n Our investigation recognized 28 such fraudulent apps out there on the Google Play retailer, cumulatively downloaded greater than 7.3 million occasions. As an App Protection Alliance associate, we reported our findings to Google, which eliminated all the apps recognized on this report from Google Play.<\/p>\n Key factors of this blogpost:<\/strong><\/p>\n In November 2025, we got here throughout a Reddit submit<\/a> discussing an app named Name Historical past of Any Quantity, discovered on Google Play. The app, proven in Determine 1, claims that it might probably retrieve the decision historical past of any cellphone quantity equipped by the person. It was revealed below the developer identify Indian gov.in<\/span>, however the app has no actual affiliation with the Indian authorities.<\/p>\n Unsurprisingly, our evaluation confirmed that the \u201cname historical past\u201d information offered by this app is totally fabricated \u2013 the app generates random cellphone numbers and matches them with fastened names, name occasions, and name durations, which had been embedded instantly within the code, as proven in Determine\u00a02. This faux information is then offered to victims \u2013 however solely after fee.<\/p>\n A screenshot of the fabricated name historical past information was even included within the app\u2019s itemizing, offered as an illustration of the app\u2019s performance, as proven in Determine\u00a03.<\/p>\n Additional analysis revealed extra, associated apps out there on the Play Retailer \u2013 28 CallPhantom apps altogether. We reported the total set of fraudulent apps to Google on December 16th<\/sup>, 2025. On the time of publication, all of the reported apps have been faraway from the shop.<\/p>\n Regardless of visible variations, which will be seen in Determine\u00a04 and Determine\u00a05, the aim of the apps is equivalent: generate faux communication information and cost victims for entry. The desk within the Analyzed CallPhantom apps<\/a> <\/em>part lists every app together with its key particulars, together with the obtain rely.<\/p>\n The CallPhantom apps we discovered on Google Play primarily focused Android customers in India and the broader Asia\u2011Pacific area. Lots of the apps got here with India\u2019s +91 nation code preselected and assist UPI<\/a>, a fee system used primarily in India.<\/p>\n The apps had garnered quite a few unfavorable critiques, with victims reporting that they had been scammed and by no means obtained the promised information, as will be seen in Determine\u00a06.<\/p>\n It’s not clear how the apps had been distributed or promoted. Presumably, by seemingly providing perception into personal data, the scammers efficiently took benefit of individuals\u2019s curiosity. Mixed with a couple of glowing (faux) critiques, it may need appeared like an intriguing supply.<\/p>\n In our investigation, we recognized two fundamental clusters of those fraudulent apps.<\/p>\n The apps within the first cluster<\/strong> comprise hardcoded names, nation codes, and templates of their code, as proven in Determine\u00a07. These are mixed with randomly generated cellphone numbers and proven to the person as partial \u201coutcomes\u201d. To view the total (faux) historical past, the sufferer has to pay.<\/p>\n The apps within the second cluster<\/strong> ask customers to enter an e-mail deal with the place the \u201cretrieved\u201d name historical past would supposedly be delivered, as seen within the screenshots in Determine\u00a08. No information era happens till after fee; customers must pay or subscribe earlier than any e-mail would supposedly be despatched.<\/p>\n Usually, CallPhantom apps have a easy person interface and don’t request any intrusive or delicate permissions \u2013 they don\u2019t must. Coincidentally, they don’t comprise any performance able to retrieving actual name, SMS, or WhatsApp information.<\/p>\n Within the CallPhantom apps we analyzed, we noticed three totally different fee strategies used, the latter two of that are in violation of Google Play\u2019s funds coverage<\/a>.<\/p>\n First, a few of the apps relied on subscriptions through Google Play\u2019s official billing system. That is required of apps providing in-app purchases, per Google Play\u2019s funds coverage; such purchases are lined by Google\u2019s refund safety<\/a>.<\/p>\n Second, a few of the apps relied on funds through third-party apps that assist UPI. For these third-party fee apps, CallPhantom apps both included hardcoded URLs or fetched the URLs dynamically from a Firebase realtime database, that means the fee account might be modified at any time by the operator.<\/p>\n Third, in some instances, fee card checkout types had been included instantly within the CallPhantom apps.<\/p>\n Examples of the fee strategies will be seen in Determine\u00a09.<\/p>\n In a single case, we noticed an extra tactic used to coax the person into paying: if the person exited the app with out fee, the app displayed misleading alerts styled as new emails claiming that the decision historical past outcomes had arrived \u2013 see Determine\u00a010. Clicking the notification led straight to a subscription display screen.<\/p>\n The charges requested for the faux service differ broadly throughout the apps. The apps additionally seem to supply totally different subscription packages, reminiscent of weekly, month-to-month, or yearly providers, with the best requested worth sitting at US$80. For the bottom \u201csubscription tier\u201d, the common requested worth was \u20ac5.<\/p>\n Usually, subscriptions bought by the official Google Play billing system will be canceled within the Play Retailer app by tapping your profile icon, navigating to Funds & subscriptions \u2192 Subscriptions, choosing the lively subscription, and tapping Cancel subscription. Google explains the total course of on its Cancel, pause, or change a subscription on Google Play<\/a> web page.<\/p>\n For the 28 apps described on this blogpost, present subscriptions have been canceled when the apps had been faraway from Google Play.<\/p>\n In some instances, refunds for Google Play purchases are doable. Google might concern a refund relying on the time since buy, the kind of merchandise, and its refund coverage. Usually, requests have to be made inside the allowed refund window as described on Google\u2019s assist web page<\/a>.<\/p>\n If the acquisition was made exterior Google Play \u2013 for instance, by coming into fee card particulars contained in the app or by paying by third\u2011celebration providers \u2013 then Google can’t cancel the subscription or concern a refund, and customers must contact the fee supplier or the app developer instantly.<\/p>\n We recognized a brand new cluster of fraudulent Android apps on Google Play that collectively amassed over 7.3 million downloads earlier than being taken down upon notification by ESET. These apps, which we collectively named CallPhantom, falsely promise to retrieve name logs, SMS data, and WhatsApp name historical past for any cellphone quantity, a technically unimaginable declare designed solely to use individuals\u2019s curiosity and mislead them into paying.<\/p>\n Lots of the apps circumvented Google Play\u2019s official billing system, pushing customers towards third\u2011celebration funds or direct card entry, complicating refund efforts and exposing victims to monetary threat.<\/p>\n Our evaluation revealed that the \u201coutcomes\u201d proven to victims are totally fabricated, usually utilizing hardcoded Indian numbers, predefined names, and generated timestamps disguised as actual communication information.<\/p>\n Customers who subscribed through official Google Play billing could also be eligible for refunds below Google\u2019s refund insurance policies. Purchases made through third\u2011celebration fee apps or by direct fee card entry can’t be refunded by Google, leaving customers depending on exterior fee suppliers or builders.<\/p>\n\n
\n
Investigation<\/h2>\n
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/05-26\/callphantom\/figure-1.jpg\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/05-26\/callphantom\/figure-2.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/05-26\/callphantom\/figure-3.jpg\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/05-26\/callphantom\/figure-4.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/05-26\/callphantom\/figure-5.jpg\" "\\"Figure")
Marketing campaign overview<\/h2>\n
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/05-26\/callphantom\/figure-6.png\" "\\"Figure")
CallPhantom overview<\/h2>\n
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/05-26\/callphantom\/figure-7.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/05-26\/callphantom\/figure-8.jpg\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/05-26\/callphantom\/figure-9.jpg\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/05-26\/callphantom\/figure-10.png\" "\\"Figure")
What to do you probably have been scammed<\/h2>\n
Conclusion<\/h2>\n
\n
Analyzed CallPhantom apps<\/h2>\n
![\"\"](\"https:\/\/web-assets.esetstatic.com\/wls\/eti-eset-threat-intelligence.png\")
<\/a><\/p>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"