07.05.2026
4 min
197
Dozens of Android apps were discovered on Google Play that promised to show someone else’s call history, SMS, and WhatsApp activity. In reality, the services simply generated fake data and scammed people through paid subscriptions.
The ESET research team has identified a large-scale CallPhantom campaign in which numerous Android-based apps on Google Play marketed themselves as providers of services to view the call log history of others, SMS logs and WhatsApp logs. In fact, when a customer viewed his or her own call log history via one of these programs, he/she would see fictional entries; the primary purpose of each program was to sell an expensive subscription service to its customers.
ESET researchers located 28 apps, that together had been downloaded over 7.3 million times. One app exceeded 3 million downloads prior to it being removed from Google Play. The majority of users targeted by the CallPhantom campaign resided in either India, or some other country within the Asia Pacific area.
Lukasz Stefanko, an ESET Researcher stated that all of these applications indicated they provided access to the call log of any telephone number (for example: 123-456-7890), as well as SMS records and even logs of calls made using WhatsApp. When a person entered a telephone number, they were then prompted to purchase a subscription to “unlock” the telephone number related information. However, after making payment, the individual received random numbers/letters that were intended to appear like legitimate telephone number-related information.
“The rogue apps we have labeled as CallPhantom, based upon their false claims, purport to offer access to call logs, SMS logs and also WhatsApp call logs for any telephone number,” Stefanko said.”
A variety of the discovered applications (there were over dozens) had nearly the same name, like “Call History of Any Number”, “Call Details of Any Number”, “Phone Call History Tracker” etc. Another application was even released using the official “Indian gov.in” logo, to look like the government’s program and attract trust.
It turned out that none of the discovered applications could access information about the calls or messages of other people. All the “call histories” presented in the apps were created artificially. Users saw fixed names, random phone numbers and fake call logs after making payment.
A few of the applications used another strategy. In order to view the “detailed call history” of a particular phone number, you needed to provide your e-mail address. However, in practice, only after the payment was received, there appeared an opportunity to access the “data”. Moreover, the results displayed after the payment were completely artificial.
As for how the developers collected funds from the users, the methods differed. Some apps used Google’s subscription system. Others simply bypassed the store’s policies and required payment using third-party UPI services, such as Google Pay, PhonePe, Paytm. Some apps allowed users to input their credit card details right inside the app. This is an absolute violation of Google’s policy.
One more time we will see examples of psychological manipulation. When a user closes the app without purchasing anything, he receives a fake message saying that his call history has been “sent successfully” to his e-mail. And if a person clicks on this notification, then he is redirected to purchase the subscription again.
Price ranges for subscribing to apps greatly varied. Subscription fees ranged from six dollars to eighty dollars. Therefore, ESET recommends checking all active subscriptions installed in your device and canceling them.
To be honest, most of the apps didn’t ask for dangerous permissions. Their interface was also rather simple. As a result, they remained undetected for quite some time and gave off the impression of being harmless services.
In addition, ESET pointed out that users who purchased subscriptions using the official Google Play store may attempt to obtain a refund under Google’s refund policy. However, users who purchased subscriptions through third-party services or entered card details directly into the apps are now at the mercy of either the payment provider or developers.
Against the backdrop of this article, Group-IB reports yet another major financial attack in Indonesia. At least two million dollars were stolen by hackers posing as the Indonesian state tax platform CoreTax and other well-known brands.
This campaign has been ongoing since July 2015 at least. It involved phishing websites; social engineering via WhatsApp; installation of malicious APK files; voice phishing and other schemes.
Group-IB experts say that users were forced to download fake Android apps that put Gigabud RAT, MMRat, and Taotie malware onto their mobile phones. These malware families allow hackers to collect personal data from users’ phones, download additional malicious components and use users’ bank cards and login credentials to make unauthorized transactions.
Researchers emphasize that the hackers’ infrastructure did not belong solely to one brand. Experts say that attackers used no less than 16 popular services and platforms when attempting to reach as many potential victims as possible in Indonesia – where around 287 million citizens live.
