How CallPhantom tricks Android users

There’s an app for everything nowadays… right? Well, looking up call records for a phone number of choice is not one of those things, as potentially millions of Android users found out after paying for app subscriptions promising just that.

The offending apps, which we named CallPhantom based on their false claims, purport to provide access to call histories, SMS records, and even WhatsApp call logs for any phone number. To unlock this supposed feature, users are asked to pay – but all they get in return is randomly generated data.

Our investigation identified 28 such fraudulent apps available on the Google Play store, cumulatively downloaded more than 7.3 million times. As an App Defense Alliance partner, we reported our findings to Google, which removed all of the apps identified in this report from Google Play.

Key points of this blogpost:

  • A new Android scam, CallPhantom, falsely claims to provide access to call logs, SMS records, and WhatsApp call history for any phone number in exchange for payment.
  • We identified and reported 28 CallPhantom apps on Google Play, cumulatively downloaded more than 7.3 million times.
  • Some CallPhantom apps sidestep Google Play’s official billing system, complicating victims’ refund efforts.

Investigation

In November 2025, we came across a Reddit post discussing an app named Call History of Any Number, found on Google Play. The app, shown in Figure 1, claims that it can retrieve the call history of any phone number supplied by the user. It was published under the developer name Indian gov.in, but the app has no real association with the Indian government.

Figure 1. Call History of Any Number app on Google Play
Figure 1. Call History of Any Number app on Google Play

Unsurprisingly, our analysis showed that the “call history” data provided by this app is entirely fabricated – the app generates random phone numbers and matches them with fixed names, call times, and call durations, which were embedded directly in the code, as shown in Figure 2. This fake data is then presented to victims – but only after payment.

Figure 2. Hardcoded call log data used by the app
Figure 2. Hardcoded call log data used by the app

A screenshot of the fabricated call history data was even included in the app’s listing, presented as a demonstration of the app’s functionality, as shown in Figure 3.

Figure 3. Screenshots from Google Play
Figure 3. Screenshots from Google Play seemingly demonstrating the fraudulent app’s functionality; the logs are randomly generated from hardcoded data

Further research revealed additional, related apps available on the Play Store – 28 CallPhantom apps altogether. We reported the full set of fraudulent apps to Google on December 16th, 2025. At the time of publication, all the reported apps have been removed from the store.

Despite visual differences, which can be seen in Figure 4 and Figure 5, the purpose of the apps is identical: generate fake communication data and charge victims for access. The table in the Analyzed CallPhantom apps section lists each app along with its key details, including the download count.

Figure 4. Examples of CallPhantom apps found on the Play Store
Figure 4. Examples of CallPhantom apps found on the Play Store

Figure 5. Examples of CallPhantom initial screens
Figure 5. Examples of CallPhantom initial screens

Campaign overview

The CallPhantom apps we found on Google Play mainly targeted Android users in India and the broader Asia‑Pacific region. Many of the apps came with India’s +91 country code preselected and support UPI, a payment system used primarily in India.

The apps had garnered numerous negative reviews, with victims reporting that they were scammed and never received the promised data, as can be seen in Figure 6.

Figure 6. Negative reviews for one of the fraudulent apps
Figure 6. Negative reviews for one of the fraudulent apps

It is not clear how the apps were distributed or promoted. Presumably, by seemingly offering insight into private information, the scammers successfully took advantage of people’s curiosity. Combined with a few glowing (fake) reviews, it might have seemed like an intriguing offer.

CallPhantom overview

In our investigation, we identified two main clusters of these fraudulent apps.

The apps in the first cluster contain hardcoded names, country codes, and templates in their code, as shown in Figure 7. These are combined with randomly generated phone numbers and shown to the user as partial “results”. To view the full (fake) history, the victim has to pay.

Figure 7. Code responsible for generating messages
Figure 7. Code responsible for generating messages

The apps in the second cluster ask users to enter an email address where the “retrieved” call history would supposedly be delivered, as seen in the screenshots in Figure 8. No data generation occurs until after payment; users have to pay or subscribe before any email would supposedly be sent.

Figure 8. CallPhantom requests the user’s email address
Figure 8. CallPhantom requests the user’s email address where call logs would supposedly be delivered

In general, CallPhantom apps have a simple user interface and do not request any intrusive or sensitive permissions – they don’t need to. Coincidentally, they do not contain any functionality capable of retrieving real call, SMS, or WhatsApp data.

In the CallPhantom apps we analyzed, we saw three different payment methods used, the latter two of which are in violation of Google Play’s payments policy.

First, some of the apps relied on subscriptions via Google Play’s official billing system.

Apps offering in-app purchases must comply with Google Play’s payments policy and provide refund protection to users. Some CallPhantom apps utilized third-party payment apps for transactions, with payment account details being changeable by the operator. Additionally, some apps included payment card checkout forms within the app itself. Various payment options used by CallPhantom apps can be viewed in Figure 9.

In an attempt to coerce users into paying, one tactic involved displaying deceptive alerts styled as new emails when users exited the app without payment, leading them to a subscription screen upon clicking the notification (see Figure 10). The fees for the fake service varied across apps, with different subscription packages offered at different prices.

If a user has been scammed, subscriptions purchased through Google Play’s official billing system can be canceled within the Play Store app. Refunds for Google Play purchases may be possible depending on certain criteria, as explained on Google’s support page. However, if the purchase was made outside of Google Play, users must contact the payment provider or app developer for cancellation or refunds.

Overall, the CallPhantom apps on Google Play were fraudulent, misleading users with false promises and fabricated results. Users who subscribed through Google Play may be eligible for refunds, while those who used third-party payment apps or direct card entry for payment may have to seek refunds through external providers or developers.

For any inquiries about this service, visit the ESET Threat Intelligence page.

Analyzed CallPhantom apps


App name Package name Number of downloads
Call history : any number deta calldetaila.ndcallhisto.rytogetan.ynumber 3M+

IoCs

A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.

Files

Network

MITRE ATT&CK techniques

This table was built using version 18 of the MITRE ATT&CK framework.

sentence to make it more concise: “The cat jumped over the fence.” “Please do not feed the animals” as “Kindly refrain from feeding the animals.”

Leave a Reply

Your email address will not be published. Required fields are marked *