Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads
28 Fraudulent Call History Apps on Google Play Store Deceived 7.3 Million Users
TL;DR — ESET researchers identified 28 fake call history apps on Google Play Store that collectively accumulated over 7.3 million downloads before removal. The apps charged users for access to fabricated call and SMS records, with subscription costs ranging from approximately $6 to $80. Payment methods included Google Play's official system and third-party UPI apps popular in India, where the campaign primarily targeted users.
What happened
Between November 2025 and the time of publication, a campaign dubbed CallPhantom by ESET distributed fraudulent Android applications through Google's official Play Store. The 28 apps shared a common deception: they claimed to unlock access to call histories, SMS records, and WhatsApp call logs for any phone number, but delivered only randomly generated fake data after payment.
One of the 28 apps alone accounted for over 3 million downloads before removal. At least one app was published under the developer name "Indian gov.in" to build false credibility with potential victims.
The fraudulent workflow operated in multiple variants. In one approach, users were asked to make a payment to view details. In another, users entered their email address and received a deceptive notification claiming their requested data had been sent, which prompted them to click through to a subscription screen. A third variant displayed a fake notification on app exit, falsely stating that call history data had been successfully delivered to the user's email.
Payment collection occurred through three channels: Google Play Store's official subscription billing system, third-party Unified Payments Interface (UPI) apps including Google Pay, PhonePe, and Paytm, and direct payment card forms embedded in the apps. The last two payment methods violate Google's policy. Subscription costs ranged from approximately $6 to $80 depending on the app.
A critical aspect of the CallPhantom campaign is what it did not do. The apps requested no sensitive permissions and contained no actual functionality to retrieve call, SMS, or WhatsApp data. The fabricated data was hardcoded directly into the source code.
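The mismatch described above (a listing that promises call and SMS records while the manifest requests no matching permission) can be turned into a triage rule. This is an added example, not code from ESET's report or the original page; the listing phrases, sample listings and `aapt dump permissions` output are constructed, and the package names are placeholders.

```python
import re

# Real Android permission an app must declare before it can read each data type.
REQUIRED = {
    "call history": "android.permission.READ_CALL_LOG",
    "sms": "android.permission.READ_SMS",
}
# Assumed listing phrases (illustrative, not taken from the CallPhantom apps).
CLAIMS = {
    "call history": re.compile(r"\bcall\s+(?:history|logs?|details?)\b", re.I),
    "sms": re.compile(r"\b(?:sms|text\s+messages?)\b", re.I),
}
# No permission exposes another subscriber's records; READ_CALL_LOG covers
# only the log stored on the device itself.
ANY_NUMBER = re.compile(r"\bany\s+(?:phone\s+|mobile\s+)?number\b", re.I)
# Accepts both `aapt dump permissions` styles: name='X' and bare X.
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)", re.M)


def declared_permissions(aapt_output):
    return set(PERM_RE.findall(aapt_output))


def triage(listing_text, aapt_output):
    """Return (kind, detail) findings where listing claims outrun the manifest."""
    perms = declared_permissions(aapt_output)
    findings = []
    for data_type, pattern in CLAIMS.items():
        if pattern.search(listing_text) and REQUIRED[data_type] not in perms:
            findings.append(("missing_permission", REQUIRED[data_type]))
    if ANY_NUMBER.search(listing_text):
        findings.append(("impossible_claim", "records for arbitrary numbers"))
    return findings


# Constructed samples: a CallPhantom-style listing and a backup tool.
SCAM_LISTING = "Get call history of any number. SMS details sent to your email."
SCAM_AAPT = """package: com.example.placeholder
uses-permission: name='android.permission.INTERNET'
uses-permission: name='com.android.vending.BILLING'
"""
BACKUP_LISTING = "Back up your own call log and SMS to local storage."
BACKUP_AAPT = """package: com.example.backup
uses-permission: android.permission.READ_CALL_LOG
uses-permission: android.permission.READ_SMS
"""

if __name__ == "__main__":
    for name, listing, aapt in (("scam", SCAM_LISTING, SCAM_AAPT),
                                ("backup", BACKUP_LISTING, BACKUP_AAPT)):
        print(name, triage(listing, aapt))
```

A finding here is a reason to look closer at the app and its billing flow, not a verdict; the phrase patterns need tuning for the languages the listings are written in.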
Why it matters
For Android users in the MENA region and India, this campaign demonstrates a persistent gap between Google Play Store's review processes and sophisticated social engineering attacks. The scale (7.3 million downloads) indicates that credibility-building techniques (such as impersonating government domains) and simple user interfaces can bypass detection at scale.
For developers and system administrators, the campaign illustrates the risks of payment processing integrations that lack proper API enforcement. The misuse of legitimate payment apps like PhonePe and Paytm suggests these third-party services were exploited rather than malfunctioning.
For SOC analysts and fraud teams, the CallPhantom activity overlaps with a broader financially motivated ecosystem. Group-IB linked the campaign to GoldFactory, a threat cluster that began operations in July 2025 and has stolen an estimated $2 million from Indonesian users through campaigns impersonating CoreTax and other trusted services. The same infrastructure abuses more than 16 trusted brands. GoldFactory's attack chain combines phishing websites, WhatsApp-based social engineering, malicious APK sideloading, and voice phishing (vishing), deploying Android malware such as Gigabud RAT, MMRat, and Taotie for device compromise and financial theft.
Affected systems and CVEs
- Google Play Store (distribution channel)
- Android operating system (target platform)
- Google Pay (payment method abused)
- PhonePe (payment method abused)
- Paytm (payment method abused)
No CVE assigned at the time of publication.
What to do
- Verify and remove: Check your device for any of the 28 listed apps. ESET's report contains the full package name list. Remove immediately if present.
- Request refunds via Google Play: Users who subscribed through Google Play Store's official billing system may be eligible for refunds under Google's refund policies. Navigate to your Play Store account settings and review purchase history.
- Contact payment providers: Purchases made via third-party UPI apps (Google Pay, PhonePe, Paytm) or direct card payment forms cannot be refunded by Google. Contact the respective payment provider or your card issuer directly.
- Cancel subscriptions: If the app was removed from your device but the subscription remains active, cancel it through your Google Play account or the third-party payment app used.
- Monitor financial accounts: Review bank and payment app statements for unauthorized transactions. Fraudsters may attempt account takeover using harvested payment data.
- Avoid sideloading: Do not install APKs from untrusted sources, particularly those distributed via WhatsApp or email, as the GoldFactory infrastructure leverages this vector to deploy malware.
Open questions
- The source does not specify the total financial loss from the CallPhantom campaign.
- The exact number of affected users is not disclosed.
- The identities of the developers behind the 28 apps remain unknown.
- Whether all 28 apps have been completely removed or if variants persist on Play Store is unconfirmed.
- The success rate of refund requests through Google Play Store for these specific apps is not documented.
- The source does not clarify which versions of Android were targeted or whether older versions faced higher risk.
Source
Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads


