Full Report
Cybersecurity researchers have discovered fraudulent apps on the official Google Play Store for Android that falsely claimed to offer access to call histories for any phone number, only to trick users into joining a subscription that provided fake data and incurred financial loss. The 28 apps have collectively racked up more than 7.3 million downloads, with one of them alone accounting for over
Analysis Summary
# Incident Report: CallPhantom Fraudulent Android Applications
## Executive Summary
A cluster of 28 fraudulent Android applications, collectively dubbed "CallPhantom," was discovered on the official Google Play Store. These apps promised users the ability to access call and SMS histories for any phone number but were actually designed to defraud victims through fake subscriptions and unauthorized payment processing. The campaign resulted in over 7.3 million downloads, primarily targeting users in the Asia-Pacific region with fabricated data and financial loss.
## Incident Details
- **Discovery Date:** May 08, 2026 (Reported by ESET)
- **Incident Date:** Active since at least November 2025
- **Affected Organization:** Android Users (Google Play Store)
- **Sector:** Technology / Mobile Users
- **Geography:** India and Asia-Pacific (APAC) region
## Timeline of Events
### Initial Access
- **Date/Time:** Circa November 2025
- **Vector:** Social Engineering / Malicious Mobile Apps
- **Details:** Attackers uploaded 28 apps to the Google Play Store under enticing names (e.g., "Call History of Any Number") and deceptive developer names like "Indian gov.in" to establish false trust.
### Lateral Movement
- **Details:** Not applicable as this was an external fraud campaign targeting individual consumer devices rather than a corporate network breach.
### Data Exfiltration/Impact
- **Details:** Financial theft via fraudulent subscriptions and direct payment forms. Users were tricked into paying for "unlocking" call logs, only to receive randomly generated, fake data embedded in the app's source code.
### Detection & Response
- **How it was discovered:** Identified by ESET security researcher Lukáš Štefanko.
- **Response actions taken:** Google was notified, and the 28 offending applications were removed from the Google Play Store.
## Attack Methodology
- **Initial Access:** App Store Optimization (ASO) and deceptive branding on the official Google Play Store.
- **Persistence:** High download counts (7.3M+) and positive-looking (likely fake) metrics kept the apps visible on the store.
- **Privilege Escalation:** Not applicable.
- **Defense Evasion:** Deceptive developer names (e.g., "Indian gov.in") and hiding malicious billing practices behind a seemingly functional (though fake) interface.
- **Credential Access:** Some app versions required users to enter their email address.
- **Discovery:** Apps prompted users to search for phone numbers to simulate a discovery service.
- **Lateral Movement:** N/A.
- **Collection:** Payment information and email addresses entered into the apps' forms.
- **Exfiltration:** Direct transfer of funds through official Google Billing, UPI (Unified Payments Interface), and direct credit card forms.
- **Impact:** Financial loss to millions of users; dissemination of fake data.
## Impact Assessment
- **Financial:** Significant; millions of users were prompted for payments. One app alone had 3 million downloads.
- **Data Breach:** Exposure of user email addresses and potential compromise of payment card details via in-app forms.
- **Operational:** Minimal for Google, but severe for victims who lost funds.
- **Reputational:** Damage to Google Play Store's "walled garden" reputation for security.
## Indicators of Compromise
- **File Indicators (Package Names):**
  - `calldetaila.ndcallhisto.rytogetan.ynumber`
  - `com.pixelxinnovation.manager`
  - `com.app.call.detail.history`
  - `com.basehistory.historydownloading`
  - `com.pdf.maker.pdfreader.pdfscanner`
- **Behavioral Indicators:**
  - App requests payment to view third-party call records (a privacy-violating and technically impossible claim).
  - Use of non-Google payment methods (UPI, direct CC forms) within a Play Store app.
  - Developer names mimicking government entities.
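The package-name indicators above can be checked against a device's installed package list. The script below is an added example, not tooling from ESET or Google: it parses the `package:<name>` lines that `adb shell pm list packages` prints, matches them against the report's five package names, and optionally pulls the list from a connected device over adb. The sample `pm list packages` output embedded in the script is constructed for the demonstration and is not from a real device.

```python
"""Check an Android package list against the CallPhantom package-name IoCs.

Added example (not ESET's or Google's code). Assumes the package list is in
the format printed by `adb shell pm list packages`, i.e. one `package:<name>`
per line. The sample output at the bottom is constructed, not captured.
"""
import subprocess
from typing import List, Optional, Set

# Package-name indicators taken from the report's IoC section.
CALLPHANTOM_PACKAGES = frozenset({
    "calldetaila.ndcallhisto.rytogetan.ynumber",
    "com.pixelxinnovation.manager",
    "com.app.call.detail.history",
    "com.basehistory.historydownloading",
    "com.pdf.maker.pdfreader.pdfscanner",
})


def parse_pm_list(output: str) -> Set[str]:
    """Parse `pm list packages` output into a set of package names.

    Lines look like `package:<name>`; blank or malformed lines are ignored
    so a partially garbled capture does not abort the check.
    """
    packages: Set[str] = set()
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name = line[len("package:"):].strip()
        if name:
            packages.add(name)
    return packages


def find_callphantom(installed: Set[str], indicators=CALLPHANTOM_PACKAGES) -> List[str]:
    """Return the installed package names that match the indicator set, sorted."""
    return sorted(installed & indicators)


def scan_device(serial: Optional[str] = None) -> List[str]:
    """Pull the package list from a connected device over adb and check it.

    Requires adb on PATH and a device with USB debugging enabled; pass the
    device serial when more than one device is attached.
    """
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", "pm", "list", "packages"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return find_callphantom(parse_pm_list(out))


# Constructed sample in `pm list packages` format; two of the entries are IoCs.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome
package:com.app.call.detail.history
package:com.google.android.gms

package:com.pdf.maker.pdfreader.pdfscanner
package:com.example.notes
"""

if __name__ == "__main__":
    hits = find_callphantom(parse_pm_list(SAMPLE_PM_OUTPUT))
    if not hits:
        print("no CallPhantom package indicators found")
    for pkg in hits:
        # `adb uninstall <package>` removes the app; the report's recovery
        # advice is to uninstall and then review subscriptions and card charges.
        print(f"FLAGGED: {pkg}  (remove with: adb uninstall {pkg})")
```

Running the script as-is checks only the constructed sample; call `scan_device()` with a device attached to check a real package list. Matching is on exact package names, so a repackaged variant under a new name would not be caught; the behavioral indicators above (payment requests for third-party call records, non-Google payment forms, government-mimicking developer names) remain the signal for those.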
## Response Actions
- **Containment:** Google removed all 28 identified applications from the Play Store.
- **Eradication:** ESET published a report identifying the "CallPhantom" activity and raising awareness of it.
- **Recovery:** Users are advised to uninstall the apps and contact their banks for fraudulent charge reversals.
## Lessons Learned
- **Key Takeaways:** Official app stores still host sophisticated fraud campaigns despite automated scanning.
- **What could have been done better:** Verification of developer names like "Indian gov.in" should be more stringent to prevent impersonation of government authorities.
## Recommendations
- **Avoid "Magic" Apps:** Educate users that apps claiming to provide private data of other people (call logs, SMS) are inherently fraudulent.
- **Verify Developers:** Users should check the developer's reputation and official website before downloading.
- **Strict Payment Compliance:** Google should increase monitoring for third-party payment gateways (UPI/Direct Card) that bypass Official Play Store Billing.
- **Defang/Uninstall:** Users who downloaded these apps should immediately uninstall them and monitor for unauthorized subscriptions.