ESET researchers uncovered fraudulent apps on Google Play that claim to provide the call history “for any number” and had been downloaded more than seven million times before being taken down
Analysis Summary
# Tool/Technique: CallPhantom
## Overview
CallPhantom is a family of fraudulent Android applications identified by ESET researchers. These apps masquerade as legitimate utility tools (sometimes using fake government branding) that claim to provide private call histories, SMS records, and WhatsApp logs for any phone number. No such lookup is possible from an app: Android exposes only the local device's own call log, and only to apps the user grants `READ_CALL_LOG`; it never exposes another subscriber's records. In reality, the apps generate fake data from hardcoded templates to trick users into paying for non-existent "premium" information.
## Technical Details
- **Type:** Malware family (Fraudulent/Scamware)
- **Platform:** Android
- **Capabilities:** Data fabrication, subscription fraud, bypassing official billing systems.
- **First Seen:** April–May 2025
## MITRE ATT&CK Mapping (Mobile matrix)
- **TA0037 - Command and Control**
- **T1437.001 - Application Layer Protocol: Web Protocols** (communicates over HTTPS with operator-controlled Firebase backends; see Network Indicators)
- **TA0034 - Impact**
- **T1643 - Generate Traffic from Victim** (closest fit for the fraudulent billing/financial-gain outcome)
- **TA0027 - Initial Access**
- **T1474 - Supply Chain Compromise** (distributed through the official Google Play Store)
## Functionality
### Core Capabilities
- **Data Fabrication:** Uses hardcoded lists of names, country codes, and call durations to generate randomized "previews" of call logs to lure victims.
- **Social Engineering:** Impersonates official entities (e.g., developer name "Indian gov.in") and uses fake glowing reviews to establish trust.
- **Fraudulent Monetization:** Charges users via subscriptions or one-time payments for access to "full" records that do not exist.
### Advanced Features
- **Billing Bypass:** Some variants sidestep Google Play Billing and collect payment through third-party rails such as UPI (Unified Payments Interface), so the transaction never appears in the victim's Google Play order history and cannot be refunded through Google.
- **Localization:** Specifically targets the Asia-Pacific region with pre-selected country codes (+91 for India) and localized payment support.
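The fabrication pattern described above lends itself to a simple analyst check: a real record source returns the same history for the same number on every lookup, while a template generator returns a fresh random sample each time. The following is an added example written for this page, not code recovered from the CallPhantom apps; the name list, country codes, call types and duration range are constructed placeholders, and only the pattern (hardcoded lists combined at random, with the requested number ignored) is taken from the report.

```python
"""Model of the 'hardcoded template' fabrication pattern plus the
consistency check that exposes it. Added example; all template data
below is constructed, not taken from the apps."""
import random
from dataclasses import dataclass
from typing import List, Optional

# Constructed template lists (the real apps ship their own).
NAMES = ["Amit", "Priya", "Rahul", "Sneha", "Vikram", "Anjali"]
COUNTRY_CODES = ["+91", "+880", "+94", "+977"]
CALL_TYPES = ["incoming", "outgoing", "missed"]
DURATION_RANGE = (5, 1800)  # seconds


@dataclass(frozen=True)
class CallRecord:
    name: str
    number: str
    call_type: str
    duration_s: int


def fabricate_preview(target_number: str, rows: int = 5,
                      seed: Optional[int] = None) -> List[CallRecord]:
    """Produce a 'preview' the way the report describes: random picks from
    the template lists. Note that target_number is never used, which is the
    whole point. `seed` exists only so the example is reproducible."""
    rng = random.Random(seed)
    preview = []
    for _ in range(rows):
        cc = rng.choice(COUNTRY_CODES)
        subscriber = "".join(rng.choice("0123456789") for _ in range(10))
        preview.append(CallRecord(
            name=rng.choice(NAMES),
            number=cc + subscriber,
            call_type=rng.choice(CALL_TYPES),
            duration_s=rng.randint(*DURATION_RANGE),
        ))
    return preview


def uses_only_template_values(preview: List[CallRecord]) -> bool:
    """Static tell: every field is drawn from the embedded lists/ranges.
    A reverser sees the same lists as string constants in the APK."""
    lo, hi = DURATION_RANGE
    return all(
        r.name in NAMES
        and any(r.number.startswith(cc) for cc in COUNTRY_CODES)
        and r.call_type in CALL_TYPES
        and lo <= r.duration_s <= hi
        for r in preview
    )


def previews_are_consistent(a: List[CallRecord], b: List[CallRecord]) -> bool:
    """Dynamic tell: two lookups of the same number should share records.
    Returns False when they have nothing in common, the expected result for
    a template generator and an impossible one for a real record store."""
    return bool(set(a) & set(b))


if __name__ == "__main__":
    first = fabricate_preview("+919876543210", seed=1)
    second = fabricate_preview("+919876543210", seed=2)
    print("template-only values:", uses_only_template_values(first))
    print("consistent across lookups:", previews_are_consistent(first, second))
```

Running the same lookup twice against a suspect app and diffing the results is the cheapest field check; the static check is what a signature writer would build from the string table.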
## Indicators of Compromise
### File Hashes (SHA-256, truncated; only the leading 20 hex characters are given here)
- `8105752FFF5E357D7AC9` (com.cddhaduk.callerid.block.contact)
- `E2342012326C7B46429D` (com.easyranktools.callhistoryforanynumber)
- `58EDD1509E4488112154` (com.getanynumberofcallhistory...)
- `9F6ED556EC3AF5BD9345` (com.chdev.callhistory)
- `113E8A98DD04C6EEF72A` (com.pdf.maker.pdfreader.pdfscanner)
### Package Names
- `com.chdev.callhistory`
- `com.sbpinfotech.findlocationofanynumber`
- `sc.call.ofany.mobiledetail`
- `com.pixelxinnovation.manager`
- `com.name.factor`
### Network Indicators
- `call-history-7cda4-default-rtdb[.]firebaseio[.]com`
- `call-history-ecc1e-default-rtdb[.]firebaseio[.]com`
- `ch-ap-4-default-rtdb[.]firebaseio[.]com`
- `34.120.160[.]131`
- `34.120.206[.]254`
## Associated Threat Actors
- Unknown; likely financially motivated cybercriminals focusing on the Indian and Asia-Pacific markets.
## Detection Methods
- **Behavioral detection:** Flag apps that advertise call, SMS or WhatsApp history for arbitrary numbers while holding no permission or backend that could supply it, that return different "records" for repeated lookups of the same number (output built from embedded string tables), or that route payment for digital content to external gateways instead of Google Play Billing.
- **Signature-based detection:** ESET identifies these variants as `Android/CallPhantom.A` through `Android/CallPhantom.Z`.
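The indicators listed above are most useful when run over telemetry an organization already collects: an MDM app inventory (package names) and DNS or proxy logs (hostnames and resolved IPs). The script below is an added example for this page, not ESET tooling; it copies the package names, hostnames and IPs from the Indicators of Compromise section and runs them over constructed inventory and DNS lines. It matches full hostnames only, since the `-default-rtdb.firebaseio.com` suffix is shared by every Firebase Realtime Database project, and it reports bare IP hits at low confidence on the assumption that the front-end addresses of Firebase-hosted services are shared with unrelated projects.

```python
"""Match CallPhantom IOCs against an MDM inventory and DNS logs.
Added example; indicators are from the page's IOC section, log data is
constructed for the demonstration."""
import csv
import io
from typing import List, Tuple

PACKAGE_IOCS = {
    "com.chdev.callhistory",
    "com.sbpinfotech.findlocationofanynumber",
    "sc.call.ofany.mobiledetail",
    "com.pixelxinnovation.manager",
    "com.name.factor",
    "com.cddhaduk.callerid.block.contact",
    "com.easyranktools.callhistoryforanynumber",
    "com.pdf.maker.pdfreader.pdfscanner",
}
# Kept defanged exactly as published; refanged once at load time.
HOST_IOCS_DEFANGED = {
    "call-history-7cda4-default-rtdb[.]firebaseio[.]com",
    "call-history-ecc1e-default-rtdb[.]firebaseio[.]com",
    "ch-ap-4-default-rtdb[.]firebaseio[.]com",
}
IP_IOCS_DEFANGED = {"34.120.160[.]131", "34.120.206[.]254"}


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".").lower()


HOST_IOCS = {refang(h) for h in HOST_IOCS_DEFANGED}
IP_IOCS = {refang(i) for i in IP_IOCS_DEFANGED}

# (source, subject, indicator, confidence)
Finding = Tuple[str, str, str, str]

# Constructed MDM export: one row per installed app.
INVENTORY = """device_id,package_name,version_name
dev-001,com.whatsapp,2.24.1
dev-002,com.chdev.callhistory,1.3
dev-003,com.name.factor,2.0
dev-004,com.google.android.youtube,19.0
"""

# Constructed resolver log: "<ts> <client> query <name>" and
# "<ts> <client> answer <name> <ip>" lines.
DNS_LOG = """\
2025-05-02T10:14:03Z 10.0.4.21 query call-history-7cda4-default-rtdb.firebaseio.com
2025-05-02T10:14:03Z 10.0.4.21 answer call-history-7cda4-default-rtdb.firebaseio.com 34.120.160.131
2025-05-02T10:15:09Z 10.0.4.22 query my-todo-app-default-rtdb.firebaseio.com
2025-05-02T10:15:09Z 10.0.4.22 answer my-todo-app-default-rtdb.firebaseio.com 34.120.160.131
2025-05-02T10:16:11Z 10.0.4.23 query example.com
2025-05-02T10:16:11Z 10.0.4.23 answer example.com 93.184.216.34
"""


def scan_inventory(csv_text: str) -> List[Finding]:
    """Exact package-name match: an installed IOC package is high confidence."""
    found = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        pkg = row["package_name"].strip().lower()
        if pkg in PACKAGE_IOCS:
            found.add(("inventory", row["device_id"], pkg, "high"))
    return sorted(found)


def scan_dns(log_text: str) -> List[Finding]:
    """Full-hostname match is high confidence; an answer that only shares an
    IOC IP (no IOC hostname) is low confidence because the address is likely
    shared hosting. Findings are deduplicated per (client, indicator)."""
    found = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _, client, kind, name = parts[:4]
        name = name.lower().rstrip(".")
        if name in HOST_IOCS:
            found.add(("dns", client, name, "high"))
        elif kind == "answer" and len(parts) >= 5 and parts[4] in IP_IOCS:
            found.add(("dns", client, parts[4], "low"))
    return sorted(found)


def high_confidence_subjects(findings: List[Finding]) -> List[str]:
    """Devices/clients worth an analyst's time first."""
    return sorted({f[1] for f in findings if f[3] == "high"})


if __name__ == "__main__":
    hits = scan_inventory(INVENTORY) + scan_dns(DNS_LOG)
    for hit in hits:
        print(hit)
    print("investigate first:", high_confidence_subjects(hits))
```

The low-confidence IP branch is deliberate: on a shared hosting address, the hostname is the discriminating signal, so an IP-only hit should drive a hunt for the hostname in proxy or TLS SNI logs rather than an alert on its own.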
## Mitigation Strategies
- **User Education:** Advise users that no third-party app can provide another person's call, SMS or WhatsApp history: carriers do not expose subscriber records to apps, and Android restricts even the local call log to apps explicitly granted `READ_CALL_LOG`. Any app promising such lookups for "any number" is fabricating its output.
- **Payment Verification:** Pay for in-app digital content only through Google Play Billing; treat redirection to an external gateway (UPI links, web checkout pages) as a red flag, since those payments fall outside Google Play's refund process.
- **App Review Scrutiny:** Analyze negative reviews and check developer authenticity (e.g., verifying if "government" apps are actually published by official agencies).
## Related Tools/Techniques
- **Fleeceware:** Apps that charge excessive subscription fees for basic or non-existent functionality.
- **Scamware:** General category for apps designed to deceive users for financial gain without providing the promised service.