Fake call-history apps on Google Play scammed 7.3M in India
Twenty-eight fake call-history apps on Google Play were downloaded 7.3 million times, mainly in India, and took subscription payments while delivering fabricated call, SMS and WhatsApp records.
Slovak security firm ESET found 28 Android apps on Google Play that advertised access to call, SMS and WhatsApp histories for any phone number. The apps were downloaded a total of about 7.3 million times, with one title accounting for more than 3 million installs. Most downloads were in India and the broader Asia‑Pacific region.
ESET labeled the cluster CallPhantom and reported the apps returned only fabricated data embedded in their code. ESET researcher Lukáš Štefanko wrote that the programs “purport to provide access to call histories, SMS records, and even WhatsApp call logs for any phone number” but that users receive randomly generated names and numbers after paying.
The apps used simple interfaces and did not request sensitive Android permissions. At least one was published under the developer name “Indian gov.in” to create a false impression of legitimacy. Some variants asked users to enter an email address and promised to send results, but no data was delivered unless a payment went through.
Payments were collected through three channels: Google Play’s official billing system, third‑party Unified Payments Interface (UPI) apps commonly used in India such as Google Pay, PhonePe and Paytm, and direct card entry forms inside the apps. ESET noted the direct card form and some third‑party flows violated Google policy. Subscription prices ranged from about $6 to $80. In one trick, the app showed a deceptive notification claiming a call history had been emailed; tapping the notification took the user to a subscription screen.
ESET’s analysis indicates the activity may have been active since at least November 2025. After Google removed the apps, subscriptions paid through Google Play billing should be eligible for refunds under Google’s policies. Payments made via third‑party UPI apps or by entering card details inside the apps cannot be refunded by Google and would require action through the payment provider or the app developer.
Separately, cybersecurity firm Group‑IB reported a fraud cluster called GoldFactory that stole an estimated $2 million from Indonesian users. That campaign used phishing, social engineering over messaging apps, malicious APK sideloading and voice phishing to deliver Android malware such as Gigabud RAT, MMRat and Taotie, which were then used to harvest credentials and perform financial theft.
ESET recommends anyone who downloaded the flagged apps check active subscriptions in their Google Play account, review recent payments, and contact their payment provider about possible refunds.
