A large-scale mobile fraud operation tracked as CallPhantom has been uncovered on Google Play, with 28 fraudulent Android applications accumulating more than 7.3 million downloads before being removed. The apps promised users the ability to look up the call history of any phone number, a service that does not technically exist in this form, delivering only fabricated data while charging real money for subscriptions up to $80 per year.
Researchers at WeLiveSecurity (ESET) identified and reported the applications to Google. Following ESET's disclosure in December 2025, Google removed all 28 apps. The fraudulent campaign primarily targeted Android users in India and the broader Asia-Pacific region, with many apps pre-selecting India's country code and supporting the UPI payment infrastructure widely used across the subcontinent.
How the Fraud Worked
The premise of the CallPhantom apps was deceptively simple. Users searching for ways to look up who called a specific number, or to retrieve call logs from another device, were drawn to apps with professional-looking listings that included screenshots purportedly showing real call history data. These screenshots were themselves fabricated, designed to create a false impression of functionality before any money changed hands.
Once installed, users were shown partial call history results and prompted to pay to unlock the full data. In reality, the call history data was entirely generated from hardcoded names, phone numbers, and timestamps baked directly into the application code. The apps had no technical capability to access call logs, SMS records, or WhatsApp data from any external device, because accessing another person's call history without authorization is not legally or technically possible through a standard Android application.
The 28 apps fell into two distinct operational clusters. The first used hardcoded call log templates, combining fixed names and country codes with randomly generated phone numbers to produce fake results on demand. The second cluster took a more elaborate approach, asking users to provide their email address and claiming the retrieved call history would be delivered there. No real data was ever sent. Both clusters charged subscription fees before or immediately after presenting fake results.
Payment Evasion: Bypassing Google Refunds
One of the most deliberate features of the CallPhantom operation was its use of payment channels that Google could not reverse. The apps employed three separate payment methods:
- Google Play billing: Used in some apps, where Google can issue refunds if the subscription is canceled within the allowed window
- Third-party UPI apps: Payment details were either hardcoded in the app or dynamically fetched from Firebase real-time databases, allowing operators to swap receiving accounts on the fly to avoid detection and complicate refund requests
- In-app card payment forms: Embedded checkout forms collected payment card details directly inside the app, violating Google Play payment policies and completely bypassing Google refund mechanisms
The Firebase-based payment URL delivery system was particularly sophisticated. By storing recipient UPI handles in a remote database rather than hardcoding them, the operators could instantly redirect payments to new accounts if any individual account was flagged or frozen, demonstrating operational awareness of fraud detection practices.
Deceptive Notifications and Psychological Pressure
At least one app in the CallPhantom family sent deceptive push notifications styled to appear as email alerts, falsely telling users that their requested call history results had arrived. Tapping the notification routed users directly to a subscription payment screen rather than any actual results. This tactic extended user engagement beyond the initial session, maintaining psychological pressure on users who had previously chosen not to pay.
Indicators of Compromise
ESET published a full list of 28 malicious package names and SHA-1 hashes as part of the disclosure. Key Firebase infrastructure used by the CallPhantom operation included the domains call-history-7cda4-default-rtdb.firebaseio[.]com, call-history-ecc1e-default-rtdb.firebaseio[.]com, and ch-ap-4-default-rtdb.firebaseio[.]com, all hosted on Google LLC infrastructure via Firebase with first-seen dates in 2025.
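The three Firebase Realtime Database hostnames above are the kind of indicator a defender can match against DNS resolver logs or against strings extracted from an APK. The following Python script is an added example, not part of ESET's disclosure or of this article; it refangs the published indicators and matches them exactly, since firebaseio.com itself hosts countless legitimate apps and only the specific project hostnames are indicators. The DNS log line format, the client IP addresses and the URL paths in the sample data are constructed for the example.

```python
"""IoC matcher for the CallPhantom Firebase RTDB hostnames (added example)."""
import re

# Defanged indicators exactly as published in the disclosure.
CALLPHANTOM_RTDB_DEFANGED = (
    "call-history-7cda4-default-rtdb.firebaseio[.]com",
    "call-history-ecc1e-default-rtdb.firebaseio[.]com",
    "ch-ap-4-default-rtdb.firebaseio[.]com",
)


def refang(indicator: str) -> str:
    """Normalise a (possibly defanged) hostname: real dots, lowercase, no trailing dot."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


CALLPHANTOM_RTDB = frozenset(refang(d) for d in CALLPHANTOM_RTDB_DEFANGED)


def is_ioc_host(hostname: str) -> bool:
    """Exact-host match only. Matching on the parent domain firebaseio.com
    would flag every legitimate Firebase-backed app on the network."""
    return refang(hostname) in CALLPHANTOM_RTDB


# Assumed (constructed) resolver log format: "<timestamp> <client-ip> query: <qname>".
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query:\s+(?P<qname>\S+)")


def scan_dns_log(lines):
    """Return (timestamp, client, hostname) for every query to an IoC host."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if m and is_ioc_host(m.group("qname")):
            hits.append((m.group("ts"), m.group("client"), refang(m.group("qname"))))
    return hits


# Hostname part of http(s)/ws(s) URLs, e.g. from `strings` output of an APK's dex files.
URL_HOST = re.compile(r"(?:https?|wss?)://([A-Za-z0-9.-]+)", re.IGNORECASE)


def scan_strings(strings):
    """Return the set of IoC hostnames referenced by URLs in extracted strings."""
    found = set()
    for s in strings:
        for host in URL_HOST.findall(s):
            if is_ioc_host(host):
                found.add(refang(host))
    return found


# Constructed sample data: two IoC lookups, one parent-domain lookup, one unrelated project.
SAMPLE_DNS_LOG = [
    "2026-01-12T10:15:02Z 10.0.0.5 query: call-history-7cda4-default-rtdb.firebaseio.com.",
    "2026-01-12T10:15:03Z 10.0.0.5 query: firebaseio.com",
    "2026-01-12T10:15:04Z 10.0.0.9 query: CH-AP-4-default-rtdb.firebaseio.com",
    "2026-01-12T10:15:05Z 10.0.0.9 query: my-own-app-default-rtdb.firebaseio.com",
]

# Constructed sample strings; the paths are invented for the example.
SAMPLE_APK_STRINGS = [
    "https://call-history-ecc1e-default-rtdb.firebaseio.com/payment_url.json",
    "wss://call-history-ecc1e-default-rtdb.firebaseio.com/.ws?v=5",
    "https://play.google.com/store",
]

if __name__ == "__main__":
    for ts, client, host in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{ts} {client} resolved CallPhantom host {host}")
    for host in sorted(scan_strings(SAMPLE_APK_STRINGS)):
        print(f"APK references CallPhantom host {host}")
```

Run over the constructed sample, the DNS scan flags the two IoC lookups and ignores both the bare parent domain and the unrelated Firebase project; the string scan reports the one IoC host embedded in the sample URLs.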
What Affected Users Should Do
Users who downloaded any of the 28 CallPhantom applications should take the following steps:
- Uninstall any remaining app immediately if it has not already been automatically removed via Google Play Protect
- If subscribed through Google Play's official billing, request a refund through Google Play or the device's Settings app, as existing subscriptions were canceled when the apps were removed
- If payment was made through a UPI app or in-app card form, contact the payment provider or card issuer directly to dispute the charge as a fraudulent transaction
- Monitor bank and payment app statements for recurring unauthorized charges, as some subscription models were designed to charge weekly or monthly
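The last step, checking statements for recurring charges, is tedious by hand when a subscription bills weekly. The following Python script is an added example, not something the article or ESET provides; it groups charges by payee and amount and flags groups that repeat at a near-constant interval. The CSV statement format and the payee names in the sample are constructed for the example.

```python
"""Flag subscription-style recurring charges in an exported statement (added example)."""
from collections import defaultdict
from datetime import date


def parse_statement(lines):
    """Parse constructed CSV lines 'YYYY-MM-DD,payee,amount' (assumed export format)."""
    txs = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, payee, amount = (f.strip() for f in line.split(","))
        # Normalise the amount to a string so equal charges group together exactly.
        txs.append((date.fromisoformat(day), payee, f"{float(amount):.2f}"))
    return txs


def find_recurring(transactions, min_repeats=3, tolerance_days=2):
    """Group charges by (payee, amount) and flag groups whose consecutive charges
    fall at an almost constant interval, e.g. every ~7 or ~30 days."""
    groups = defaultdict(list)
    for day, payee, amount in transactions:
        groups[(payee, amount)].append(day)

    flagged = {}
    for key, days in groups.items():
        if len(days) < max(min_repeats, 2):
            continue  # need at least one interval to judge regularity
        days.sort()
        gaps = [(later - earlier).days for earlier, later in zip(days, days[1:])]
        if max(gaps) - min(gaps) > tolerance_days:
            continue  # irregular spacing: probably ordinary repeat purchases
        flagged[key] = {
            "count": len(days),
            "period_days": round(sum(gaps) / len(gaps)),
            "first": days[0].isoformat(),
            "last": days[-1].isoformat(),
        }
    return flagged


# Constructed sample: a weekly charge, irregular shop purchases, and a monthly charge.
SAMPLE_STATEMENT = [
    "# date,payee,amount",
    "2025-11-03,callhist@upi,149.00",
    "2025-11-05,grocer@upi,812.50",
    "2025-11-06,streamco,199.00",
    "2025-11-10,callhist@upi,149.00",
    "2025-11-17,callhist@upi,149.00",
    "2025-11-19,grocer@upi,640.00",
    "2025-11-24,callhist@upi,149.00",
    "2025-12-06,streamco,199.00",
]

if __name__ == "__main__":
    for (payee, amount), info in find_recurring(parse_statement(SAMPLE_STATEMENT)).items():
        print(f"{payee} charges {amount} every ~{info['period_days']} days "
              f"({info['count']} times, {info['first']} to {info['last']})")
```

With the default of three repeats the sample yields only the weekly charge; lowering min_repeats to 2 also surfaces the monthly one, at the cost of more noise from ordinary purchases, which is the trade-off to weigh when scanning a long statement.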
Protecting Yourself from Similar Scams
The CallPhantom campaign exploits a fundamental gap in most users' understanding of what mobile apps can and cannot do. No legitimate Android application can access the call history of a phone number it does not own, because Android permissions and carrier infrastructure simply do not permit it. Any app claiming to provide this service is, by definition, fraudulent.
Practical protections include verifying developer credibility and reading negative reviews before downloading, being skeptical of apps claiming to access private data belonging to other people or other devices, avoiding apps that require payment before showing any results, and preferring to pay through Google Play's official billing rather than third-party methods that lack buyer protections.
The scale of this campaign, 7.3 million downloads across 28 apps, underscores the persistent challenge of keeping fraudulent applications off major app stores despite automated and human review processes. Users remain an essential last line of defense.