How CallPhantom tricks Android users



There’s an app for everything these days… right? Well, looking up call records for a phone number of your choice is not one of those things, as potentially millions of Android users found out after paying for app subscriptions promising just that.

The offending apps, which we named CallPhantom based on their false claims, purport to provide access to call histories, SMS records, and even WhatsApp call logs for any phone number. To unlock this supposed feature, users are asked to pay – but all they get in return is randomly generated data.

Our investigation identified 28 such fraudulent apps available on the Google Play store, cumulatively downloaded more than 7.3 million times. As an App Defense Alliance partner, we reported our findings to Google, which removed all the apps identified in this report from Google Play.

Key points of this blogpost:

  • A new Android scam, CallPhantom, falsely claims to provide access to call logs, SMS records, and WhatsApp call history for any phone number in exchange for payment.
  • We identified and reported 28 CallPhantom apps on Google Play, cumulatively downloaded more than 7.3 million times.
  • Some CallPhantom apps bypass Google Play’s official billing system, complicating victims’ refund efforts.

Investigation

In November 2025, we came across a Reddit post discussing an app named Call History of Any Number, found on Google Play. The app, shown in Figure 1, claims that it can retrieve the call history of any phone number supplied by the user. It was published under the developer name Indian gov.in, but the app has no real affiliation with the Indian government.

Figure 1. Call History of Any Number app on Google Play

Unsurprisingly, our analysis showed that the “call history” data provided by this app is entirely fabricated – the app generates random phone numbers and pairs them with fixed names, call times, and call durations, all embedded directly in the code, as shown in Figure 2. This fake data is then presented to victims – but only after payment.

Figure 2. Hardcoded call log data used by the app

A screenshot of the fabricated call history data was even included in the app’s listing, presented as a demonstration of the app’s functionality, as shown in Figure 3.

Figure 3. Screenshots from Google Play seemingly demonstrating the fraudulent app’s functionality; the logs are randomly generated from hardcoded data

Further research revealed additional, similar apps available on the Play Store – 28 CallPhantom apps altogether. We reported the full set of fraudulent apps to Google on December 16th, 2025. At the time of publication, all the reported apps had been removed from the store.

Despite visual differences, which can be seen in Figure 4 and Figure 5, the purpose of the apps is the same: generate fake communication data and charge victims for access. The table in the Analyzed CallPhantom apps section lists each app along with its key details, including the download count.

Figure 4. Examples of CallPhantom apps found on the Play Store
Figure 5. Examples of CallPhantom initial screens

Campaign overview

The CallPhantom apps we found on Google Play primarily targeted Android users in India and the wider Asia‑Pacific region. Many of the apps came with India’s +91 country code preselected and support UPI, a payment system used primarily in India.

The apps had garnered numerous negative reviews, with victims reporting that they had been scammed and never received the promised data, as can be seen in Figure 6.

Figure 6. Negative reviews for one of the fraudulent apps

It’s not clear how the apps were distributed or promoted. Presumably, by seemingly offering insight into private information, the scammers successfully took advantage of people’s curiosity. Combined with a few glowing (fake) reviews, it could have looked like an intriguing offer.

CallPhantom overview

In our investigation, we identified two main clusters of these fraudulent apps.

The apps in the first cluster contain hardcoded names, country codes, and templates in their code, as shown in Figure 7. These are combined with randomly generated phone numbers and shown to the user as partial “results”. To view the full (fake) history, the victim has to pay.

Figure 7. Code responsible for generating messages

The apps in the second cluster ask users to enter an email address where the “retrieved” call history would supposedly be delivered, as seen in the screenshots in Figure 8. No data generation occurs until after payment; users have to pay or subscribe before any email would supposedly be sent.

Figure 8. CallPhantom requests the user’s email address where call logs would supposedly be delivered

Overall, CallPhantom apps have a simple user interface and don’t request any intrusive or sensitive permissions – they don’t need to. Correspondingly, they don’t contain any functionality capable of retrieving real call, SMS, or WhatsApp data.

In the CallPhantom apps we analyzed, we saw three different payment methods used, the latter two of which are in violation of Google Play’s payments policy.

First, some of the apps relied on subscriptions via Google Play’s official billing system. This is required of apps offering in-app purchases, according to Google Play’s payments policy; such purchases are covered by Google’s refund policy.

Second, some of the apps relied on payments via third-party apps that support UPI. For these third-party payment apps, CallPhantom apps either included hardcoded URLs or fetched the URLs dynamically from a Firebase realtime database, meaning the payment account could be changed at any time by the operator.

Third, in some cases, payment card checkout forms were included directly in the CallPhantom apps.

Examples of the payment methods can be seen in Figure 9.

Figure 9. Various payment options used by CallPhantom apps
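As an added example (not code from ESET or from the apps themselves), the following Python triage script applies two observations from the overview above: an app that advertises call-history lookup yet declares none of the permissions that reading on-device call or SMS data would require, and that carries UPI payment links or Firebase Realtime Database URLs in its strings. The manifest, string dump, hostname, and UPI handle are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions an app would need to read real on-device call or SMS data.
DATA_PERMISSIONS = {
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
}

# Constructed sample manifest mimicking the CallPhantom pattern: the app
# asks only for network access and notifications, never for call/SMS data.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.placeholder.anynumber.callhistory">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
</manifest>
"""

# Constructed sample string dump (what a decompiler or `strings` would list).
# The hostname and UPI handle are placeholders, not real indicators.
SAMPLE_STRINGS = """
https://placeholder-abc12-default-rtdb.firebaseio.com/upi_link.json
upi://pay?pa=placeholder@upi&pn=CallHistory&am=399&cu=INR
Your call history results have arrived
"""

FIREBASE_RTDB = re.compile(r"https?://[\w.-]+\.firebaseio\.com\S*")
UPI_LINK = re.compile(r"upi://pay\?\S+")


def declared_permissions(manifest_xml: str) -> set:
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage(manifest_xml: str, strings_dump: str, claims_call_history: bool) -> dict:
    """Flag a listing-vs-capability mismatch plus off-platform payment artifacts."""
    perms = declared_permissions(manifest_xml)
    findings = {
        "claims_without_capability": claims_call_history
        and perms.isdisjoint(DATA_PERMISSIONS),
        "firebase_rtdb_urls": FIREBASE_RTDB.findall(strings_dump),
        "upi_links": UPI_LINK.findall(strings_dump),
    }
    findings["suspicious"] = findings["claims_without_capability"] and bool(
        findings["firebase_rtdb_urls"] or findings["upi_links"]
    )
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST, SAMPLE_STRINGS, True).items():
        print(f"{key}: {value}")
```

A mismatch between a listing's claims and the permissions in the manifest is a heuristic, not proof; it simply prioritises which apps deserve a closer look.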

In one case, we saw an additional tactic used to coax the user into paying: if the user exited the app without paying, the app displayed deceptive alerts styled as new emails claiming that the call history results had arrived – see Figure 10. Clicking the notification led directly to a subscription screen.

Figure 10. Deceptive notification displayed by CallPhantom to persuade users to subscribe

The prices requested for the fake service vary widely across the apps. The apps also appear to offer different subscription packages, such as weekly, monthly, or yearly services, with the highest requested price sitting at US$80. For the lowest “subscription tier”, the average requested price was €5.

What to do if you have been scammed

In general, subscriptions purchased through the official Google Play billing system can be canceled in the Play Store app by tapping your profile icon, navigating to Payments & subscriptions → Subscriptions, selecting the active subscription, and tapping Cancel subscription. Google explains the full process on its Cancel, pause, or change a subscription on Google Play page.

For the 28 apps described in this blogpost, existing subscriptions were canceled when the apps were removed from Google Play.

In some cases, refunds for Google Play purchases are possible. Google may issue a refund depending on the time since purchase, the type of item, and its refund policy. In general, requests must be made within the allowed refund window as described on Google’s support page.

If the purchase was made outside Google Play – for example, by entering payment card details within the app or by paying through third‑party services – then Google cannot cancel the subscription or issue a refund, and users have to contact the payment provider or the app developer directly.

Conclusion

We identified a new cluster of fraudulent Android apps on Google Play that collectively accumulated over 7.3 million downloads before being taken down upon notification by ESET. These apps, which we collectively named CallPhantom, falsely promise to retrieve call logs, SMS records, and WhatsApp call history for any phone number, a technically impossible claim designed solely to exploit people’s curiosity and deceive them into paying.

Many of the apps circumvented Google Play’s official billing system, pushing users toward third‑party payments or direct card entry, complicating refund efforts and exposing victims to financial risk.

Our analysis revealed that the “results” shown to victims are entirely fabricated, often using hardcoded Indian numbers, predefined names, and generated timestamps disguised as real communication data.

Users who subscribed via official Google Play billing may be eligible for refunds under Google’s refund policies. Purchases made via third‑party payment apps or through direct payment card entry cannot be refunded by Google, leaving users dependent on external payment providers or developers.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

Analyzed CallPhantom apps

| App name | Package name | Number of downloads |
| --- | --- | --- |
| Call history : any number deta | calldetaila.ndcallhisto.rytogetan.ynumber | 3M+ |
| Call History of Any Number | com.pixelxinnovation.manager | 1M+ |
| Call Details of Any Number | com.app.call.detail.history | 1M+ |
| Call History Any Number Detail | sc.call.ofany.mobiledetail | 500K+ |
| Call History Any Number Detail | com.cddhaduk.callerid.block.contact | 500K+ |
| Call History Of Any Number | com.basehistory.historydownloading | 500K+ |
| Call History of Any Numbers | com.call.of.any.number | 100K+ |
| Call History Of Any Number | com.rajni.callhistory | 100K+ |
| Call History Any Number Detail | com.callhistory.calldetails.callerids.callerhistory.callhostoryanynumber.getcall.history.callhistorymanager | 100K+ |
| Call History Any Number Detail | com.callinformative.instantcallhistory.callhistorybluethem.callinfo | 100K+ |
| Call History Any Number detail | com.call.detail.caller.history | 100K+ |
| Call History Any Number Detail | com.anycallinformation.datadetailswho.callinfo.numberfinder | 100K+ |
| Call History Any Number Detail | com.callhistory.callhistoryyourgf | 100K+ |
| Call History Any Number | com.calldetails.smshistory.callhistoryofanynumber | 50K+ |
| Call History Any Number Detail | com.callhistory.anynumber.chapfvor.history | 50K+ |
| Call History of Any Number | com.callhistory.callhistoryany.call | 50K+ |
| Call History Any Number Detail | com.identify.issue | 50K+ |
| Call History Of Any Number | com.getanynumberofcallhistory.callhistoryofanynumber.findcalldetailsofanynumber | 50K+ |
| Call History Of Any Number | com.chdev.callhistory | 10K+ |
| Phone Call History Tracker | com.phone.call.history.tracker | 10K+ |
| Call History- Any Number Deta | com.pdf.maker.pdfreader.pdfscanner | 10K+ |
| Call History Of Any Number | com.any.numbers.calls.history | 10K+ |
| Call History Any Number Detail | com.callapp.historyero | 1K+ |
| Call History – Any Number Data | all.callhistory.detail | 500+ |
| Call History For Any Number | com.easyranktools.callhistoryforanynumber | 100+ |
| Call History of Numbers | com.sbpinfotech.findlocationofanynumber | 100+ |
| Call History of Any Number | callhistoryeditor.callhistory.numberdetails.calleridlocator | 50+ |
| Call History Pro | com.all_historydownload.anynumber.callhistorybackup | 50+ |

IoCs

A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.


Network

| IP | Domain | Hosting provider | First seen | Details |
| --- | --- | --- | --- | --- |
| 34.120.160[.]131 | call-history-7cda4-default-rtdb.firebaseio[.]com, call-history-ecc1e-default-rtdb.firebaseio[.]com | Google LLC | 2025‑05‑14 | CallPhantom C&C server. |
| 34.120.206[.]254 | ch-ap-4-default-rtdb.firebaseio[.]com, chh1-ac0a3-default-rtdb.firebaseio[.]com | Google LLC | 2025‑04‑17 | CallPhantom C&C server. |

MITRE ATT&CK techniques

This table was built using version 18 of the MITRE ATT&CK framework.

| Tactic | ID | Name | Description |
| --- | --- | --- | --- |
| Command and Control | T1437.001 | Application Layer Protocol: Web Protocols | CallPhantom uses Firebase Cloud Messaging for C&C communication. |
| Impact | T1643 | Generate Traffic from Victim | CallPhantom tries to achieve fraudulent billing. |


