Sunday, May 10, 2026

How CallPhantom tricks Android users


There’s an app for everything these days… right? Well, looking up call records for a phone number of choice is not one of those things, as potentially millions of Android users found out after paying for app subscriptions promising just that.

The offending apps, which we named CallPhantom based on their false claims, purport to provide access to call histories, SMS records, and even WhatsApp call logs for any phone number. To unlock this supposed feature, users are asked to pay – but all they get in return is randomly generated data.

Our investigation identified 28 such fraudulent apps available on the Google Play store, cumulatively downloaded more than 7.3 million times. As an App Defense Alliance partner, we reported our findings to Google, which removed all of the apps identified in this report from Google Play.

Key points of this blogpost:

  • A new Android scam, CallPhantom, falsely claims to provide access to call logs, SMS records, and WhatsApp call history for any phone number in exchange for payment.
  • We identified and reported 28 CallPhantom apps on Google Play, cumulatively downloaded more than 7.3 million times.
  • Some CallPhantom apps sidestep Google Play’s official billing system, complicating victims’ refund efforts.

Investigation

In November 2025, we came across a Reddit post discussing an app named Call History of Any Number, found on Google Play. The app, shown in Figure 1, claims that it can retrieve the call history of any phone number supplied by the user. It was published under the developer name Indian gov.in, but the app has no actual affiliation with the Indian government.

Figure 1. Call History of Any Number app on Google Play

Unsurprisingly, our analysis showed that the “call history” data provided by this app is entirely fabricated – the app generates random phone numbers and matches them with fixed names, call times, and call durations, which were embedded directly in the code, as shown in Figure 2. This fake data is then presented to victims – but only after payment.

Figure 2. Hardcoded call log data used by the app

A screenshot of the fabricated call history data was even included in the app’s listing, presented as an illustration of the app’s functionality, as shown in Figure 3.

Figure 3. Screenshots from Google Play seemingly demonstrating the fraudulent app’s functionality; the logs are randomly generated from hardcoded data

Further research revealed more, related apps available on the Play Store – 28 CallPhantom apps altogether. We reported the full set of fraudulent apps to Google on December 16th, 2025. At the time of publication, all the reported apps have been removed from the store.

Despite visual differences, which can be seen in Figure 4 and Figure 5, the purpose of the apps is the same: generate fake communication data and charge victims for access. The table in the Analyzed CallPhantom apps section lists each app together with its key details, including the download count.

Figure 4. Examples of CallPhantom apps found on the Play Store
Figure 5. Examples of CallPhantom initial screens

Campaign overview

The CallPhantom apps we found on Google Play primarily targeted Android users in India and the broader Asia‑Pacific region. Many of the apps came with India’s +91 country code preselected and support UPI, a payment system used primarily in India.

The apps had garnered numerous negative reviews, with victims reporting that they were scammed and never received the promised data, as can be seen in Figure 6.

Figure 6. Negative reviews for one of the fraudulent apps

It is not clear how the apps were distributed or promoted. Presumably, by seemingly offering insight into private information, the scammers successfully took advantage of people’s curiosity. Combined with a few glowing (fake) reviews, it might have seemed like an intriguing offer.

CallPhantom overview

In our investigation, we identified two main clusters of these fraudulent apps.

The apps in the first cluster contain hardcoded names, country codes, and templates in their code, as shown in Figure 7. These are combined with randomly generated phone numbers and shown to the user as partial “results”. To view the full (fake) history, the victim has to pay.

Figure 7. Code responsible for generating messages

The apps in the second cluster ask users to enter an email address where the “retrieved” call history would supposedly be delivered, as seen in the screenshots in Figure 8. No data generation occurs until after payment; users have to pay or subscribe before any email would supposedly be sent.

Figure 8. CallPhantom requests the user’s email address where call logs would supposedly be delivered

Generally, CallPhantom apps have a simple user interface and don’t request any intrusive or sensitive permissions – they don’t have to. Coincidentally, they don’t contain any functionality capable of retrieving real call, SMS, or WhatsApp data.

In the CallPhantom apps we analyzed, we observed three different payment methods used, the latter two of which are in violation of Google Play’s payments policy.

First, some of the apps relied on subscriptions via Google Play’s official billing system. This is required of apps offering in-app purchases, per Google Play’s payments policy; such purchases are covered by Google’s refund protection.

Second, some of the apps relied on payments via third-party apps that support UPI. For these third-party payment apps, CallPhantom apps either included hardcoded URLs or fetched the URLs dynamically from a Firebase realtime database, meaning the payment account could be changed at any time by the operator.

Third, in some cases, payment card checkout forms were included directly in the CallPhantom apps.

Examples of the payment methods can be seen in Figure 9.

Figure 9. Various payment options used by CallPhantom apps
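
The traits described in this section (a promise of call or SMS records with no permission that could read them, hardcoded UPI payment links, payment targets fetched from a Firebase realtime database, in-app card forms) can be checked together during static triage of an app. The following Python script is an added example, not ESET's code or tooling; the function name, regular expressions, verdict labels, and sample inputs are assumptions constructed for illustration.

```python
import re

# Permissions an app needs before it can read any on-device call or SMS records.
DATA_PERMS = {"android.permission.READ_CALL_LOG", "android.permission.READ_SMS"}
PLAY_BILLING = "com.android.vending.BILLING"  # declared by apps using Play billing

CLAIM_RE = re.compile(r"call (?:history|logs?|details)|sms (?:history|records)", re.I)
UPI_RE = re.compile(r"upi://pay\?[^\s\"']+", re.I)  # UPI deep link to a payee
RTDB_RE = re.compile(r"https://[\w-]+-default-rtdb\.firebaseio\.com[^\s\"']*", re.I)
CARD_RE = re.compile(r"\b(?:cvv|card[ _]?number|expiry[ _]?date)\b", re.I)


def triage(listing_text, permissions, strings):
    """Flag the CallPhantom traits described above for one statically analyzed app."""
    perms, blob = set(permissions), "\n".join(strings)
    f = {
        # Promises communication records but cannot read any: claim vs. capability.
        "claim_without_capability": bool(CLAIM_RE.search(listing_text))
        and not (DATA_PERMS & perms),
        "upi_links": UPI_RE.findall(blob),        # hardcoded payee
        "rtdb_urls": RTDB_RE.findall(blob),       # remotely swappable configuration
        "card_form": bool(CARD_RE.search(blob)),  # in-app card checkout
        "play_billing": PLAY_BILLING in perms,
    }
    f["off_platform_payment"] = bool(f["upi_links"] or f["card_form"])
    # Escalate only when the false promise and a payment path appear together.
    paid = f["off_platform_payment"] or f["play_billing"] or bool(f["rtdb_urls"])
    f["verdict"] = "review" if f["claim_without_capability"] and paid else "pass"
    return f


# Constructed sample inputs (not taken from any real app).
SUSPECT = triage(
    "Call history of any number, SMS records and WhatsApp call logs",
    ["android.permission.INTERNET"],
    [
        "upi://pay?pa=sample@examplebank&pn=Sample&am=99.00",
        "https://constructed-sample-default-rtdb.firebaseio.com/pay.json",
    ],
)
BENIGN = triage(
    "Back up the call history stored on your own phone",
    ["android.permission.READ_CALL_LOG", PLAY_BILLING],
    ["https://example.com/help"],
)

if __name__ == "__main__":
    for name, result in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, result["verdict"], result)
```

The inputs are expected to come from whatever tool extracts the store listing, manifest permissions, and string constants of an APK. A "review" verdict is a prompt for manual analysis, not a detection.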

In one case, we observed an additional tactic used to coax the user into paying: if the user exited the app without payment, the app displayed deceptive alerts styled as new emails claiming that the call history results had arrived – see Figure 10. Clicking the notification led straight to a subscription screen.

Figure 10. Deceptive notification displayed by CallPhantom to persuade users to subscribe

The fees requested for the fake service vary widely across the apps. The apps also appear to offer different subscription packages, such as weekly, monthly, or yearly services, with the highest requested price sitting at US$80. For the lowest “subscription tier”, the average requested price was €5.

What to do if you have been scammed

Generally, subscriptions purchased through the official Google Play billing system can be canceled in the Play Store app by tapping your profile icon, navigating to Payments & subscriptions → Subscriptions, selecting the active subscription, and tapping Cancel subscription. Google explains the full process on its Cancel, pause, or change a subscription on Google Play page.

For the 28 apps described in this blogpost, existing subscriptions were canceled when the apps were removed from Google Play.

In some cases, refunds for Google Play purchases are possible. Google may issue a refund depending on the time since purchase, the type of item, and its refund policy. Generally, requests must be made within the allowed refund window as described on Google’s support page.

If the purchase was made outside Google Play – for example, by entering payment card details inside the app or by paying through third‑party services – then Google cannot cancel the subscription or issue a refund, and users have to contact the payment provider or the app developer directly.

Conclusion

We identified a new cluster of fraudulent Android apps on Google Play that collectively amassed over 7.3 million downloads before being taken down upon notification by ESET. These apps, which we collectively named CallPhantom, falsely promise to retrieve call logs, SMS records, and WhatsApp call history for any phone number, a technically impossible claim designed solely to exploit people’s curiosity and mislead them into paying.

Many of the apps circumvented Google Play’s official billing system, pushing users toward third‑party payments or direct card entry, complicating refund efforts and exposing victims to financial risk.

Our analysis revealed that the “results” shown to victims are entirely fabricated, often using hardcoded Indian numbers, predefined names, and generated timestamps disguised as real communication data.

Users who subscribed via official Google Play billing may be eligible for refunds under Google’s refund policies. Purchases made via third‑party payment apps or through direct payment card entry cannot be refunded by Google, leaving users dependent on external payment providers or developers.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

Analyzed CallPhantom apps

App name | Package name | Number of downloads
Call history : any number deta | calldetaila.ndcallhisto.rytogetan.ynumber | 3M+
Call History of Any Number | com.pixelxinnovation.supervisor | 1M+
Call Details of Any Number | com.app.name.element.historical past | 1M+
Call History Any Number Detail | sc.name.ofany.mobiledetail | 500K+
Call History Any Number Detail | com.cddhaduk.callerid.block.contact | 500K+
Call History Of Any Number | com.basehistory.historydownloading | 500K+
Call History of Any Numbers | com.name.of.any.number | 100K+
Call History Of Any Number | com.rajni.callhistory | 100K+
Call History Any Number Detail | com.callhistory.calldetails.callerids.callerhistory.callhostoryanynumber.getcall.history.callhistorymanager | 100K+
Call History Any Number Detail | com.callinformative.instantcallhistory.callhistorybluethem.callinfo | 100K+
Call History Any Number detail | com.name.element.caller.historical past | 100K+
Call History Any Number Detail | com.anycallinformation.datadetailswho.callinfo.numberfinder | 100K+
Call History Any Number Detail | com.callhistory.callhistoryyourgf | 100K+
Call History Any Number | com.calldetails.smshistory.callhistoryofanynumber | 50K+
Call History Any Number Detail | com.callhistory.anynumber.chapfvor.history | 50K+
Call History of Any Number | com.callhistory.callhistoryany.name | 50K+
Call History Any Number Detail | com.title.issue | 50K+
Call History Of Any Number | com.getanynumberofcallhistory.callhistoryofanynumber.findcalldetailsofanynumber | 50K+
Call History Of Any Number | com.chdev.callhistory | 10K+
Phone Call History Tracker | com.cellphone.name.history.tracker | 10K+
Call History- Any Number Deta | com.pdf.maker.pdfreader.pdfscanner | 10K+
Call History Of Any Number | com.any.numbers.calls.historical past | 10K+
Call History Any Number Detail | com.callapp.historyero | 1K+
Call History – Any Number Information | all.callhistory.detail | 500+
Call History For Any Number | com.easyranktools.callhistoryforanynumber | 100+
Call History of Numbers | com.sbpinfotech.findlocationofanynumber | 100+
Call History of Any Number | callhistoryeditor.callhistory.numberdetails.calleridlocator | 50+
Call History Professional | com.all_historydownload.anynumber.callhistorybackup | 50+

IoCs

A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.


Network

IP | Domain | Hosting provider | First seen | Details
34.120.160[.]131 | call-history-7cda4-default-rtdb.firebaseio[.]com, call-history-ecc1e-default-rtdb.firebaseio[.]com | Google LLC | 2025‑05‑14 | CallPhantom C&C server.
34.120.206[.]254 | ch-ap-4-default-rtdb.firebaseio[.]com, chh1-ac0a3-default-rtdb.firebaseio[.]com | Google LLC | 2025‑04‑17 | CallPhantom C&C server.

MITRE ATT&CK techniques

This table was built using version 18 of the MITRE ATT&CK framework.

Tactic | ID | Name | Description
Command and Control | T1437.001 | Application Layer Protocol: Web Protocols | CallPhantom uses Firebase Cloud Messaging for C&C communication.
Impact | T1643 | Generate Traffic from Victim | CallPhantom tries to achieve fraudulent billing.
