Fake call logs, real payments: How CallPhantom tricks Android users
CallPhantom is a collection of 28 fraudulent Android apps discovered on Google Play that falsely promise call logs, SMS records, and WhatsApp histories for any phone number. These apps were downloaded over 7.3 million times before removal and primarily targeted users in India and the Asia-Pacific region. They display fabricated communication data generated from hardcoded names and random numbers only after users pay subscription fees ranging from €5 to $80. The scam uses three payment methods, including bypassing Google Play's billing system via third-party UPI payments or direct card entry, complicating refund processes. The apps exploit user curiosity about private communication data but deliver no real information, constituting a subscription fraud scheme. There is no indication of malware infection or data theft beyond the fraudulent payments. No official patch or remediation is applicable since the apps have been removed from Google Play.
AI Analysis
Technical Summary
ESET researchers identified 28 fraudulent Android applications named CallPhantom on Google Play that claim to provide call histories, SMS, and WhatsApp logs for any phone number. These apps generate fake data using hardcoded names and random phone numbers, showing this fabricated information only after users pay for subscriptions. The payment methods include Google Play billing, third-party UPI payments, and direct card entry, with some methods circumventing Google Play's official system, making refunds difficult. The apps were downloaded over 7.3 million times, mainly targeting users in India and the Asia-Pacific region. The scam leverages user interest in private communication data to extract payments for worthless services. The apps have since been removed from Google Play, and no exploits or malware infections are reported.
Potential Impact
Users who installed these fraudulent apps and paid for subscriptions were charged between €5 and $80 for fabricated call and message logs that have no real data value. The scam results in financial loss and difficulty obtaining refunds, especially when payments bypass Google Play's official billing system. There is no evidence of device compromise, data theft, or malware infection. The primary impact is monetary fraud targeting Android users, predominantly in India and the Asia-Pacific region.
Mitigation Recommendations
The fraudulent CallPhantom apps have been removed from Google Play, effectively mitigating further distribution through this channel. Users should uninstall any versions of these apps if still present on their devices. Since some payment methods bypass Google Play's billing system, affected users may need to contact their payment providers or banks to dispute unauthorized charges. No official patch or update is applicable as this is a fraud scheme rather than a software vulnerability. Users should avoid installing apps promising private communication data and rely only on trusted sources.
Affected Countries
India
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.welivesecurity.com/en/eset-research/fake-call-logs-real-payments-how-callphantom-tricks-android-users/
- Adversary: null
- Pulse Id: 69fcc63f67fc5f79f089ed5c
- Threat Score: null
Threat ID: 69fda78fcbff5d8610b56231
Added to database: 5/8/2026, 9:06:23 AM
Last enriched: 5/8/2026, 9:21:28 AM
Last updated: 5/8/2026, 1:40:38 PM