ESET researchers have identified 28 fraudulent Android applications on Google Play that collectively accumulated more than 7.3 million downloads before being removed, in a scam the cybersecurity firm has named CallPhantom.

The apps falsely claimed to provide users with access to call logs, SMS records, and WhatsApp call history for any phone number. Upon payment, users received only randomly generated data — fabricated numbers matched with fixed names, call times, and durations embedded directly in the app’s code.

How the Scam Operated

ESET’s investigation found three distinct payment methods used across the 28 apps, two of which violated Google Play‘s payments policy. Some apps used Google Play’s official billing system, while others directed users to third-party payment providers or embedded payment card checkout forms directly within the application — making refunds significantly more difficult to obtain.

Subscription pricing varied widely across the apps, with packages offered on weekly, monthly, or yearly terms. The highest price encountered was US$80, while the average entry-level subscription cost approximately €5.

ESET researcher Lukáš Štefanko, who uncovered the fraud, noted that the apps requested no intrusive permissions and contained no functionality capable of actually retrieving call, SMS, or WhatsApp data. The illusion of legitimacy relied entirely on fabricated output.

India the Primary Target; Apps Now Removed

The CallPhantom apps were primarily targeted at Android users in India, with many pre-selecting India’s +91 country code and supporting UPI as a payment method. ESET found that 53.7% of all CallPhantom detections worldwide originated in India.

As a member of the App Defense Alliance, ESET reported its findings to Google, which has since removed all identified apps from Google Play. Users who purchased subscriptions through Google Play’s official system had their subscriptions cancelled upon removal, with refunds available in some cases. Those who paid via third-party methods must seek recourse directly from their payment provider.