Inside ‘CallPhantom’: Unmasking the Sophisticated Subscription Scams Targeting Android Users

A massive coordinated campaign of fraudulent utilities has been uncovered on the Google Play Store, where 28 deceptive applications—collectively amassing over 7.3 million installs—have been exposed as sophisticated subscription scams.

Operating under the moniker “CallPhantom,” these apps use social engineering to trick users into paying for fabricated telecommunications data that is technically impossible to retrieve.

The scam relies on an impossible value proposition: promising users granular access to call histories, SMS logs, and even WhatsApp communication records for any arbitrary phone number. To add a layer of unearned authority, some developers employed deceptive branding; for instance, one app titled “Call History of Any Number” masqueraded under the developer name “Indian gov.in,” falsely implying official government sanction.

The typical user journey begins with a simple interface where the victim enters a target phone number. The app then presents a “loading” state, eventually locking the supposed data behind a paywall. These paywalls are structured as recurring weekly, monthly, or annual subscriptions designed to drain user funds over time.

The Technical Illusion: How Fabricated Logs are Generated

Security researchers at ESET performed a deep dive into the application logic and discovered that these apps possess no actual integration with telecommunications infrastructure. From a technical standpoint, the apps do not even request the standard Android permissions required to read local device logs or SMS databases, meaning they are incapable of seeing any legitimate data on the user’s own device, let alone a remote one.

The “results” displayed to users are nothing more than a digital sleight of hand. ESET’s analysis identified two primary methods of data fabrication:

  • Template-Driven Generation: One cluster of apps utilizes hardcoded arrays containing randomized names, country codes, and timestamps. When a user enters a number, the app’s logic engine combines these static elements with a random number generator to create “sample” records. These partial logs are shown for free to build trust before prompting for payment to “unlock” the full list.
  • Post-Payment Fabrication: A second cluster employs a “promise-and-deliver” model. The app collects a user’s email address and promises a full report via email. However, the generation of the fabricated log is programmatically triggered only after a successful transaction is confirmed.
CallPhantom requests the user’s email address where call logs would supposedly be delivered (Source : ESET).
CallPhantom prompts users for email addresses, creating a false sense of a formal delivery process. (Source : ESET).

To maximize conversion rates, some variants utilize “dark patterns” in the form of fake system notifications. If a user attempts to exit the app without subscribing, the software triggers notifications styled to look like legitimate system alerts or new emails, claiming a report is ready, which redirects the user straight back to the subscription screen.

Call History of Any Number app on Google Play (Source : ESET).
The deceptive interface of the “Call History of Any Number” app. (Source : ESET).

Bypassing Protections: The Three Payment Pathways

The CallPhantom campaign is particularly insidious due to its varied approach to financial exfiltration. While some apps adhered to Google Play’s standard billing protocols, others actively sought to bypass the platform’s security and refund mechanisms.

  1. Standard Google Play Billing: These apps use the official API, allowing users to manage or cancel subscriptions through their Google account.
  2. Third-Party UPI Redirection: Targeting the Asia-Pacific region, particularly India, these apps direct users to external Unified Payments Interface (UPI) apps. To evade detection, the developers used a Firebase Realtime Database to remotely host and rotate receiving account URLs, allowing them to change where the money is sent in real-time.
  3. Direct Card Injection: The most high-risk variant embeds custom credit card forms directly within the app interface. This bypasses Google’s revenue-sharing model entirely and leaves users with almost no recourse if their financial data is compromised.
CallPhantom apps found on the Play Store (Source : ESET).
A snapshot of the CallPhantom ecosystem found on the Play Store. (Source : ESET).

Remediation and Victim Guidance

Following the report by ESET, Google has removed all 28 identified applications and cancelled associated Play-billing subscriptions. However, the path to recovery depends heavily on how the transaction was processed:

  • If paid via Google Play: Users should immediately visit their Google Play subscription management page to request a refund through official channels.
  • If paid via UPI or Direct Card Entry: Google cannot facilitate refunds for off-platform transactions. Victims must contact their banking institution, credit card issuer, or UPI service provider immediately to report fraudulent activity and potentially initiate a chargeback.

The Bottom Line: No legitimate consumer application has the technical or legal authority to access the private call or SMS logs of a third-party phone number. Any app claiming to do so should be treated as a high-risk security threat and avoided entirely.

Related Articles

Back to top button