Cybercrime
Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads
Cyber RT | May 11, 2026 | 3 min read

Cybersecurity researchers discovered 28 fraudulent apps on the Google Play Store, collectively downloaded over 7.3 million times, that falsely promised access to call histories. Dubbed CallPhantom by ESET, these apps targeted Android users in India and the Asia-Pacific region, tricking them into costly subscriptions for fake data. Some of the payment methods the apps used violated Google's policies, and the apps lacked any functionality to access actual call or SMS data.
Cybersecurity researchers have identified a series of fraudulent applications on the Google Play Store that misled users by claiming to provide access to call histories for any phone number. These apps tricked users into subscribing to services that only delivered fake data, resulting in financial losses. Collectively, these 28 apps amassed over 7.3 million downloads before being removed from the store. The fraudulent activity, dubbed CallPhantom by ESET, primarily targeted Android users in India and the Asia-Pacific region.
The apps falsely promised access to call histories, SMS records, and WhatsApp call logs for any phone number. Users were required to pay to unlock these features, but instead received randomly generated data. The apps were cleverly named to suggest legitimacy, and one was even published under the developer name "Indian gov.in" to create a false sense of trust among users.
The fraudulent apps exploited users by prompting them to enter their email addresses, promising to send call and SMS history details after payment. Payments were processed through Google Play Store subscriptions, third-party apps like Google Pay, PhonePe, and Paytm, or directly via payment card forms within the apps. The latter two methods violated Google's policies, further highlighting the deceptive nature of these apps.
Some apps employed additional tactics to coerce payments, such as displaying fake notifications claiming that call histories had been sent to users' email addresses. Clicking these notifications redirected users to subscription screens. Subscription costs ranged from $6 to $80. Users were encouraged to cancel subscriptions after the apps were removed from the Play Store.
Despite their fraudulent nature, the apps featured simple user interfaces and did not request sensitive permissions. They lacked the functionality to access call, SMS, or WhatsApp data, making their claims entirely baseless. ESET noted that users who subscribed via Google Play billing might be eligible for refunds, but those who used third-party payment methods would need to seek refunds from external providers.
This disclosure coincides with another fraud campaign identified by Group-IB, which involved bad actors stealing approximately $2 million from Indonesian users by posing as the country's tax platform and other trusted brands. This campaign, linked to a threat cluster called GoldFactory, began in July 2025 and utilized phishing websites, social engineering, and malicious APK sideloading to compromise devices and execute unauthorized transfers.
The attacks leveraged social engineering tactics to distribute fake apps via WhatsApp, which, once installed, deployed Android malware capable of harvesting sensitive data. This information was then used for account takeover attacks and financial theft. The malware infrastructure supporting this campaign targeted over 16 trusted brands, affecting Indonesia's broader population of around 287 million people.
In conclusion, these fraudulent activities highlight the ongoing threat of cybercrime and the importance of vigilance when downloading apps. Users are encouraged to verify app legitimacy, be cautious of unsolicited requests for payment, and report suspicious apps to prevent further exploitation.


