Fake Call History Apps on Google Play Steal Payments From 7.3M+ Users
Key Takeaways A family of 28 fraudulent Android applications, collectively named CallPhantom, duped over 7.3 million users into paying for fabricated call history data. These apps, now removed from...
Key Takeaways
- A family of 28 fraudulent Android applications, collectively named CallPhantom, duped over 7.3 million users into paying for fabricated call history data.
- These apps, now removed from Google Play, promised to reveal any phone number’s call history but delivered only fake information.
- Victims primarily in India and the Asia-Pacific region incurred financial losses through various payment methods, some of which bypassed Google’s refund mechanisms.
- The deception was deeply embedded, with pre-programmed fake data and aggressive tactics to pressure users into subscriptions ranging up to $80.
Widespread Android Scam “CallPhantom” Defrauds Millions
A sophisticated network of 28 deceptive Android applications, identified as CallPhantom, successfully amassed over 7.3 million downloads on the Google Play Store before their eventual removal. These applications lured users with the enticing, yet false, promise of providing comprehensive call histories for any phone number. Instead, they delivered entirely fabricated data while siphoning payments from unsuspecting individuals, as detailed in a recent security analysis.
Table Of Content
The scheme capitalized on human curiosity. Users seeking to uncover who had called a particular number were presented with what appeared to be partial call records. To access the “full” history, which was generated bogus data, users were then prompted to make a payment.
ESET Research Uncovers CallPhantom Operation
Researchers at WeLiveSecurity were instrumental in identifying and reporting these 28 malicious applications to Google. Their investigation revealed that the apps had collectively garnered more than 7.3 million downloads before Google took action to remove them following ESET’s disclosure in December 2025.
The primary target demographic for these applications was Android users in India and the broader Asia-Pacific region. Many of the apps featured India’s country code pre-selected and integrated support for UPI, a widely adopted payment system across India. The developers even included screenshots of the fabricated call history data within the apps’ Play Store listings, deceptively presenting them as genuine proof of functionality.
Deceptive Tactics and Payment Mechanisms
Despite superficial differences in their presentation, all 28 CallPhantom applications shared a common fraudulent core: generating fake communication data and coercing users into paying for access. Subscription tiers varied from weekly to yearly, with the most expensive option reaching $80.
The CallPhantom apps were categorized into two primary clusters based on their operational methods. The first group contained hardcoded names, country codes, and call log templates directly embedded within their application code. These pre-programmed elements were then combined with randomly generated phone numbers and displayed to users as tantalizing partial results, compelling them to pay for a complete, albeit fake, record.
The second cluster of applications required users to submit an email address, falsely claiming that the retrieved call history would be delivered to that inbox. No actual data was ever generated until after a payment was made, and even then, no legitimate information was ever dispatched. Crucially, these apps lacked any genuine capability to access call logs, SMS records, or WhatsApp data from any device.

This deep integration of fabricated data, including fixed names and timestamps, demonstrated a calculated effort to deceive users from the moment the app was installed.
The payment infrastructure employed by these apps involved three distinct methods. Some applications utilized Google Play’s official billing system. Others redirected users to third-party UPI applications, with payment details either hardcoded or dynamically fetched from a Firebase real-time database, allowing the operators to frequently change the receiving accounts. A third, more egregious method involved embedding payment card checkout forms directly within the app itself. This tactic circumvented Google Play’s payment policies and significantly complicated the process for victims seeking refunds.
Bypassing Refunds and Staying Under the Radar
A key strategy employed by CallPhantom operators was to direct users towards payment channels that Google could not easily reverse. When transactions were processed through external UPI applications or via direct card entry within the app, Google lacked the authority to cancel payments or issue refunds. This left victims entirely reliant on the third-party payment providers or, more often, the fraudulent developers themselves.

In at least one instance, the applications sent deceptive notifications disguised as email alerts, falsely claiming that call history results had arrived. Tapping these notifications would immediately lead the user to a subscription payment screen, maintaining pressure even if they had previously exited the app without purchasing.
What You Should Do
- Check for Refunds: If you subscribed through Google Play’s official billing system, you might be eligible for a refund, as subscriptions were canceled upon the apps’ removal. Submit a refund request within Google’s specified window.
- Dispute Charges: For purchases made outside of Google Play (e.g., via UPI or direct card entry), contact your payment provider or card issuer immediately to dispute the charges.
- Verify Developer Credibility: Before downloading any app, especially those promising access to sensitive or private information, thoroughly research the developer. Look for official websites, legitimate contact information, and a history of reputable applications.
- Read User Reviews Critically: Pay close attention to user reviews. Be wary of apps with generic positive reviews or those with a high number of negative reviews reporting similar issues (e.g., non-functional features, unexpected charges).
- Be Skeptical of Unrealistic Promises: Exercise extreme caution with applications that claim to provide access to private data belonging to other individuals (like call histories or private messages). Such claims are often indicative of a scam.
- Review App Permissions: Before installing, always review the permissions an app requests. If an app requests permissions that seem excessive or unrelated to its stated function, it could be a red flag.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| SHA-1 Hash | 799AA5127CA54239D3D4A14367DB3B712012CF14 | all.callhistory.detail.apk — Android/CallPhantom |
| SHA-1 Hash | 56A4FD71D1E4BBA2C5C240BE0D794DCFF709D9EB | calldetaila.ndcallhisto.rytogetan.ynumber.apk — Android/CallPhantom |
| SHA-1 Hash | EC5E470753E76614CD28ECF6A3591F08770B7215 | callhistoryeditor.callhistory.numberdetails.calleridlocator.apk — Android/CallPhantom |
| SHA-1 Hash | 77C8B7BEC79E7D9AE0D0C02DEC4E9AC510429AD8 | com.all_historydownload.anynumber.callhistorybackup.apk — Android/CallPhantom |
| SHA-1 Hash | 9484EFD4C19969F57AFB0C21E6E1A4249C209305 | com.any.numbers.calls.history.apk — Android/CallPhantom |
| SHA-1 Hash | CE97CA7FEECDCAFC6B8E9BD83A370DFA5C336C0A | com.anycallinformation.datadetailswho.callinfo.numberfinder.xapk — Android/CallPhantom |
| SHA-1 Hash | FC3BA2EDAC0BB9801F8535E36F0BCC49ADA5FA5A | com.app.call.detail.history.apk — Android/CallPhantom |
| SHA-1 Hash | B7B80FA34A41E3259E377C0D843643FF736803B8 | com.basehistory.historydownloading.xapk — Android/CallPhantom |
| SHA-1 Hash | F0A8EBD7C4179636BE752ECCFC6BD9E4CD5C7F2C | com.call.detail.caller.history.xapk — Android/CallPhantom |
| SHA-1 Hash | D021E7A0CF45EECC7EE8F57149138725DC77DC9A | com.call.of.any.number.apk — Android/CallPhantom |
| SHA-1 Hash | 04D2221967FFC4312AFDC9B06A0B923BF3579E93 | com.callapp.historyero.apk — Android/CallPhantom |
| SHA-1 Hash | CB31ED027FADBFA3BFFDBC8A84EE1A48A0B7C11D | com.calldetails.smshistory.callhistoryofanynumber.apk — Android/CallPhantom |
| SHA-1 Hash | C840A85B5FBAF1ED3E0F18A10A6520B337A94D4C | com.callhistory.anynumber.chapfvor.history.xapk — Android/CallPhantom |
| SHA-1 Hash | BB6260CA856C37885BF9E952CA3D7E95398DDABF | com.callhistory.calldetails.callerids…callhistorymanager.apk — Android/CallPhantom |
| SHA-1 Hash | 55D46813047E98879901FD2416A23ACF8D8828F5 | com.callhistory.callhistoryany.call.apk — Android/CallPhantom |
| SHA-1 Hash | E23D3905443CDBF4F1B9CA84A6FF250B6D89E093 | com.callhistory.callhistoryyourgf.apk — Android/CallPhantom |
| SHA-1 Hash | 89ECEC01CCB15FCDD2F64E07D0E876A9E79DD3CE | com.callinformative.instantcallhistory…callinfo.xapk — Android/CallPhantom |
| SHA-1 Hash | 8EC557302145B40FE0898105752FFF5E357D7AC9 | com.cddhaduk.callerid.block.contact.xapk — Android/CallPhantom |
| SHA-1 Hash | 6F72FF58A67EF7AAA79CE2342012326C7B46429D | com.easyranktools.callhistoryforanynumber.apk — Android/CallPhantom |
| SHA-1 Hash | 28D3F36BD43D48F02C5058EDD1509E4488112154 | com.getanynumberofcallhistory…findcalldetailsofanynumber.xapk — Android/CallPhantom |
| SHA-1 Hash | 47CEE9DED41B953A84FC9F6ED556EC3AF5BD9345 | com.chdev.callhistory.xapk — Android/CallPhantom |
| SHA-1 Hash | 9199A376B433F888AFE962C9BBD991622E8D39F9 | com.name.factor.apk — Android/CallPhantom |
| SHA-1 Hash | 053A6A723FA2BFDA8A1B113E8A98DD04C6EEF72A | com.pdf.maker.pdfreader.pdfscanner.apk — Android/CallPhantom |
| SHA-1 Hash | 4B537A7152179BBA19D63C9EF287F1AC366AB5CB | com.phone.call.history.tracker.apk — Android/CallPhantom |
| SHA-1 Hash | 87F6B2DB155192692BAD1F26F6AEBB04DBF23AAD | com.pixelxinnovation.manager.apk — Android/CallPhantom |
| SHA-1 Hash | 583D0E7113795C7D68686D37CE7A41535CF56960 | com.rajni.callhistory.apk — Android/CallPhantom |
| SHA-1 Hash | 45D04E06D8B329A01E680539D798DD3AE68904DA | com.sbpinfotech.findlocationofanynumber.xapk — Android/CallPhantom |
| SHA-1 Hash | 34393950A950F5651F3F7811B815B5A21F84A84B | sc.call.ofany.mobiledetail.apk — Android/CallPhantom |
| IP Address | 34.120.160[.]131 | Firebase-hosted C2 IP, Google LLC, first seen 2025 |
| IP Address | 34.120.206[.]254 | Firebase-hosted C2 IP, Google LLC, first seen 2025 |
| Domain | call-history-7cda4-default-rtdb.firebaseio[.]com | Firebase real-time database used for C2 communication |
| Domain | call-history-ecc1e-default-rtdb.firebaseio[.]com | Firebase real-time database used for C2 communication |
| Domain | ch-ap-4-default-rtdb.firebaseio[.]com | Firebase real-time database used for payment URL delivery |
| Domain | chh1-ac0a3-default-rtdb.firebaseio[.]com | Firebase real-time database used for payment URL delivery |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.