Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Gemini CLI Vulnerability Lets Attackers Build Botnets in Minutes
July 15, 2026
US Charges Two Bulletproof Hosting Firms for Aiding Cybercrime
July 15, 2026
Critical Dell PowerProtect flaws let attackers gain full system access
July 15, 2026
Home/Threats/Fake Call History Apps on Google Play Steal Payments From 7.3M+ Users
Threats

Fake Call History Apps on Google Play Steal Payments From 7.3M+ Users

Key Takeaways A family of 28 fraudulent Android applications, collectively named CallPhantom, duped over 7.3 million users into paying for fabricated call history data. These apps, now removed from...

Marcus Rodriguez
Marcus Rodriguez
May 7, 2026 5 Min Read
65 0

Key Takeaways

  • A family of 28 fraudulent Android applications, collectively named CallPhantom, duped over 7.3 million users into paying for fabricated call history data.
  • These apps, now removed from Google Play, promised to reveal any phone number’s call history but delivered only fake information.
  • Victims primarily in India and the Asia-Pacific region incurred financial losses through various payment methods, some of which bypassed Google’s refund mechanisms.
  • The deception was deeply embedded, with pre-programmed fake data and aggressive tactics to pressure users into subscriptions ranging up to $80.

Widespread Android Scam “CallPhantom” Defrauds Millions

A sophisticated network of 28 deceptive Android applications, identified as CallPhantom, successfully amassed over 7.3 million downloads on the Google Play Store before their eventual removal. These applications lured users with the enticing, yet false, promise of providing comprehensive call histories for any phone number. Instead, they delivered entirely fabricated data while siphoning payments from unsuspecting individuals, as detailed in a recent security analysis.

Table Of Content

  • Key Takeaways
  • Widespread Android Scam “CallPhantom” Defrauds Millions
  • ESET Research Uncovers CallPhantom Operation
  • Deceptive Tactics and Payment Mechanisms
  • Bypassing Refunds and Staying Under the Radar
  • What You Should Do

The scheme capitalized on human curiosity. Users seeking to uncover who had called a particular number were presented with what appeared to be partial call records. To access the “full” history, which was generated bogus data, users were then prompted to make a payment.

ESET Research Uncovers CallPhantom Operation

Researchers at WeLiveSecurity were instrumental in identifying and reporting these 28 malicious applications to Google. Their investigation revealed that the apps had collectively garnered more than 7.3 million downloads before Google took action to remove them following ESET’s disclosure in December 2025.

The primary target demographic for these applications was Android users in India and the broader Asia-Pacific region. Many of the apps featured India’s country code pre-selected and integrated support for UPI, a widely adopted payment system across India. The developers even included screenshots of the fabricated call history data within the apps’ Play Store listings, deceptively presenting them as genuine proof of functionality.

Deceptive Tactics and Payment Mechanisms

Despite superficial differences in their presentation, all 28 CallPhantom applications shared a common fraudulent core: generating fake communication data and coercing users into paying for access. Subscription tiers varied from weekly to yearly, with the most expensive option reaching $80.

The CallPhantom apps were categorized into two primary clusters based on their operational methods. The first group contained hardcoded names, country codes, and call log templates directly embedded within their application code. These pre-programmed elements were then combined with randomly generated phone numbers and displayed to users as tantalizing partial results, compelling them to pay for a complete, albeit fake, record.

The second cluster of applications required users to submit an email address, falsely claiming that the retrieved call history would be delivered to that inbox. No actual data was ever generated until after a payment was made, and even then, no legitimate information was ever dispatched. Crucially, these apps lacked any genuine capability to access call logs, SMS records, or WhatsApp data from any device.

Hardcoded call log data used by the app (Source - Welivesecurity)
Hardcoded call log data used by the app (Source – Welivesecurity)

This deep integration of fabricated data, including fixed names and timestamps, demonstrated a calculated effort to deceive users from the moment the app was installed.

The payment infrastructure employed by these apps involved three distinct methods. Some applications utilized Google Play’s official billing system. Others redirected users to third-party UPI applications, with payment details either hardcoded or dynamically fetched from a Firebase real-time database, allowing the operators to frequently change the receiving accounts. A third, more egregious method involved embedding payment card checkout forms directly within the app itself. This tactic circumvented Google Play’s payment policies and significantly complicated the process for victims seeking refunds.

Bypassing Refunds and Staying Under the Radar

A key strategy employed by CallPhantom operators was to direct users towards payment channels that Google could not easily reverse. When transactions were processed through external UPI applications or via direct card entry within the app, Google lacked the authority to cancel payments or issue refunds. This left victims entirely reliant on the third-party payment providers or, more often, the fraudulent developers themselves.

Google Play seemingly demonstrating the fraudulent app’s functionality (Source - Welivesecurity)
Google Play seemingly demonstrating the fraudulent app’s functionality (Source – Welivesecurity)

In at least one instance, the applications sent deceptive notifications disguised as email alerts, falsely claiming that call history results had arrived. Tapping these notifications would immediately lead the user to a subscription payment screen, maintaining pressure even if they had previously exited the app without purchasing.

What You Should Do

  • Check for Refunds: If you subscribed through Google Play’s official billing system, you might be eligible for a refund, as subscriptions were canceled upon the apps’ removal. Submit a refund request within Google’s specified window.
  • Dispute Charges: For purchases made outside of Google Play (e.g., via UPI or direct card entry), contact your payment provider or card issuer immediately to dispute the charges.
  • Verify Developer Credibility: Before downloading any app, especially those promising access to sensitive or private information, thoroughly research the developer. Look for official websites, legitimate contact information, and a history of reputable applications.
  • Read User Reviews Critically: Pay close attention to user reviews. Be wary of apps with generic positive reviews or those with a high number of negative reviews reporting similar issues (e.g., non-functional features, unexpected charges).
  • Be Skeptical of Unrealistic Promises: Exercise extreme caution with applications that claim to provide access to private data belonging to other individuals (like call histories or private messages). Such claims are often indicative of a scam.
  • Review App Permissions: Before installing, always review the permissions an app requests. If an app requests permissions that seem excessive or unrelated to its stated function, it could be a red flag.

Indicators of Compromise (IoCs):-

Type Indicator Description
SHA-1 Hash 799AA5127CA54239D3D4A14367DB3B712012CF14 all.callhistory.detail.apk — Android/CallPhantom
SHA-1 Hash 56A4FD71D1E4BBA2C5C240BE0D794DCFF709D9EB calldetaila.ndcallhisto.rytogetan.ynumber.apk — Android/CallPhantom
SHA-1 Hash EC5E470753E76614CD28ECF6A3591F08770B7215 callhistoryeditor.callhistory.numberdetails.calleridlocator.apk — Android/CallPhantom
SHA-1 Hash 77C8B7BEC79E7D9AE0D0C02DEC4E9AC510429AD8 com.all_historydownload.anynumber.callhistorybackup.apk — Android/CallPhantom
SHA-1 Hash 9484EFD4C19969F57AFB0C21E6E1A4249C209305 com.any.numbers.calls.history.apk — Android/CallPhantom
SHA-1 Hash CE97CA7FEECDCAFC6B8E9BD83A370DFA5C336C0A com.anycallinformation.datadetailswho.callinfo.numberfinder.xapk — Android/CallPhantom
SHA-1 Hash FC3BA2EDAC0BB9801F8535E36F0BCC49ADA5FA5A com.app.call.detail.history.apk — Android/CallPhantom
SHA-1 Hash B7B80FA34A41E3259E377C0D843643FF736803B8 com.basehistory.historydownloading.xapk — Android/CallPhantom
SHA-1 Hash F0A8EBD7C4179636BE752ECCFC6BD9E4CD5C7F2C com.call.detail.caller.history.xapk — Android/CallPhantom
SHA-1 Hash D021E7A0CF45EECC7EE8F57149138725DC77DC9A com.call.of.any.number.apk — Android/CallPhantom
SHA-1 Hash 04D2221967FFC4312AFDC9B06A0B923BF3579E93 com.callapp.historyero.apk — Android/CallPhantom
SHA-1 Hash CB31ED027FADBFA3BFFDBC8A84EE1A48A0B7C11D com.calldetails.smshistory.callhistoryofanynumber.apk — Android/CallPhantom
SHA-1 Hash C840A85B5FBAF1ED3E0F18A10A6520B337A94D4C com.callhistory.anynumber.chapfvor.history.xapk — Android/CallPhantom
SHA-1 Hash BB6260CA856C37885BF9E952CA3D7E95398DDABF com.callhistory.calldetails.callerids…callhistorymanager.apk — Android/CallPhantom
SHA-1 Hash 55D46813047E98879901FD2416A23ACF8D8828F5 com.callhistory.callhistoryany.call.apk — Android/CallPhantom
SHA-1 Hash E23D3905443CDBF4F1B9CA84A6FF250B6D89E093 com.callhistory.callhistoryyourgf.apk — Android/CallPhantom
SHA-1 Hash 89ECEC01CCB15FCDD2F64E07D0E876A9E79DD3CE com.callinformative.instantcallhistory…callinfo.xapk — Android/CallPhantom
SHA-1 Hash 8EC557302145B40FE0898105752FFF5E357D7AC9 com.cddhaduk.callerid.block.contact.xapk — Android/CallPhantom
SHA-1 Hash 6F72FF58A67EF7AAA79CE2342012326C7B46429D com.easyranktools.callhistoryforanynumber.apk — Android/CallPhantom
SHA-1 Hash 28D3F36BD43D48F02C5058EDD1509E4488112154 com.getanynumberofcallhistory…findcalldetailsofanynumber.xapk — Android/CallPhantom
SHA-1 Hash 47CEE9DED41B953A84FC9F6ED556EC3AF5BD9345 com.chdev.callhistory.xapk — Android/CallPhantom
SHA-1 Hash 9199A376B433F888AFE962C9BBD991622E8D39F9 com.name.factor.apk — Android/CallPhantom
SHA-1 Hash 053A6A723FA2BFDA8A1B113E8A98DD04C6EEF72A com.pdf.maker.pdfreader.pdfscanner.apk — Android/CallPhantom
SHA-1 Hash 4B537A7152179BBA19D63C9EF287F1AC366AB5CB com.phone.call.history.tracker.apk — Android/CallPhantom
SHA-1 Hash 87F6B2DB155192692BAD1F26F6AEBB04DBF23AAD com.pixelxinnovation.manager.apk — Android/CallPhantom
SHA-1 Hash 583D0E7113795C7D68686D37CE7A41535CF56960 com.rajni.callhistory.apk — Android/CallPhantom
SHA-1 Hash 45D04E06D8B329A01E680539D798DD3AE68904DA com.sbpinfotech.findlocationofanynumber.xapk — Android/CallPhantom
SHA-1 Hash 34393950A950F5651F3F7811B815B5A21F84A84B sc.call.ofany.mobiledetail.apk — Android/CallPhantom
IP Address 34.120.160[.]131 Firebase-hosted C2 IP, Google LLC, first seen 2025
IP Address 34.120.206[.]254 Firebase-hosted C2 IP, Google LLC, first seen 2025
Domain call-history-7cda4-default-rtdb.firebaseio[.]com Firebase real-time database used for C2 communication
Domain call-history-ecc1e-default-rtdb.firebaseio[.]com Firebase real-time database used for C2 communication
Domain ch-ap-4-default-rtdb.firebaseio[.]com Firebase real-time database used for payment URL delivery
Domain chh1-ac0a3-default-rtdb.firebaseio[.]com Firebase real-time database used for payment URL delivery

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

ExploitSecurityThreat

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

Malicious NuGet Packages Steal Browser Credentials, SSH Keys, Crypto Wallets

Next Post

Critical GoDaddy ManageWP Flaw Lets Attackers Steal Credentials

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Windows RDP Bugs Expose Sensitive Data, Patch Now
July 15, 2026
LabubaRAT Malware Impersonates NVIDIA to Hijack Windows Systems
July 15, 2026
Chrome 150 Update Patches 15 Flaws, Two Critical Code Execution Vulnerabilities
July 15, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us