Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads  Ravie Lakshmanan  May 08, 2026 Android / Mobile Security Cybersecurity researchers have discovered fraudulent apps on the official Google Play Store for Android that falsely claimed to offer access to call histories for any phone number, only to trick users into joining a subscription that provided fake data and incurred financial loss. The 28 apps have collectively racked up more than 7.3 million downloads, with one of them alone accounting for over 3 million downloads, before they were taken down from the official app storefront.The activity, codenamed CallPhantom by Slovakian cybersecurity company ESET, primarily targeted Android users in India and the broader Asia-Pacific region. "The offending apps, which we named CallPhantom based on their false claims, purport to provide access to call histories, SMS records, and even WhatsApp call logs for any phone number," ESET security researcher Lukáš Štefanko said in a report shared with The Hacker News. "To unlock this supposed feature, users are asked to pay -- but all they get in return is randomly generated data." The list of identified apps is below - Call history : any number deta (calldetaila.ndcallhisto.rytogetan.ynumber) Call History of Any Number (com.pixelxinnovation.manager) Call Details of Any Number (com.app.call.detail.history) Call History Any Number Detail (sc.call.ofany.mobiledetail) Call History Any Number Detail (com.cddhaduk.callerid.block.contact) Call History Of Any Number (com.basehistory.historydownloading) Call History of Any Numbers (com.call.of.any.number) Call History Of Any Number (com.rajni.callhistory) Call History Any Number Detail (com.callhistory.calldetails.callerids.callerhistory.callhostoryanynumber.getcall.history.callhistorymanager) Call History Any Number Detail (com.callinformative.instantcallhistory.callhistorybluethem.callinfo) Call History Any Number detail (com.call.detail.caller.history) Call History Any Number Detail (com.anycallinformation.datadetailswho.callinfo.numberfinder) Call History Any Number Detail (com.callhistory.callhistoryyourgf) Call History Any Number (com.calldetails.smshistory.callhistoryofanynumber) Call History Any Number Detail (com.callhistory.anynumber.chapfvor.history) Call History of Any Number (com.callhistory.callhistoryany.call) Call History Any Number Detail (com.name.factor) Call History Of Any Number (com.getanynumberofcallhistory.callhistoryofanynumber.findcalldetailsofanynumber) Call History Of Any Number (com.chdev.callhistory) Phone Call History Tracker (com.phone.call.history.tracke) Call History- Any Number Deta (com.pdf.maker.pdfreader.pdfscanner) Call History Of Any Number (com.any.numbers.calls.history) Call History Any Number Detail (com.callapp.historyero) Call History - Any Number Data (all.callhistory.detail) Call History For Any Number (com.easyranktools.callhistoryforanynumber) Call History of Numbers (com.sbpinfotech.findlocationofanynumber) Call History of Any Number (callhistoryeditor.callhistory.numberdetails.calleridlocator) Call History Pro (com.all_historydownload.anynumber.callhistorybackup) At least one of the flagged apps was published under the developer name "Indian gov.in" in an attempt to build a false sense of trust and unsuspecting trick users into downloading it. However, this trick masks a nefarious motive where victims are asked to make a payment in order to view details of a phone number's call and SMS history. Once the payment is made, users are served entirely fabricated phone numbers and names directly embedded into the source code. Evidence indicates that the activity may have been active since at least November 2025 . A second cluster of these apps has been found to prompt users to enter their email address to which the purported details of any phone number would be delivered to. As in the prior case, no data is generated until a payment is made. The payments either rely on subscriptions via Google Play Store's official billing system or via third-party apps that support Unified Payments Interface (UPI), an instant payment system widely used in India. Ironically, this list includes Google Pay, Walmart-backed PhonePe, and Paytm. A third method includes payment card checkout forms directly inside the apps. The last two approaches are in violation of Google's policy. In at least one case, the apps implemented an additional trick to convince the user to make a payment. Should they exit the app without making any payment, it displays a deceptive notification claiming that a call history for a certain phone number had been successfully sent to their email address. Clicking on the notification directly takes the user to a subscription screen. The subscription plans vary across the app, ranging anywhere from about $6 to $80. Users who may have fallen prey to the scam should have had their subscriptions canceled after the apps were removed from the Google Play Store. What makes this activity notable is that the apps have a simple user interface and do not request any sensitive permissions. And to top it all, they do not even contain any functionality to retrieve call, SMS, or WhatsApp data. "Users who subscribed via official Google Play billing may be eligible for refunds under Google's refund policies," ESET said. "Purchases made via third‑party payment apps or through direct payment card entry cannot be refunded by Google, leaving users dependent on external payment providers or developers." The disclosure comes as Group-IB said bad actors have stolen an estimated $2 million from Indonesian users as part of a fraud campaign that involved posing as the country's tax platform, CoreTax, and other trusted brands. The campaign, which began in July 2025, has been linked to a financially motivated threat cluster called GoldFactory . "The attack chain integrates phishing websites, social engineering (WhatsApp), malicious APK sideloading, and voice phishing (vishing) to achieve full device compromise and unauthorized transfer execution," Group-IB said . At a high level, these attacks involve using social engineering to distribute the fake apps via WhatsApp, which, when installed, deploy Android malware such as Gigabud RAT , MMRat , and Taotie that are capable of harvesting sensitive data and downloading additional components. The stolen information is then used to conduct account takeover attacks and financial theft. "The malware infrastructure supporting this fraud campaign is not limited to a single impersonated service. The same infrastructure has been observed actively abusing more than 16 trusted brands, collectively targeting Indonesia’s broader population of approximately 287 million," Group-IB said. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post. SHARE      Tweet  Share  Share  Share   Share on Facebook  Share on Twitter  Share on Linkedin  Share on Reddit  Share on Hacker News  Share on Email  Share on WhatsApp Share on Facebook Messenger  Share on Telegram SHARE  Android , cybersecurity , ESET , Google Play Store , Group-IB , mobile security , social engineering ⚡ Top Stories This Week Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain Apple Fixes iOS Flaw That Let FBI Recover Deleted Signal Messages Vercel Finds More Compromised Accounts in Context.ai-Linked Breach ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches Researchers Uncover Pre-Stuxnet ‘fast16’ Malware Targeting Engineering Software ⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking and More Checkmarx Confirms GitHub Repository Data Posted on Dark Web After March 23 Attack Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202 Chinese Silk Typhoon Hacker Extradited to U.S. Over COVID Research Cyberattacks Microsoft Patches Entra ID Role Flaw That Enabled Service Principal Takeover Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately ⭐ Featured Resources [Webinar] Stop Chasing Alerts and Start Focusing on Real Exposures [Guide] How to Enable Secure Data Movement Without Added Risk Learn How Hidden Identity Blind Spots Weaken Your Security Systems [Guide] Learn a Practical Framework to Evaluate AI Tools for Production