CallPhantom scam hit 7.3 million downloads

Android scam apps usually promise something shady or magical. This batch promised both — call logs, SMS records, even WhatsApp history for any phone number. That is not a thing normal apps can do, but 28 Google Play apps still pulled in more than 7.3 million downloads before ESET got them removed on May 7, 2026. The ugly part is that the apps did not need to hack phones to hurt people. They just needed users to pay. ### What were these apps selling? They sold the fantasy of surveillance. The apps claimed they could show another person’s call history, text records, or WhatsApp call logs if you typed in a phone number. Some used names like “Call History Manager” or “Any Number Call Details,” which made them look like boring utility tools instead of scams. But Android does not let a random app pull private records from someone else’s device or carrier account, so the pitch was impossible from the start. ### So what happened after people installed them? Users got pushed into a payment flow. Sometimes that meant a subscription through Google Play Billing. Sometimes it meant a direct UPI payment, which is common in India and makes refunds messier when the transaction happens outside Google’s normal rails. After payment, the apps returned fake results — basically fabricated call logs dressed up as real data. In other cases, they kept nagging users to pay again for “full” access. (eset.com) ### Why did so many people fall for it? Because the scam sat inside Google Play, where people expect at least a baseline level of trust. The apps also tapped into a very old impulse — wanting to peek into someone else’s communications. That sounds obviously dubious when said out loud, but scam economics love exactly this kind of curiosity gap. If the promise is emotionally charged enough, a lot of people stop asking whether the feature is technically possible. (thehackernews.com) ### Who did this target? Mostly Android users in India and the broader Asia-Pacific region. ESET says many of the apps had India’s +91 country code preselected, and several supported UPI payments, which points pretty clearly at the intended audience. One especially telling stat: 53.7% of all CallPhantom detections were in India. (androidauthority.com) ### Why is this different from a normal malware story? Because the damage came from fraud more than device compromise. These apps did not need to steal contacts, root phones, or drop spyware. They monetized belief. That matters because app-store defenses are often better at catching obviously malicious code than apps whose main crime is lying, charging money, and delivering nonsense. Basically, the payload was the fake service itself. (eset.com) ### How big was the campaign? Big enough to be embarrassing for Google Play. ESET counted 28 apps and more than 7.3 million cumulative downloads. One app alone crossed 3 million installs before removal. ESET says it reported the cluster to Google on December 16, 2025, and the apps are now gone from the store. ### What should Android users take from this? (eset.com) If an app promises access to another person’s private call or message history, assume scam first. Then check the boring stuff — permissions, payment method, reviews, publisher history, and whether the feature even makes technical sense. A clean-looking Play Store listing is not proof that the product is real. In this case, that gap between “listed” and “legit” cost a lot of people real money. (thehackernews.com) ### Bottom line CallPhantom worked because it did not need sophisticated malware. It needed an impossible promise, a polished app page, and a payment button. That is a useful reminder — on mobile, the most effective scam is often the one that looks like a service, not a virus. (eset.com)