CallPhantom apps hit 7.3M installs
- ESET said 28 Google Play apps in its “CallPhantom” cluster were removed after promising call logs for any number and racking up 7.3 million installs.
- One app alone topped 3 million downloads, and several apps pushed users into off-Play payments, including UPI, making refunds much harder.
- The scam shows Play abuse is scaling through fake utility apps, not obvious malware, especially across India and wider APAC.
Android scam apps usually promise something flashy. These promised something impossible — call logs, SMS history, even WhatsApp call records for any phone number you typed in. That pitch pulled in millions of installs on Google Play before the apps were reported and removed. The big story is not just the fraud. It’s how ordinary and “useful” these apps looked while they turned curiosity, jealousy, and panic into payments.

### What were these apps actually selling?

They sold the fantasy of private surveillance on demand. ESET grouped 28 Android apps under the name CallPhantom because they all made basically the same false promise — enter any number, get that person’s call history or messages. Some also claimed they could reveal WhatsApp call logs. That is not a real capability for a normal Play Store app, which is the first clue that the whole thing was a scam. (eset.com)

### How big did this get?

Bigger than most people would guess from a scam this crude. ESET said the 28 apps were downloaded more than 7.3 million times in total, and one app by itself crossed 3 million installs before takedown. The campaign mainly hit users in India and the broader Asia-Pacific region, which also helps explain why some payment flows were built around local methods like UPI. (eset.com)

### How did the trick work?

The apps dangled a search box and made the process feel real. A user entered a target phone number, waited through fake loading screens, and then got pushed toward payment to “unlock” the results. But the data was fabricated or useless. So the product was fake from end to end — fake access, fake suspense, fake output, real charge. (eset.com)

### Why did people pay for something so implausible?

Because this was social engineering wearing a utility-app costume. The hook targets strong emotions — suspicion about a partner, worry about a child, curiosity about a stranger, maybe even workplace snooping. Once a user is emotionally invested, the app only has to look plausible for a few more screens. It’s the same old scam shape, but packaged like a normal Android tool instead of a sketchy website. (eset.com) That matters because users lower their guard inside an official app store.

### Why are refunds such a mess here?

The catch is that not every app used Google Play billing cleanly. ESET and follow-up coverage said some apps routed victims to third-party payment options, including UPI-linked flows. That means users could end up outside the usual Play refund path. In plain English — the scam did not just trick people into paying, it sometimes nudged them onto rails where getting money back was harder. (eset.com)

### Was this malware or “just” fraud?

Mostly fraud, but that distinction is less comforting than it sounds. These apps did not need a sophisticated malware payload to do damage. If a scam can reach millions through fake claims, deceptive UX, and payment abuse alone, then defenders cannot limit reviews to apps that look technically malicious. A polished lie at Play Store scale is already a security problem. Broader Play abuse has been large lately, with other researchers also flagging tens of millions of installs across malicious or deceptive Android apps. (eset.com)

### What should defenders take from this?

High-download “caller,” “tracker,” and “history” utilities deserve more skepticism than their install counts suggest. Enterprise mobile teams should flag apps that claim surveillance-style powers, audit payment behavior, and watch for sideload-like billing detours inside otherwise legitimate-looking apps. Consumers should treat any app claiming access to another person’s private call or message history as fraudulent on its face. (eset.com) If that capability sounds illegal or impossible, that is the product review.

### Bottom line?

CallPhantom matters because it shows the modern mobile scam does not need to hide. It can sit in the official store, wear a helpful icon, rack up millions of installs, and make money by selling an impossible shortcut people badly want to believe in. (eset.com)
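The defender advice above (flag surveillance-style claims, audit payment behaviour, watch for off-Play billing detours) can be turned into a first-pass triage rule for a mobile app allowlist. The following Python is an added example written for this article; it is not ESET's tooling and not code from any of the CallPhantom apps. The `AppRecord` fields, the scoring weights, the two sample records, and the UPI deep link and hostnames in them are all constructed for illustration: the pattern list encodes the one claim no ordinary Play app can honour (reading another subscriber's call, SMS or WhatsApp history from a number alone), and the payment check treats anything other than Play's own checkout host as a detour worth a human look.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse

# Hypothetical metadata record; field names are this example's own, not a Play API.
@dataclass
class AppRecord:
    package: str
    title: str
    description: str
    installs: int
    payment_urls: List[str] = field(default_factory=list)  # URLs the app opens at checkout

# Phrases that promise a capability no third-party Play app can legitimately have:
# reading another person's call or message history given only their number.
IMPOSSIBLE_CLAIM_PATTERNS = [
    r"\b(call|sms|message|chat)\s+(history|logs?|records?)\b.{0,40}\b(any|of any|for any)\s+(phone\s+)?number\b",
    r"\bany\s+(phone\s+)?number\b.{0,40}\b(call|sms|message|chat)\s+(history|logs?|records?)\b",
    r"\bwhatsapp\s+(call\s+)?(history|logs?|records?)\b",
]

# Play's own checkout lives under play.google.com; a UPI deep link or any other host
# means the user is being routed around Play billing and its refund path.
PLAY_BILLING_HOSTS = {"play.google.com"}
OFF_PLAY_SCHEMES = {"upi"}

def impossible_claims(text: str) -> List[str]:
    """Return description fragments that promise surveillance of arbitrary numbers."""
    lowered = text.lower()
    return [m.group(0) for pat in IMPOSSIBLE_CLAIM_PATTERNS for m in re.finditer(pat, lowered)]

def off_play_payment_urls(urls: List[str]) -> List[str]:
    """Return checkout URLs that leave Play billing (UPI deep links or non-Play web hosts)."""
    detours = []
    for u in urls:
        parsed = urlparse(u)
        if parsed.scheme in OFF_PLAY_SCHEMES:
            detours.append(u)
        elif parsed.scheme in ("http", "https") and parsed.hostname not in PLAY_BILLING_HOSTS:
            detours.append(u)
    return detours

def triage(app: AppRecord) -> Dict[str, object]:
    """Score one app: impossible claims weigh most, off-Play checkout next, reach amplifies."""
    claims = impossible_claims(app.description)
    detours = off_play_payment_urls(app.payment_urls)
    score, reasons = 0, []
    if claims:
        score += 3
        reasons.append(f"promises surveillance of arbitrary numbers: {claims[0]!r}")
    if detours:
        score += 2
        reasons.append(f"off-Play checkout: {detours[0]}")
    if claims and app.installs >= 1_000_000:
        score += 1  # a false claim with large reach is the case to review first
        reasons.append(f"high reach: {app.installs:,} installs")
    verdict = "block" if score >= 4 else "review" if score >= 2 else "allow"
    return {"package": app.package, "score": score, "verdict": verdict, "reasons": reasons}

# Constructed sample records, modelled on the behaviour the article describes.
SCAM_LIKE_APP = AppRecord(
    package="com.example.callhistoryfinder",
    title="Call History Finder",
    description="Get call history of any number instantly. See WhatsApp call logs too.",
    installs=3_000_000,
    payment_urls=["upi://pay?pa=merchant@example&pn=Example"],
)
BENIGN_CALLER_ID_APP = AppRecord(
    package="com.example.callerid",
    title="Caller ID & Spam Block",
    description="See who is calling you and block unwanted numbers on your own phone.",
    installs=50_000_000,
    payment_urls=["https://play.google.com/store/account/subscriptions"],
)

if __name__ == "__main__":
    for app in (SCAM_LIKE_APP, BENIGN_CALLER_ID_APP):
        print(triage(app))
```

The point of the weighting is that the claim alone already warrants a manual review, because it describes a capability that does not exist for a normal app; the off-Play checkout and the install count only raise the priority. A real deployment would feed `AppRecord` from whatever inventory the MDM or app-vetting pipeline exposes and would tune the patterns to the store languages in scope.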