
CallPhantom Apps Scam Millions of Android Users with Fake Call History

Severity: Medium (Score: 51.8)

Sources: Cybersecuritynews, Welivesecurity, www.eset.com

Summary

A cluster of 28 fraudulent apps named CallPhantom tricked over 7.3 million Android users into paying for fake call history data. These apps, available on Google Play, claimed to provide access to call logs and SMS records but delivered only randomly generated data. The apps were primarily targeted at users in India and the Asia-Pacific region, leveraging the UPI payment system. Users reported being scammed and receiving no promised data after payment. ESET, as part of the App Defense Alliance, reported these apps to Google, leading to their removal from the Play Store on December 16, 2025. The investigation revealed that the apps were designed to exploit user curiosity and included fake reviews to entice downloads. As of the publication date, all identified fraudulent apps have been taken down.

Key Points:

  • 28 fraudulent apps named CallPhantom were removed from Google Play after scamming users.
  • Over 7.3 million downloads were recorded for these apps, which provided fake call history data.
  • The apps primarily targeted Android users in India, using the UPI payment system.

Key Entities

  • APT28 (apt_group)
  • APT29 (apt_group)
  • Blue Callisto (apt_group)
  • BlueCharlie (apt_group)
  • Callisto (apt_group)
  • Snake (malware)
  • CallPhantom (malware)
  • Cobalt Strike (malware)
  • Industroyer (malware)
  • Lonepage (malware)
  • Malware (attack_type)
  • Phishing (attack_type)
  • Ransomware (attack_type)
  • Operation Texonto (campaign)
  • SolarWinds campaign (campaign)
  • CERT-UA (company)
  • Democratic National Committee (company)
  • RUAG (company)
  • Security Service of Ukraine (company)
  • TV5Monde (company)
  • Armenia (country)
  • Belarus (country)
  • Georgia (country)
  • Greece (country)
  • India (country)
  • CWE-79 - Cross-site Scripting (XSS) (cwe)
  • com.app (domain)
  • com.name (domain)
  • gov.in (domain)
  • Financial (industry)
  • Government (industry)
  • T1059.001 - PowerShell (mitre_attack)
  • T1566 - Phishing (mitre_attack)
  • Android (platform)
  • Firebase (platform)
  • Google Play (platform)
  • Windows (platform)
  • Firebase Cloud Messaging (platform)
  • PowerShell (tool)