CallPhantom Fraudulent Apps Scam Millions of Android Users

Severity: Medium (Score: 52.5)

Sources: Heise.De, www.welivesecurity.com, Cybersecuritynews, Welivesecurity, www.eset.com

Summary

A series of fraudulent apps named CallPhantom were discovered on Google Play, promising access to call histories for any phone number. Users were tricked into paying for subscriptions, only to receive fabricated data. ESET identified 28 such apps, which collectively garnered over 7.3 million downloads, primarily targeting users in India and the Asia-Pacific region. The apps generated random call data and displayed it to users after payment. ESET reported these apps to Google, leading to their removal from the Play Store in December 2025. User reviews indicated widespread dissatisfaction, with many victims claiming they were scammed. The apps exploited users' curiosity about private communication data. No malware was found in these apps, indicating a purely fraudulent scheme.

Key Points:

  • 28 fraudulent apps named CallPhantom were identified on Google Play.
  • The apps collectively had over 7.3 million downloads, primarily targeting users in India.
  • Users paid for fake call history data, which was entirely fabricated.

Key Entities

  • APT28 (apt_group)
  • APT29 (apt_group)
  • Blue Callisto (apt_group)
  • BlueCharlie (apt_group)
  • Callisto (apt_group)
  • Snake (malware)
  • CallPhantom (malware)
  • Anatsa (malware)
  • Cobalt Strike (malware)
  • Industroyer (malware)
  • Malware (attack_type)
  • Phishing (attack_type)
  • Ransomware (attack_type)
  • Operation Texonto (campaign)
  • SolarWinds campaign (campaign)
  • CERT-UA (company)
  • Democratic National Committee (company)
  • RUAG (company)
  • Security Service of Ukraine (company)
  • TV5Monde (company)
  • Armenia (country)
  • Belarus (country)
  • Georgia (country)
  • Greece (country)
  • India (country)
  • CWE-79 - Cross-site Scripting (XSS) (cwe)
  • com.app (domain)
  • com.name (domain)
  • gov.in (domain)
  • Financial (industry)
  • Government (industry)
  • T1059.001 - PowerShell (mitre_attack)
  • T1566 - Phishing (mitre_attack)
  • Android (platform)
  • Firebase (platform)
  • Google Play (platform)
  • Windows (platform)
  • Firebase Cloud Messaging (platform)
  • PowerShell (tool)