Fake call logs, real payments: How CallPhantom tricks Android users ESET Research ESET researchers uncovered fraudulent apps on Google Play that claim to provide the call history “for any number” and had been downloaded more than seven million times before being taken down Lukas Stefanko 07 May 2026 11 min. read There’s an app for everything nowadays… right? Well, looking up call records for a phone number of choice is one of those things, as potentially millions of Android users found out after paying for app subscriptions promising just that.
The offending apps, which we named CallPhantom based on their false claims, purport to provide access to call histories, SMS records, and even WhatsApp call logs for phone number. To unlock this supposed feature, users are asked to pay – but all they get in return is randomly generated data. Our investigation identified 28 such fraudulent apps available on the Google Play store, cumulatively downloaded more than 7.3 million times.
As an App Defense Alliance partner, we reported our findings to Google, which removed all of the apps identified in this report from Google Play. Key points of this blogpost: A new Android scam, CallPhantom, falsely claims to provide access to call logs, SMS records, and WhatsApp call history for any phone number in exchange for payment. We identified and reported 28 CallPhantom apps on Google Play, cumulatively downloaded more than 7.3 million times.
Some CallPhantom apps sidestep Google Play’s official billing system, complicating victims’ refund efforts. Investigation In November 2025, we came across a Reddit post discussing an app named Call History of Any Number, found on Google Play. The app, shown in Figure 1, claims that it can retrieve the call history of any phone number supplied by the user. It was published under the developer name Indian gov.in , but the app has no real association with the Indian government.
Figure 1. Call History of Any Number app on Google Play Unsurprisingly, our analysis showed that the “call history” data provided by this app is entirely fabricated – the app generates random phone numbers and matches them with fixed names, call times, and call durations, which were embedded directly in the code, as shown in Figure 2. This fake data is then presented to victims – but only after payment.
Figure 2. Hardcoded call log data used by the app A screenshot of the fabricated call history data was even included in the app’s listing, presented as a demonstration of the app’s functionality, as shown in Figure 3. Figure 3. Screenshots from Google Play seemingly demonstrating the fraudulent app’s functionality; the logs are randomly generated from hardcoded data Further research revealed additional, related apps available on the Play Store – 28 CallPhantom apps altogether.
We reported the full set of fraudulent apps to Google on December 16 th , 2025. At the time of publication, all the reported apps have been removed from the store. Despite visual differences, which can be seen in Figure 4 and Figure 5, the purpose of the apps is identical: generate fake communication data and charge victims for access. The table in the Analyzed CallPhantom apps section lists each app along with its key details, including the download count.
Figure 4. Examples of CallPhantom apps found on the Play Store Figure 5. Examples of CallPhantom initial screens Campaign overview The CallPhantom apps we found on Google Play mainly targeted Android users in India and the broader Asia‑Pacific region. Many of the apps came with India’s +91 country code preselected and support UPI , a payment system used primarily in India. The apps had garnered numerous negative reviews, with victims reporting that they were scammed and never received the promised data, as can be seen in Figure 6.
Figure 6. Negative reviews for one of the fraudulent apps It is not clear how the apps were distributed or promoted. Presumably, by seemingly offering insight into private information, the scammers successfully took advantage of people’s curiosity. Combined with a few glowing (fake) reviews, it might have seemed like an intriguing offer. CallPhantom overview In our investigation, we identified two main clusters of these fraudulent apps.
The apps in the first cluster contain hardcoded names, country codes, and templates in their code, as shown in Figure 7. These are combined with randomly generated phone numbers and shown to the user as partial “results”. To view the full (fake) history, the victim has to pay. Figure 7. Code responsible for generating messages second cluster ask users to enter an email address where the “retrieved” call history would supposedly be delivered, as seen in the screenshots in Figure 8.
No data generation occurs until after payment; users have to pay or subscribe before any email would supposedly be sent. Figure 8. CallPhantom requests the user’s email address where call logs would supposedly be delivered In general, CallPhantom apps have a simple user interface and do not request any intrusive or sensitive permissions – they don’t need to. Coincidentally, they do not contain any functionality capable of retrieving real call, SMS, or WhatsApp data.
In the CallPhantom apps we analyzed, we saw three different payment methods used, the latter two of which are in violation of Google Play’s payments policy . First, some of the apps relied on subscriptions via Google Play’s official billing system. This is required of apps offering in-app purchases, per Google Play’s payments policy; such purchases are covered by Google’s refund protection . Second, some of the apps relied on payments via third-party apps that support UPI.
For these third-party payment apps, CallPhantom apps either included hardcoded URLs or fetched the URLs dynamically from a Firebase realtime database, meaning the payment account could be changed at any time by the operator. Third, in some cases, payment card checkout forms were included directly in the CallPhantom apps. Examples of the payment methods can be seen in Figure 9. Figure 9. Various payment options used by CallPhantom apps In one case, we observed an additional tactic used to coax the user into paying: if the user exited the app without payment, the app displayed deceptive alerts styled as new emails claiming that the call history results had arrived – see Figure 10.
Clicking the notification led straight to a subscription screen. Figure 10. Deceptive notification displayed by CallPhantom to persuade users to subscribe The fees requested for the fake service differ widely across the apps. The apps also appear to offer different subscription packages, such as weekly, monthly, or yearly services, with the highest requested price sitting at US$80. For the lowest “subscription tier”, the average requested price was €5.
What to do if you have been scammed In general, subscriptions purchased through the official Google Play billing system can be canceled in the Play Store app by tapping your profile icon, navigating to Payments & subscriptions → Subscriptions, selecting the active subscription, and tapping Cancel subscription. Google explains the full process on its Cancel, pause, or change a subscription on Google Play page.
For the 28 apps described in this blogpost, existing subscriptions have been canceled when the apps were removed from Google Play. In some cases, refunds for Google Play purchases are possible. Google may issue a refund depending on the time since purchase, the type of item, and its refund policy. In general, requests must be made within the allowed refund window as described on Google’s support page .
If the purchase was made outside Google Play – for example, by entering payment card details inside the app or by paying through third‑party services – then Google cannot cancel the subscription or issue a refund, and users have to contact the payment provider or the app developer directly. Conclusion We identified a new cluster of fraudulent Android apps on Google Play that collectively amassed over 7.3 million downloads before being taken down upon notification by ESET.
These apps, which we collectively named CallPhantom, falsely promise to retrieve call logs, SMS records, and WhatsApp call history for any phone number, a technically impossible claim designed solely to exploit people’s curiosity and mislead them into paying. Many of the apps circumvented Google Play’s official billing system, pushing users toward third‑party payments or direct card entry, complicating refund efforts and exposing victims to financial risk.
Our analysis revealed that the “results” shown to victims are entirely fabricated, often using hardcoded Indian numbers, predefined names, and generated timestamps disguised as real communication data. Users who subscribed via official Google Play billing may be eligible for refunds under Google’s refund policies. Purchases made via third‑party payment apps or through direct payment card entry cannot be refunded by Google, leaving users dependent on external payment providers or developers.
For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com . ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence App name Package name Number of downloads Call history : any number deta calldetaila.ndcallhisto.rytogetan.ynumber Call History of Any Number com.pixelxinnovation.manager Call Details of Any Number com.app.call.detail.history Call History Any Number Detail sc.call.ofany.mobiledetail 500K+ com.cddhaduk.callerid.block.contact com.basehistory.historydownloading Call History of Any Numbers com.call.of.any.number 100K+ com.rajni.callhistory com.callhistory.calldetails.callerids.calle rhistory.callhostoryanynumber.getcall.histo ry.callhistorymanager com.callinformative.instantcall history.callhistorybluethem.callinfo com.call.detail.caller.history com.anycallinformation.datadetailswho.calli nfo.numberfinder com.callhistory.callhistoryyourgf Call History Any Number com.calldetails.smshistory.callhistoryofany number 50K+ com.callhistory.anynumber.chapfvor.history com.callhistory.callhistoryany.call com.name.factor com.getanynumberofcallhistory.callhistoryof anynumber.findcalldetailsofanynumber com.chdev.callhistory 10K+ Phone Call History Tracker com.phone.call.history.tracker Call History- Any Number Deta com.pdf.maker.pdfreader.pdfscanner com.any.numbers.calls.history com.callapp.historyero Call History - Any Number Data all.callhistory.detail 500+ Call History For Any Number com.easyranktools.callhistoryforanynumber 100+ Call History of Numbers com.sbpinfotech.findlocationofanynumber callhistoryeditor.callhistory.numberdetails .calleridlocator Call History Pro com.all_historydownload.anynumber.callhisto rybackup IoCs A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository .
Files SHA-1 Filename Detection Description 799BB5127CA54239D3D4 A14367DB3B712012CF14 all.callhistory.deta il.apk Android/CallPhantom.K Android CallPhantom. 56A4FD71D1E4BBA2C5C2 40BE0D794DCFF709D9EB calldetaila.ndcallhi sto.rytogetan.ynumbe r.apk Android/CallPhantom.M EC5E470753E76614CD28 ECF6A3591F08770B7215 callhistoryeditor.ca llhistory.numberdeta ils.calleridlocator. apk Android/CallPhantom.F 77C8B7BEC79E7D9AE0D0 C02DEC4E9AC510429AD8 com.all_historydownl oad.anynumber.callhi storybackup.apk Android/CallPhantom.G 9484EFD4C19969F57AFB 0C21E6E1A4249C209305 com.any.numbers.call s.history.apk Android/CallPhantom.L CE97CA7FEECDCAFC6B8E 9BD83A370DFA5C336C0A com.anycallinformati on.datadetailswho.ca llinfo.numberfinder. xapk Android/CallPhantom.B FC3BA2EDAC0BB9801F85 35E36F0BCC49ADA5FA5A com.app.call.detail. history.apk Android/CallPhantom.N B7B80FA34A41E3259E37 7C0D843643FF736803B8 com.basehistory.hist orydownloading.xapk Android/CallPhantom.O F0A8EBD7C4179636BE75 2ECCFC6BD9E4CD5C7F2C com.call.detail.call er.history.xapk Android/CallPhantom.C D021E7A0CF45EECC7EE8 F57149138725DC77DC9A com.call.of.any.numb er.apk Android/CallPhantom.Q 04D2221967FFC4312AFD C9B06A0B923BF3579E93 com.callapp.historye ro.apk Android/CallPhantom.E CB31ED027FADBFA3BFFD BC8A84EE1A48A0B7C11D com.calldetails.smsh istory.callhistoryof anynumber.apk C840A85B5FBAF1ED3E0F 18A10A6520B337A94D4C com.callhistory.anyn umber.chapfvor.histo ry.xapk Android/CallPhantom.J BB6260CA856C37885BF9 E952CA3D7E95398DDABF com.callhistory.call details.callerids.ca llerhistory.callhost oryanynumber.getcall .history.callhistory manager.apk Android/CallPhantom.S 55D46813047E98879901 FD2416A23ACF8D8828F5 com.callhistory.call historyany.call.apk Android/CallPhantom.T E23D3905443CDBF4F1B9 CA84A6FF250B6D89E093 com.callhistory.call historyyourgf.apk Android/CallPhantom.D 89ECEC01CCB15FCDD2F6 4E07D0E876A9E79DD3CE com.callinformative. instantcallhistory.c allhistorybluethem.c allinfo.xapk 8EC557302145B40FE089 8105752FFF5E357D7AC9 com.cddhaduk.calleri d.block.contact.xapk Android/CallPhantom.U 6F72FF58A67EF7AAA79C E2342012326C7B46429D com.easyranktools.ca llhistoryforanynumbe r.apk Android/CallPhantom.H 28D3F36BD43D48F02C50 58EDD1509E4488112154 com.getanynumberofca llhistory.callhistor yofanynumber.findcal ldetailsofanynumber. xapk 47CEE9DED41B953A84FC 9F6ED556EC3AF5BD9345 com.chdev.callhistor y.xapk Android/CallPhantom.V 9199A376B433F888AFE9 62C9BBD991622E8D39F9 com.name.factor.apk Android/CallPhantom.P 053A6A723FA2BFDA8A1B 113E8A98DD04C6EEF72A com.pdf.maker.pdfrea der.pdfscanner.apk Android/CallPhantom.W 4B537A7152179BBA19D6 3C9EF287F1AC366AB5CB com.phone.call.histo ry.tracker.apk Android/CallPhantom.I 87F6B2DB155192692BAD 1F26F6AEBB04DBF23AAD com.pixelxinnovation .manager.apk Android/CallPhantom.X 583D0E7113795C7D6868 6D37CE7A41535CF56960 com.rajni.callhistor y.apk Android/CallPhantom.Y 45D04E06D8B329A01E68 0539D798DD3AE68904DA com.sbpinfotech.find locationofanynumber. xapk Android/CallPhantom.A 34393950A950F5651F3F 7811B815B5A21F84A84B sc.call.ofany.mobile detail.apk Android/CallPhantom.Z Network Domain Hosting provider First seen Details 34.120.160[.]131 call-history-7cda4-defau lt-rtdb.firebaseio[.]com call-history-ecc1e-defau lt-rtdb.firebaseio[.]com Google LLC 2025‑05‑14 CallPhantom C&C server. 34.120.206[.]254 ch-ap-4-default-rtdb.fir ebaseio[.]com chh1-ac0a3-default-rtdb. firebaseio[.]com 2025‑04‑17 MITRE ATT&CK techniques This table was built using version 18 of the MITRE ATT&CK framework.
Tactic Name Command and Control T1437.001 Application Layer Protocol: Web Protocols CallPhantom uses Firebase Cloud Messaging for C&C communication. Impact T1643 Generate Traffic from Victim CallPhantom tries to achieve fraudulent billing. Let us keep you up to date Ukraine Crisis newsletter Regular weekly newsletter Subscribe ESET Research FrostyNeighbor: Fresh mischief and digital shenanigans ESET Research FrostyNeighbor: Fresh mischief and digital shenanigans ESET Research A rigged game: ScarCruft compromises gaming platform in a supply-chain attack ESET Research A rigged game: ScarCruft compromises gaming platform in a supply-chain attack ESET Research GopherWhisper: A burrow full of malware ESET Research GopherWhisper: A burrow full of malware Similar Articles ESET research New NGate variant hides in a trojanized NFC payment app ESET research The tap-estry of threats targeting Hamster Kombat players ESET research Beware of predatory fin(tech): Loan sharks use Android apps to reach new depths Share Article Discussion