App creators will offer basically anything these days, even if most claims appear too good to be true. Unfortunately, an army of Android users took the bait, paying for apps that sold access to call histories for any phone number. Over 7 million downloads later, it’s now official – it was all fake.

Researchers from Slovak cybersecurity company ESET say that the offending apps – collectively known as CallPhantom – claimed to provide access to call histories, SMS records, and even WhatsApp call logs for any phone number.

To unlock this supposed feature, users were asked to pay up. But all they got in return was random data.

According to ESET, 28 apps, primarily targeting Android users in India and the broader Asia-Pacific region, have collectively racked up more than 7.3 million downloads.

ESET then reported its findings to Google, and the tech giant soon removed all of the apps – one of which was downloaded more than 3 million times – identified in the company’s report. Still, there must be more of them.

It all began in November, when ESET came across a Reddit post about an app called Call History of Any Number.

The app claimed it could retrieve the call history for any phone number the user supplied. The app was published under the developer name Indian gov.in, but had no real association with the Indian government.

Unsurprisingly, ESET analysis showed that the “call history” data provided by the app was entirely fabricated. The app generated random phone numbers and matched them with fixed names, call times, and call durations, embedded directly in the code.

This fake data was then presented to victims – but only after payment, researchers said.

Unsurprisingly, CallPhantom apps have a simple user interface and do not request any intrusive or sensitive permissions – they don’t need to. They don’t even contain any functionality capable of retrieving real call, SMS, or WhatsApp data.

Dozens of apps defrauded users similarly, and they soon garnered numerous negative reviews, with victims reporting they were scammed and never received the promised data.

“By seemingly offering insight into private information, the scammers successfully took advantage of people’s curiosity. Combined with a few glowing (fake) reviews, it might have seemed like an intriguing offer,” ESET said.

Some CallPhantom apps were sidestepping Google Play’s official billing system, complicating victims’ refund efforts.

Three different payment methods were used, and some of the apps relied on payments via third-party apps that support UPI, a payment system used primarily in India.

The apps offered different subscription packages, such as weekly, monthly, or yearly plans, with the highest requested price at $80. For the lowest “subscription tier,” the average requested price was €5 ($5.9).

---

Unlock more exclusive Cybernews content on YouTube.