28 pretend “name historical past” utilities on Google Play, collectively put in greater than 7.3 million occasions, have been uncovered as subscription scams that generate fabricated logs as an alternative of actual cellphone information, with a number of additionally bypassing Google’s official billing system to make refunds tougher for victims.
The CallPhantom apps promote an not possible service: detailed name histories, SMS information, and even WhatsApp name logs “for any cellphone quantity” provided by the person.
One of many first samples flagged, “Name Historical past of Any Quantity,” was even printed underneath the deceptive developer identify “Indian gov.in,” regardless of having no connection to any authorities entity.
As soon as put in, the apps immediate customers to enter a goal cellphone quantity after which lock the supposed outcomes behind a paywall, usually framed as a weekly, month-to-month, or annual subscription.
Safety researchers at ESET, who tracked the scheme underneath the identify CallPhantom, reported all 28 apps to Google; the corporate has since eliminated them from the Play Retailer.
In actuality, the apps don’t have any technical functionality to entry telecom information or WhatsApp logs, they usually by no means request the delicate permissions wanted to learn the gadget’s name historical past or SMS knowledge.
Pretend Name Historical past Apps on Google Play
ESET’s evaluation exhibits that the “outcomes” screens are pushed fully by hardcoded templates and random turbines quite than any again‑finish lookup.
In a single cluster of apps, the code bundles mounted lists of names, nation codes, timestamps, and name durations, that are mixed with randomly generated numbers after which displayed as partial “pattern” information earlier than the person is requested to pay to unlock the complete pretend historical past.
A second cluster collects an e-mail deal with and guarantees to ship the complete report there as soon as a subscription is bought, however the era of the fabricated logs solely happens after cost.
In each instances, there isn’t any community request to any telecom operator or messaging service and no logic that would interface with respectable name‑element information.
To push hesitant customers over the road, one variant even abuses pretend system‑type notifications: if the person closes the app with out paying, it shows alerts styled as new e-mail messages claiming that the name historical past report has arrived, and tapping the notification takes the sufferer straight again to a subscription display.
The marketing campaign primarily targets customers in India and the broader Asia‑Pacific area, with many apps preselecting India’s +91 nation code and integrating UPI‑primarily based cost flows which can be common within the nation.
Retailer listings blended clearly pretend guarantees with polished advertising and marketing and a mix of fraudulent constructive critiques and indignant one‑star rankings from victims who paid and obtained nothing however random knowledge.
ESET noticed three cost paths throughout the 28 apps. Some used Google Play’s in‑app billing as required by coverage, which no less than brings normal subscription administration and potential refund protections by way of Google.
Others pushed customers to pay by way of third‑celebration UPI apps, utilizing hardcoded or remotely configurable URLs hosted in a Firebase Realtime Database in order that the operators may rotate receiving accounts at will.
A 3rd set of embedded card‑cost types straight within the app, with each the UPI redirection and direct card assortment working afoul of Google Play’s cost guidelines and leaving victims depending on exterior suppliers for any redress.
Google has eliminated all 28 recognized CallPhantom apps from Google Play after receiving ESET’s report, and current Play‑billing subscriptions related to them have been cancelled.
Customers who paid by way of Google Play should be capable of request refunds, topic to Google’s normal time home windows and refund standards, by way of the subscription administration and refund request choices documented in its help pages.
Those that entered card particulars in‑app or paid by way of third‑celebration UPI apps face a tougher path: Google can’t cancel or refund these off‑platform transactions, so victims should as an alternative contact their financial institution, card issuer, UPI supplier, or – the place attainable – the listed developer.
ESET recommends that customers keep away from any app claiming to disclose name logs, SMS information, or messaging histories for arbitrary numbers, as such entry isn’t accessible by way of respectable shopper apps and needs to be handled as a crimson‑flag signal of a rip-off.
Comply with us on Google Information, LinkedIn, and X to Get Instantaneous Updates and Set GBH as a Most popular Supply in Google.
