// MOBILE FRAUD · 10 MAY 2026 · SOURCE · thehackernews.com
[Figure (illustrative): 7.3M Play Store downloads of 28 fake call-history apps; series: Apps, Top app (3M+), Sub low, Sub high]
// News Desk · 10 May 2026 · fraud · brand impersonation · commentary

28 fake call-history apps cleared 7.3 million Google Play downloads selling fabricated data

ESET names CallPhantom: 28 fake call-history apps on the official Play Store, 7.3 million downloads, $6 to $80 subscriptions for randomly generated phone numbers.

ESET has published research on a year-long subscription scam running on the official Google Play Store under what the firm calls the CallPhantom family. Twenty-eight Android apps, 7.3 million combined downloads — one app alone passed three million — and no working functionality behind any of them. Users paid between $6 and $80 to “look up” call histories, SMS records or WhatsApp call logs for any phone number, and were served fabricated numbers and names that ESET found hardcoded directly into the source. The campaign primarily targeted Android users in India and the wider APAC region and has been live since at least November 2025.

The mechanism is the part worth pulling out. The apps don’t ship malware. They don’t request sensitive Android permissions. They don’t try to steal credentials, harvest contacts or read SMS. They are shells around a payment screen. Users are pushed to subscribe via Google Play’s official billing system, via UPI through third-party payment apps including Google Pay, Walmart-backed PhonePe and Paytm, or via in-app card-checkout forms — the latter two in violation of Google’s policy. One subset of apps doesn’t even pretend: it asks for an email address, takes the payment, and emails fake records back. At least one app was published under the developer name “Indian gov.in” to lean on the trust connotations of a government domain.

There is a deceptive UX trick worth noting too. If a user opens the app, browses around, and then closes it without paying, some variants fire a notification claiming a call history has already been “successfully sent to your email address”. Tapping it deep-links straight to the subscription screen. Classic dark-pattern conversion plumbing, dressed up as a security utility.

Group-IB published companion research the same week on a separate-but-overlapping fraud cluster called GoldFactory, which has stolen roughly $2 million from Indonesian users by impersonating CoreTax — the country’s tax platform — and at least 16 other trusted brands. GoldFactory’s chain is heavier: phishing site, WhatsApp social engineering, APK sideload, Gigabud RAT or MMRat or Taotie on the device, vishing follow-up to authorise transfers. The shape is the same. Pose as a trusted institution, cover the social-engineering ramp with brand familiarity, and either harvest payments directly or set up the device for follow-on theft.

Three things worth pulling out for defenders.

First, “official store, no permissions, no malware” is now a viable mass-fraud business model. The Play Store’s protections are largely tuned to detect malware behaviours — sensitive permission abuse, hidden code execution, exfiltration. CallPhantom doesn’t do any of those things. It is a payment surface in a wrapper, and that wrapper is genuinely on Google Play. A “verified by Google Play” sticker, on its own, is no longer a meaningful trust signal for fraud risk. It is for malware. The two are not the same problem, and the storefronts have been optimising for one of them.
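The gap between the two problems, as an added example that is not ESET's or Google's detection logic: a permission-centred check finds nothing in a CallPhantom-style listing, while a check built on the traits described above (off-store payment, official-looking developer name, paywall notification, claimed data with no means to read it) does. The record fields, channel labels and both sample apps are constructed assumptions.

```python
import re

# Added example. Record fields and both sample apps are constructed, not ESET data.
SENSITIVE = {
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
}
DATA_CLAIMS = re.compile(r"call (history|log)|sms (record|history)|whatsapp call", re.I)
OFFICIAL_LOOKALIKE = re.compile(r"\bgov\.[a-z]{2,3}\b|\.gov\b", re.I)


def malware_style_flags(app):
    """Permission-centred view: which sensitive permissions the app requests."""
    return sorted(SENSITIVE & set(app["permissions"]))


def fraud_signals(app):
    """Fraud-centred view: a payment surface with no capability behind the claim."""
    signals = []
    if DATA_CLAIMS.search(app["listing_text"]) and not malware_style_flags(app):
        signals.append("claims call/SMS data but requests nothing that could read it")
    off_store = sorted(c for c in app["payment_channels"] if c != "play_billing")
    if off_store:
        signals.append("payment outside Play billing: " + ", ".join(off_store))
    if OFFICIAL_LOOKALIKE.search(app["developer_name"]):
        signals.append("developer name imitates an official domain")
    if app.get("notification_opens_paywall"):
        signals.append("notification deep-links to the subscription screen")
    return signals


SAMPLE_APPS = [
    {"package": "com.example.callhistory.lookup",  # constructed
     "developer_name": "Indian gov.in",
     "listing_text": "Get call history of any number, SMS records, WhatsApp call logs",
     "permissions": ["android.permission.INTERNET"],
     "payment_channels": ["play_billing", "upi_intent", "card_form"],
     "notification_opens_paywall": True},
    {"package": "com.example.dialer",  # constructed benign comparison
     "developer_name": "Example Dialer Labs",
     "listing_text": "Dialer with call log backup",
     "permissions": ["android.permission.READ_CALL_LOG"],
     "payment_channels": ["play_billing"],
     "notification_opens_paywall": False},
]

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        print(app["package"], malware_style_flags(app), fraud_signals(app))
```

The benign dialer is the one that trips the permission check, which is the inversion the paragraph describes.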

Second, brand-impersonation defence is a regulator problem before it is an EDR problem. “Indian gov.in” appearing as a Play Store developer name should not be possible. The remedy is upstream: stronger developer-identity verification on the storefronts, and faster takedown loops with the brands being impersonated. UK financial-services teams already run anti-impersonation programmes around their consumer banking apps. The mobile attack surface for branded fraud is wider than most of those programmes assume — sleep apps, call-history utilities, government-look-alike utilities, all of them sit alongside the real banking app in the same store search results.

Third, the payments-fraud picture is shifting from sophisticated banking trojans to low-effort subscription scams at scale. CallPhantom and GoldFactory both look modest next to a Maverick or a Grandoreiro. The economics tell a different story. 7.3 million paid downloads at even a small conversion rate dwarfs what most banking trojans extract per victim, with a fraction of the development effort. The relevance for UK financial services is not direct. It is that the consumer-fraud reporting and chargeback channels are about to get a lot busier with subscription disputes, refund claims and customer trust questions about apps the bank had nothing to do with.

The Play Store has removed the apps. Subscriptions paid through Google’s official billing should auto-cancel and may be refundable under Google’s published policies. Users who paid via UPI or in-app card forms have to chase the third-party processors directly — a meaningfully harder recovery path. ESET has published the full indicator list and developer-package identifiers for hunt teams.
