{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/callphantom/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Google Play"],"_cs_severities":["medium"],"_cs_tags":["android","scam","callphantom","fraud"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eESET researchers uncovered 28 fraudulent Android apps on Google Play, collectively named CallPhantom, that falsely claim to provide call logs, SMS records, and WhatsApp call history for any phone number. These apps, promising access to private information, garnered over 7.3 million downloads before being removed from the Google Play store on December 16, 2025. CallPhantom apps primarily targeted Android users in India and the broader Asia-Pacific region, often preselecting India’s +91 country code and supporting UPI payment systems. 
The apps aimed to exploit users\u0026rsquo; curiosity by offering insight into private information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUsers search for call history apps on the Google Play store.\u003c/li\u003e\n\u003cli\u003eUsers download a CallPhantom app, enticed by seemingly functional screenshots and descriptions.\u003c/li\u003e\n\u003cli\u003eThe app requests payment or subscription to unlock access to call history data.\u003c/li\u003e\n\u003cli\u003eUsers pay via Google Play\u0026rsquo;s billing system, third-party UPI apps, or directly via payment card forms within the app.\u003c/li\u003e\n\u003cli\u003eThe app generates random phone numbers, names, call times, and durations or requests an email address.\u003c/li\u003e\n\u003cli\u003eThe app presents fake call history data or promises to send call history data to the provided email address.\u003c/li\u003e\n\u003cli\u003eUsers discover that the data is fabricated and that they have been scammed.\u003c/li\u003e\n\u003cli\u003eVictims leave negative reviews on the Google Play store.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe CallPhantom apps, downloaded over 7.3 million times, scammed Android users by charging them for fabricated call history data. Victims paid for subscriptions ranging up to US$80, receiving randomly generated data or nothing in return. The fraudulent apps bypassed Google Play’s official billing system in some instances, complicating refund efforts for affected users. 
The apps have been removed from the Google Play Store, but the financial impact on affected users remains.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for installation of apps matching the CallPhantom naming scheme using a YARA rule (reference the file SHA-1 hashes listed in the original report).\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect connections to Firebase Realtime Database, from which some CallPhantom apps fetched third-party payment URLs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to detect suspicious applications that generate and display random contact data after payment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T08:51:19Z","date_published":"2026-05-07T08:51:19Z","id":"/briefs/2026-05-callphantom-android-scam/","summary":"ESET researchers discovered 28 fraudulent Android apps, named CallPhantom, on Google Play that falsely claim to provide call logs for any phone number in exchange for payment, generating random data or requesting email addresses and amassing over 7.3 million downloads before being removed.","title":"CallPhantom Android Apps Falsely Promise Call History for Payment","url":"https://feed.craftedsignal.io/briefs/2026-05-callphantom-android-scam/"}],"language":"en","title":"CraftedSignal Threat Feed — Callphantom","version":"https://jsonfeed.org/version/1.1"}