Executive Summary
In November 2025, ESET researchers identified a series of fraudulent Android applications, collectively named 'CallPhantom,' on the Google Play Store. These 28 apps falsely claimed to provide access to call logs, SMS records, and WhatsApp call histories for any phone number. Users were prompted to pay for these services but received only randomly generated, fabricated data. The apps amassed over 7.3 million downloads before being reported to Google and subsequently removed from the store. This incident underscores the persistent threat of deceptive applications exploiting user curiosity and trust. The CallPhantom scam highlights the need for continuous vigilance against fraudulent apps, especially as cybercriminals increasingly target mobile platforms. Users should be cautious of apps requesting payments for services that seem too good to be true and verify the legitimacy of applications before installation.
Why This Matters Now
The CallPhantom incident underscores the evolving tactics of cybercriminals targeting mobile users through deceptive applications. As mobile device usage continues to rise, ensuring the security of app marketplaces and educating users about potential scams is more critical than ever.
Attack Path Analysis
The CallPhantom campaign involved fraudulent Android apps that deceived users into paying for fabricated call logs, SMS records, and WhatsApp call histories. These apps were distributed through the Google Play Store, amassing over 7.3 million downloads. Upon installation, they generated fake data and prompted users for payment, often bypassing official billing systems to complicate refund processes. The apps utilized Firebase Cloud Messaging for command and control, enabling dynamic content updates and payment redirection. While no actual data exfiltration occurred, the financial impact on victims was significant due to unauthorized charges.
Kill Chain Progression
Initial Compromise
Description
Users downloaded and installed fraudulent CallPhantom apps from the Google Play Store, believing they provided access to call logs and message histories.
MITRE ATT&CK® Techniques
- Masquerade as Legitimate Application
- Obfuscated Files or Information
- Compromise Application Executable
- Application Layer Protocol: Web Protocols
- Generate Traffic from Victim
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities (Control ID: 6.2)
- NYDFS 23 NYCRR 500 – Cybersecurity Program (Control ID: 500.02)
- DORA – ICT Risk Management Framework (Control ID: Article 5)
- CISA ZTMM 2.0 – Applications and Workloads (Control ID: Pillar 3)
- NIS2 Directive – Cybersecurity Risk Management Measures (Control ID: Article 21)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Mobile fraud targeting Android users threatens telecom infrastructure through fraudulent call log apps, compromising customer trust and requiring enhanced mobile security measures.
Financial Services
CallPhantom's payment fraud bypassing official billing systems exposes financial institutions to unauthorized transactions and complicates refund processes for affected customers.
Information Technology
IT organizations face elevated risk from mobile application fraud, requiring stronger app store vetting, code analysis capabilities, and zero trust frameworks.
Consumer Services
Consumer-facing services are vulnerable to fraudulent apps that exploit user curiosity, requiring stronger fraud detection and customer protection measures against mobile scams.
Sources
- Fake call logs, real payments: How CallPhantom tricks Android users: https://www.welivesecurity.com/en/eset-research/fake-call-logs-real-payments-how-callphantom-tricks-android-users/
- ESET Research uncovers CallPhantom scam on Google Play: Fake logs for real money: https://www.eset.com/us/about/newsroom/research/eset-research-callphantom-scam-google-play/
- CallPhantom: Fraudulent Android apps scam the curious: https://www.heise.de/en/news/CallPhantom-Fraudulent-Android-apps-scam-the-curious-11286032.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is relevant to this incident as it could limit the reach of fraudulent applications by enforcing strict segmentation and controlled egress, thereby reducing the potential blast radius of such attacks.
- Control: Cloud Native Security Fabric (CNSF). Mitigation: The CNSF would likely limit the application's ability to interact with other network resources, reducing the potential for further malicious activity.
- Control: Zero Trust Segmentation. Mitigation: Zero Trust Segmentation would likely limit the application's access to sensitive resources, reducing the scope of potential privilege escalation.
- Control: East-West Traffic Security. Mitigation: East-West Traffic Security would likely limit the application's ability to communicate with other internal systems, reducing the risk of lateral movement.
- Control: Multicloud Visibility & Control. Mitigation: Multicloud Visibility & Control would likely limit the application's ability to establish unauthorized command and control channels, reducing the risk of dynamic content updates and payment redirection.
- Control: Egress Security & Policy Enforcement. Mitigation: Egress Security & Policy Enforcement would likely limit the application's ability to transmit data externally, reducing the risk of data exfiltration.
The financial impact on victims would likely be reduced due to constrained application behavior and limited unauthorized communications.
Impact at a Glance
Affected Business Functions
- Mobile Application Security
- User Data Protection
- Payment Processing
Estimated downtime: N/A
Estimated loss: N/A
No sensitive user data was exposed; the apps generated fabricated data without accessing real user information.
Recommended Actions
Key Takeaways & Next Steps
- Implement rigorous app vetting processes to detect and prevent fraudulent applications from entering app stores.
- Enforce strict adherence to official billing systems to ensure transparency and facilitate refund processes.
- Enhance user education on recognizing and avoiding scams that promise access to private information.
- Monitor and analyze app behavior post-installation to identify and mitigate malicious activities promptly.
- Collaborate with cybersecurity organizations to share threat intelligence and improve detection capabilities.