Android users looking for “call history of any number” apps were pulled into a paid scam instead of a monitoring tool. ESET researchers say they found 28 CallPhantom apps in Google Play that promised call logs, SMS records, or WhatsApp call history for a chosen phone number, but delivered fabricated data after payment. Newer Android banking threats such as TrickMo.C show the same mobile-trust problem from another angle: once a phone is compromised, it can be used not only for OTP theft but also as a proxy node for fraud activity.
The cluster is notable because it did not need classic malware behavior to cause damage. ESET says the apps collectively reached more than 7.3 million downloads before Google removed them after ESET’s report. Some used Google Play subscriptions, while others pushed users to third-party payment apps or in-app card forms, making refunds and charge disputes more complicated.
That makes CallPhantom a useful example of scamware: the app may not need invasive permissions, keylogging, or device takeover if the promise itself convinces the victim to pay. For ordinary users, the practical lesson is sharper than “avoid suspicious apps.” A consumer Android app cannot lawfully retrieve another person’s carrier call records or private WhatsApp calling history just because a phone number was entered. If an app claims that it can, the claim is either a scam, an attempt to normalize spyware-like behavior, or both.
Why the CallPhantom Trick Worked
ESET’s analysis shows a simple but effective workflow. The apps presented themselves as utilities for retrieving communications history. Some had India’s +91 country code preselected and supported UPI-style payments, which suggests a strong focus on Indian and Asia-Pacific users. After the user entered a number or email address, the app produced partial “results,” asked for payment, or claimed that a report would be delivered later.
The important detail is what happened behind the screen. ESET found that the supposed call-history results were not retrieved from any real telecom, SMS, or WhatsApp source. In one cluster, names, country codes, templates, and fixed-looking records were embedded in the app and combined with randomly generated phone numbers. In another flow, the user was asked to pay before any “report” would supposedly arrive by email. Either way, the paid output was not evidence; it was generated theater.
This is why download counts and polished screenshots are weak trust signals. A fraudulent app can survive long enough to collect many installs if the pitch is emotionally strong: curiosity, suspicion, relationship conflict, or the hope of checking another person’s activity. The same pressure appears in other mobile scams, including malicious or deceptive apps spread around messaging platforms; Gridinsoft has seen that pattern before in malicious WhatsApp mod campaigns and large Android app abuse cases.
For anyone who installed a similar app, the first decision is financial, not technical. Open Google Play and check Payments & subscriptions for active subscriptions from unfamiliar apps. If the charge went through Google Play billing, cancel the subscription from the Play Store and request a refund through Google’s process if the purchase is still eligible. If the payment was made through a third-party payment app or a card form inside the app, treat it like a direct payment to an unknown merchant: contact the bank or payment provider, dispute the charge if appropriate, and monitor the card for follow-up attempts.
The second decision is data exposure. Even if CallPhantom-style apps do not need intrusive permissions to run the scam, users may still have typed a phone number, email address, payment details, or other personal context into the app. Remove the app, review Android permissions, revoke any notification access or accessibility access if granted, and check whether the same developer name appears under other installed apps. If the app asked for an email address to send a “report,” watch that inbox for related payment, refund, or support scams.
The cleanest detection rule is blunt: any public app that sells another person’s call, SMS, or WhatsApp history by phone number should be treated as fraudulent. Legitimate parental controls, enterprise mobile management, and account recovery tools work through device ownership, account consent, carrier processes, or administrator enrollment. They do not magically extract private communication records for any number typed into a search box.
CallPhantom also overlaps with phone-scam behavior more broadly. People who search for caller identity, number history, or suspicious call details are often already worried, which makes them easier to push into a paid “answer.” If the problem is unwanted calls, use blocking and carrier-level reporting instead of apps that promise private records; Gridinsoft’s guide on blocking scam likely calls on iPhone and Android is the safer route.
The broader takeaway is that mobile scams no longer need to look like crude phishing pages. A real Play Store listing, a subscription screen, and fake sample results can be enough to convert curiosity into recurring payments. The best defense is to ask what real-world authority the app would need to deliver its promise. If the answer would require access to a telecom provider, a private messaging platform, or another person’s account, a random Android utility is not a shortcut. It is the bait.
