ESET Uncovers 'CallPhantom' Fleeceware Campaign on Google Play with 7.3 Million Downloads

Fraudulent 'CallPhantom' Apps on Google Play Scammed 7.3 Million Users

MEDIUM
May 8, 2026
5m read
Mobile Security, Malware, Phishing

Impact Scope

People Affected: 7.3 million downloads
Industries Affected: Other
Geographic Impact: India (regional)

Related Entities

Organizations: none listed
Products & Tech: Google Play Store
Other: CallPhantom

Full Report

Executive Summary

Security researchers at ESET have uncovered a large-scale fleeceware campaign on the Google Play Store, which they have dubbed "CallPhantom." The operation involved 28 malicious applications that successfully duped over 7.3 million users into downloading them. These apps, primarily targeting users in India and the Asia-Pacific region, lured victims with the false promise of being able to retrieve the call history and messages of any phone number. To access this non-existent service, users were tricked into paying for a subscription. The apps would then display fake, randomly generated data. The apps have since been removed by Google, but the campaign's success highlights the ongoing threat of fraudulent apps on official marketplaces.

Threat Overview

The CallPhantom campaign is a classic example of fleeceware—apps that are not technically malware (they don't steal data or damage the device) but use deceptive practices to trick users into paying for worthless or non-existent services. The apps' core deception was the claim that they could provide access to private call and message logs, a technically infeasible feature for a third-party app. To enhance their credibility, at least one app masqueraded as an official government application, using the developer name "Indian gov.in." This social engineering tactic, combined with the allure of the promised functionality, led to millions of downloads and subsequent fraudulent charges to users.

Technical Analysis

The CallPhantom apps are not sophisticated from a malware perspective but are effective as a scam. Their operation can be broken down into a few key steps:

  • Initial Access: The apps were distributed through the official Google Play Store, leveraging the trust users place in the platform (T1475 - Legitimate Software).
  • Execution: The user willingly downloads and installs the application.
  • Defense Evasion: By using a deceptive but seemingly legitimate developer name ("Indian gov.in"), the app creators engaged in masquerading (T1036 - Masquerading) to evade user suspicion.
  • Impact: The primary impact is financial fraud. The apps trick users into subscribing to a service that does not work, causing financial loss (T1488 - Financial Theft). The apps generate random, fake data to maintain the illusion of functionality for a short period.

Impact Assessment

The direct impact is financial loss for the 7.3 million users who downloaded and potentially paid for subscriptions to these fraudulent apps. While the individual financial loss may be small, the collective profit for the scammers is substantial. The incident also damages user trust in the Google Play Store's vetting process and highlights the difficulty in policing app marketplaces for scams that do not involve traditional malware. For Google, it represents a reputational challenge and reinforces the need for more stringent review processes to detect and remove fleeceware.

IOCs — Directly from Articles

The source articles mentioned the names of some of the fraudulent apps, which can be considered IOCs:

Type        Value                            Description
file_name   Call history : any number deta   Name of one of the fraudulent Android applications.
file_name   Call History of Any Number       Name of another fraudulent Android application.

Cyber Observables — Hunting Hints

For mobile device management administrators and users, the following are red flags for fleeceware and other malicious apps:

  • string_pattern: App description making impossible claims. Be suspicious of any app that claims to be able to access private data from other users' phones, like call logs or WhatsApp messages.
  • string_pattern: Overwhelmingly negative reviews describing a scam. Check user reviews. While some can be fake, a large number of reviews complaining about fake functionality or unwanted charges is a major red flag.
  • other: Vague or no privacy policy. Legitimate applications will have a clear and accessible privacy policy. The absence of one is suspicious.
  • other: Excessive permission requests. Be wary of an app that requests permissions that are not related to its stated function.

Detection & Response

  • Detection: For organizations, Mobile Device Management (MDM) or Mobile Threat Defense (MTD) solutions can be used to blacklist known fraudulent applications. These solutions can scan managed devices for the presence of these apps and alert administrators.
  • Response: Instruct users who have installed these apps to uninstall them immediately. They should also check their Google Play subscription history for any active subscriptions from the app and cancel them. Users should be advised to report the app to Google and consider disputing the charges with their payment provider.
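The hunting hints above and the MDM detection step can be combined into one triage pass over an app-inventory export. The following script is an added example, not code from ESET, Google or the article: it matches the two app titles the article lists as IOCs exactly, and applies the review, privacy-policy, developer-name and permission red flags as heuristics. The inventory rows, package names, permission baselines and review thresholds are constructed for illustration and would need tuning to a real fleet.

```python
"""Triage an MDM app-inventory export for fleeceware red flags.

Added example, not code from ESET or the article. The inventory rows,
package names, permission baselines and review thresholds are constructed
for illustration; the two app titles are the ones the article lists as IOCs.
"""
import re
from dataclasses import dataclass

# App titles the article names as indicators (exact-title match).
KNOWN_FRAUD_TITLES = {
    "Call history : any number deta",
    "Call History of Any Number",
}

# Description phrases that promise access to other people's private data
# (constructed patterns for the "impossible claims" red flag).
IMPOSSIBLE_CLAIM_PATTERNS = [
    r"\bcall (history|logs?)\b.*\b(any|other|someone)\b",
    r"\bwhatsapp\b.*\b(messages?|chats?)\b.*\b(any|other|someone)\b",
    r"\bany (phone )?number\b",
]

# Permissions a third-party app of a given store category plausibly needs
# (constructed baseline; tune to your fleet). Anything else is "unrelated".
EXPECTED_PERMISSIONS = {
    "tools": {"android.permission.CAMERA", "android.permission.FLASHLIGHT"},
    "communication": {
        "android.permission.READ_CALL_LOG",
        "android.permission.READ_CONTACTS",
        "android.permission.CALL_PHONE",
    },
}
COMMON_BENIGN = {"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"}

# Packages the organisation has verified as genuine government apps (constructed, empty here).
VERIFIED_GOVERNMENT_PACKAGES: set[str] = set()


@dataclass
class InstalledApp:
    device_id: str
    package: str
    title: str
    developer: str
    category: str
    description: str
    permissions: set[str]
    rating_count: int
    one_star_ratio: float      # share of ratings that are one star
    has_privacy_policy: bool


def flags_for(app: InstalledApp) -> list[str]:
    """Return the red flags that apply to one installed app (empty if none)."""
    flags = []
    if app.title in KNOWN_FRAUD_TITLES:
        flags.append("ioc:known_fraud_title")
    desc = app.description.lower()
    if any(re.search(p, desc) for p in IMPOSSIBLE_CLAIM_PATTERNS):
        flags.append("heuristic:impossible_claim")
    # A developer name that reads like a government domain, on a package the
    # organisation has not verified as such, is the masquerading the article describes.
    if re.search(r"\bgov\b", app.developer, re.I) and app.package not in VERIFIED_GOVERNMENT_PACKAGES:
        flags.append("heuristic:government_masquerade")
    if app.rating_count >= 100 and app.one_star_ratio >= 0.5:
        flags.append("heuristic:negative_reviews")
    if not app.has_privacy_policy:
        flags.append("heuristic:no_privacy_policy")
    unrelated = app.permissions - EXPECTED_PERMISSIONS.get(app.category, set()) - COMMON_BENIGN
    if unrelated:
        short = ",".join(sorted(p.rsplit(".", 1)[-1] for p in unrelated))
        flags.append(f"heuristic:unrelated_permissions:{short}")
    return flags


def verdict(flags: list[str]) -> str:
    """Map flags to an action: IOC hit -> remove, several heuristics -> review."""
    if any(f.startswith("ioc:") for f in flags):
        return "remove"
    if len(flags) >= 2:
        return "review"
    return "monitor" if flags else "ok"


def triage(inventory: list[InstalledApp]) -> dict[str, list[tuple[str, str, list[str]]]]:
    """Group flagged apps by device: device_id -> [(package, verdict, flags)]."""
    report: dict[str, list[tuple[str, str, list[str]]]] = {}
    for app in inventory:
        flags = flags_for(app)
        if flags:
            report.setdefault(app.device_id, []).append((app.package, verdict(flags), flags))
    return report


# Constructed inventory, shaped like an MDM export. Package names are placeholders.
SAMPLE_INVENTORY = [
    InstalledApp("dev-001", "com.example.anycallhistory", "Call History of Any Number",
                 "Indian gov.in", "tools",
                 "See the call history of any number. Subscribe to unlock full details.",
                 {"android.permission.INTERNET", "android.permission.READ_SMS",
                  "android.permission.READ_CONTACTS"},
                 4200, 0.62, False),
    InstalledApp("dev-002", "com.example.flashlight", "Simple Flashlight",
                 "Example Tools", "tools", "Turns the camera flash on and off.",
                 {"android.permission.CAMERA", "android.permission.FLASHLIGHT"},
                 900, 0.05, True),
    InstalledApp("dev-002", "com.example.dialerplus", "Dialer Plus",
                 "Example Telecom", "communication",
                 "A replacement dialer showing your own call log and contacts.",
                 {"android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS",
                  "android.permission.CALL_PHONE", "android.permission.INTERNET"},
                 12000, 0.08, True),
]

if __name__ == "__main__":
    for device, hits in triage(SAMPLE_INVENTORY).items():
        for package, action, flags in hits:
            print(f"{device} {package} -> {action}: {', '.join(flags)}")
```

Only the exact title match is treated as an indicator; every other check is a heuristic that on its own earns "monitor" and only escalates to "review" when several coincide, which keeps a legitimate dialer that needs contacts and call-log access from being flagged because its permissions fit its stated category.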

Mitigation

  • Strategic: User education is the most powerful mitigation against fleeceware (M1017 - User Training). Teach users to be highly skeptical of apps that make claims that sound too good to be true. Train them to read reviews, check permissions, and verify the developer's reputation before installing.
  • Tactical: For organizations, implement an MDM policy that only allows the installation of applications from an approved list (allowlisting). This prevents users from installing unvetted apps from the public store. Encourage users to regularly review their app subscriptions in the Google Play Store and cancel any they do not recognize or no longer use.

Timeline of Events

1. May 8, 2026: This article was published.

MITRE ATT&CK Mitigations

The primary defense against fleeceware is educating users to be skeptical of app claims and to perform due diligence before installing.

Using MDM solutions to create an allowlist of approved applications for corporate devices can prevent the installation of fraudulent software.

D3FEND Defensive Countermeasures

In a corporate environment, the most effective way to prevent incidents like CallPhantom is through Executable Allowlisting, managed by a Mobile Device Management (MDM) or Unified Endpoint Management (UEM) solution. Instead of allowing users to install any app from the public Google Play Store, the organization should create a curated enterprise app store containing only vetted, approved applications required for business functions. This policy would prevent employees from downloading and installing the 28 fraudulent CallPhantom apps, completely neutralizing the threat on managed devices. This shifts the security model from a reactive, user-dependent approach to a proactive, policy-enforced one.
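The allowlisting policy described above is only as strong as the key it matches on. The following is an added example, not code from any MDM or UEM product or from the article: it evaluates install requests against an allowlist keyed on package name plus signing-certificate fingerprint, so that a title or a developer name such as "Indian gov.in" carries no weight in the decision. The allowlist entries, certificate bytes, package names and requests are constructed; a real deployment takes the fingerprint from the app's actual signing certificate.

```python
"""Evaluate app-install requests against an MDM-style executable allowlist.

Added example, not code from any MDM product or from the article. The
allowlist entries, certificate bytes and install requests are constructed;
real deployments pin the SHA-256 of the app's genuine signing certificate.
"""
import hashlib
from typing import NamedTuple


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 hex digest of a DER-encoded signing certificate."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed stand-ins for the DER bytes of two approved apps' signing certificates.
APPROVED_DIALER_CERT = b"constructed-der-bytes-for-example-telecom-signing-cert"
APPROVED_MAIL_CERT = b"constructed-der-bytes-for-example-mail-signing-cert"

# Allowlist: package name -> set of approved signing-certificate fingerprints.
# Titles and developer names are deliberately not part of the key; they are
# exactly what a masquerading app copies.
ALLOWLIST: dict[str, set[str]] = {
    "com.example.dialerplus": {cert_fingerprint(APPROVED_DIALER_CERT)},
    "com.example.mail": {cert_fingerprint(APPROVED_MAIL_CERT)},
}


class InstallRequest(NamedTuple):
    device_id: str
    package: str
    title: str
    developer: str
    signer_fingerprint: str


class Decision(NamedTuple):
    allowed: bool
    reason: str


def evaluate(req: InstallRequest, allowlist: dict[str, set[str]] = ALLOWLIST) -> Decision:
    """Allow only when both the package name and its signer are approved."""
    approved_signers = allowlist.get(req.package)
    if approved_signers is None:
        return Decision(False, f"package {req.package} is not on the allowlist")
    if req.signer_fingerprint not in approved_signers:
        return Decision(False, f"signing certificate for {req.package} does not match the approved signer")
    return Decision(True, "package and signing certificate match an approved entry")


def apply_policy(requests: list[InstallRequest]) -> list[tuple[str, str, Decision]]:
    """Decide every request; returns (device_id, package, decision) triples."""
    return [(r.device_id, r.package, evaluate(r)) for r in requests]


# Constructed requests covering the three cases the policy must separate.
SAMPLE_REQUESTS = [
    # Genuine approved app: listed package, approved signer.
    InstallRequest("dev-002", "com.example.dialerplus", "Dialer Plus", "Example Telecom",
                   cert_fingerprint(APPROVED_DIALER_CERT)),
    # Fleeceware-style app under a government-sounding developer name: not listed at all.
    InstallRequest("dev-001", "com.example.anycallhistory", "Call History of Any Number",
                   "Indian gov.in", cert_fingerprint(b"constructed-der-bytes-unknown-signer")),
    # Same package name, title and developer as the approved dialer, different signer.
    InstallRequest("dev-003", "com.example.dialerplus", "Dialer Plus", "Example Telecom",
                   cert_fingerprint(b"constructed-der-bytes-repackaged-signer")),
]

if __name__ == "__main__":
    for device, package, decision in apply_policy(SAMPLE_REQUESTS):
        state = "ALLOW" if decision.allowed else "DENY"
        print(f"{device} {package}: {state} ({decision.reason})")
```

The second request is what the article's campaign looks like to such a policy: it never reaches the user because the package is simply absent from the list. The third request shows why the signer fingerprint is part of the key: an app that copies an approved name still fails unless it was signed by the approved certificate.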

Sources & References

Article Author

Jason Gomes


• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Fleeceware, Android, Google Play, Scam, Mobile Security, ESET, CallPhantom
