Fraudulent apps on the Google Play Store have tricked millions of Android users into costly subscriptions, cybersecurity experts have revealed. These deceptive applications, which claimed to offer access to call histories for any phone number, were instead a front for financial scams targeting unsuspecting users primarily in India and the Asia-Pacific region.
Widespread Impact of Deceptive Apps
Slovakian cybersecurity firm ESET identified 28 such applications, collectively downloaded over 7.3 million times, that promised users access to call, SMS, and WhatsApp logs. However, after users made payments, they received only fabricated data. ESET named this deceptive campaign CallPhantom, highlighting its extensive reach, with one app alone surpassing 3 million downloads before removal from the Play Store.
Alarmingly, at least one of these apps was falsely marketed under the developer name ‘Indian gov.in’ to create a false sense of security. Once downloaded, users were prompted to make payments for access to fake data, embedded directly into the app’s code. These activities have been ongoing since at least November 2025.
Mechanisms of the Scam
These fraudulent apps employed various payment methods, including Google Play Store subscriptions, third-party payment apps like UPI, and direct credit card entries, the latter two violating Google’s policies. In some instances, exiting the app without payment triggered misleading notifications, drawing users back to subscription screens with false claims of successful data delivery.
The subscription costs varied, ranging between $6 to $80, impacting users who may have been unaware of the scam until their subscriptions were cancelled following the apps’ removal. While Google Play billing subscribers may seek refunds under Google’s policies, those who paid through other means are reliant on external providers or developers for refunds.
Global Context and Future Concerns
The exposure of this fraud coincides with similar malicious campaigns reported by Group-IB, which estimated that $2 million were stolen from Indonesian users through a campaign involving fake tax platform impersonations and other trusted brands. These operations, linked to the GoldFactory threat cluster, utilized phishing and social engineering tactics to distribute malware and facilitate financial theft.
The ongoing threat emphasizes the need for vigilance among users and highlights the importance of cybersecurity measures to prevent further incidents. As these fraudulent activities continue to evolve, users must remain informed and cautious to protect their financial and personal information.
With the potential for such scams to target broader populations, cybersecurity experts urge users to verify the authenticity of applications and remain cautious of unsolicited payment requests, ensuring that their digital interactions remain secure.
