Andy Walker / Android Authority
TL;DR
- Researchers found dozens of fraudulent Google Play apps that promised call, SMS, and WhatsApp history for any number.
- The apps had more than 7.3 million combined downloads before Google removed them.
- The apps charged users and returned fake data.
Google Play is supposed to be the safer place to get Android apps, but not every app on the store deserves your trust, especially if you’re seeking them out for potentially nefarious purposes. A newly detailed scam shows how far a dubious app can go before it’s stopped, with 28 apps on Google Play racking up more than 7.3 million downloads by promising access to other people’s call logs, SMS records, and WhatsApp call history.
Have you encountered a scam ad on Android?
1066 votes
ESET researchers detailed the scam in a WeLiveSecurity report, where they collectively refer to the apps as “CallPhantom.” The apps differed in appearance, but the trick was the same: you entered a phone number, paid to unlock the supposed communication records, and received fake data in return.
Don’t want to miss the best from Android Authority?
The researchers found that some apps generated random phone numbers and paired them with names and call details already embedded in the code. Others asked users for an email address where the ‘retrieved’ history would supposedly be sent. Either way, ESET says the apps didn’t request intrusive permissions or have any real ability to access the requested data.
Let’s not ignore the elephant in the room here. Nobody deserves to be scammed, but this is an unusual case where the bait itself was pretty dubious. The apps weren’t promising cheaper wallpapers or a better weather widget — they claimed to offer access to another person’s private communication history.
The payment side also made things messier. Some apps used Google Play’s official billing system, potentially allowing some victims to claim refunds. But ESET says others pushed users toward third-party payment apps or direct card checkout forms inside the app. In one case, when the users tried to leave the app, it showed deceptive alerts styled like new emails that claimed the call history results had arrived, then sent users back to a subscription screen.
ESET reported the 28 apps to Google on December 16, and all of them had been removed from Google Play by the time the report was published. While sideloading might get more flak when it comes to scam protection, we’re reminded that the Play Store can still give bad apps a huge audience once they slip through.
Thank you for being part of our community. Read our Comment Policy before posting.