CallPhantom: 7.3M Scammed—How 28 Fake Apps Exploited Google Play's Trust Model
TL;DR
ESET researchers uncovered CallPhantom, a coordinated scam across 28 fraudulent Android apps claiming to retrieve call history, SMS records, and WhatsApp logs for any phone number. With 7.3 million cumulative downloads targeting India and Asia-Pacific users, these apps generated entirely fake data while charging subscription fees up to $80. Google removed all apps after ESET's December 2025 report.
What Happened
On May 7, 2026, ESET disclosed a large-scale fraud campaign spanning 28 deceptive Android applications available on Google Play Store. The apps falsely promised users access to call histories, SMS records, and WhatsApp call logs for any phone number—a technically impossible capability designed purely to exploit curiosity and manipulate victims into paying.
Key Facts:
- Scale: 7.3 million combined downloads (largest app: 3+ million downloads)
- Geographic Focus: India and broader Asia-Pacific region
- Discovery: November 2025 (first identified via a Reddit post); reported to Google on Dec. 16, 2025
- Status: All 28 apps removed from Google Play as of publication
- Subscription Prices: €5 to $80 USD depending on app and package tier
The apps targeted Android users by combining:
1. Fake app developer names (including "Indian gov.in" impersonation)
2. Positive (fabricated) reviews
3. Screenshot demonstrations of fake call history data
4. Multi-language support across India and Southeast Asia
Technical Details
Payload Architecture:
CallPhantom apps employed simple but effective deception. The researchers identified two primary clusters:
Cluster 1 - Hardcoded Data Generation:
Apps embedded fixed names, country codes, and call templates directly in their source code, then generated random phone numbers and timestamps. Users saw a partial "preview" of results before the payment prompt; paying triggered the full fake call-history display.
Cluster 2 - Email Delivery Scam:
Apps requested the user's email address, promising call logs would be delivered post-payment. No data was generated until the victim subscribed, creating a sunk-cost manipulation.
Payment Evasion:
The apps implemented three payment methods to maximize conversion and complicate refund efforts:
1. Google Play's official billing system (covered by Google's refund protection)
2. Third-party UPI apps (Google Pay, PhonePe, Paytm) — circumventing Google's refund policy
3. Embedded card checkout forms — direct processing, with the checkout details either hardcoded or fetched dynamically from Firebase, allowing operators to change payment accounts on the fly
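The three payment paths above leave recognisable traces in an app's strings: UPI deep links with a payee address, hosted card-checkout URLs, Firebase endpoints that can serve a replacement destination at runtime, and the Play Billing permission. The following triage script is an added example, not ESET's tooling or any of the CallPhantom apps' code; the string list is constructed for illustration, the payee addresses and checkout host are placeholders, and the scoring thresholds are this example's own assumptions.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample: the kind of strings an analyst pulls from an APK's resources
# and decompiled classes. Values are illustrative placeholders, not published IoCs.
SAMPLE_STRINGS = [
    "https://firebaseremoteconfig.googleapis.com/v1/projects/example-project/namespaces/firebase:fetch",
    "upi://pay?pa=merchant-example@upi&pn=CallHistory%20Pro&am=499&cu=INR",
    "upi://pay?pa=other-merchant@upi&pn=CallHistory%20Pro&am=1999&cu=INR",
    "https://example-checkout.invalid/pay/card",
    "Call history for this number will be emailed after verification",
    "com.android.vending.BILLING",
    "Retrieving call logs...",
]

# Firebase hosts from which a remotely configurable payment destination could be fetched.
FIREBASE_HOST_RE = re.compile(
    r"firebaseio\.com|firebaseremoteconfig\.googleapis\.com|firestore\.googleapis\.com", re.I
)
# Heuristic for a hosted card-checkout page embedded in a WebView (assumed pattern).
CARD_FORM_RE = re.compile(r"https?://\S*(checkout|/pay\b|card)", re.I)


def scan_strings(strings):
    """Collect payment-path indicators from a list of extracted strings."""
    findings = {"upi_payees": [], "firebase_config": [], "card_forms": [], "play_billing": False}
    for s in strings:
        if s.startswith("upi://"):
            # NPCI UPI deep link: pa = payee VPA, am = amount, cu = currency
            q = parse_qs(urlparse(s).query)
            findings["upi_payees"].append(
                {"pa": q.get("pa", [""])[0], "am": q.get("am", [""])[0]}
            )
        elif FIREBASE_HOST_RE.search(s):
            findings["firebase_config"].append(s)
        elif CARD_FORM_RE.search(s):
            findings["card_forms"].append(s)
        elif s == "com.android.vending.BILLING":
            findings["play_billing"] = True
    return findings


def assess(findings):
    """Turn raw indicators into review reasons; an empty list means nothing to escalate."""
    reasons = []
    payees = {p["pa"] for p in findings["upi_payees"] if p["pa"]}
    if payees:
        reasons.append("third-party UPI payee(s) bypass Play refund protection: " + ", ".join(sorted(payees)))
    if len(payees) > 1:
        reasons.append("multiple UPI payees suggest switchable payment accounts")
    if findings["card_forms"]:
        reasons.append("embedded card checkout form outside Play Billing")
    if findings["firebase_config"] and (payees or findings["card_forms"]):
        reasons.append("Firebase endpoint present alongside off-platform payment; destination may be changed remotely")
    if findings["play_billing"] and (payees or findings["card_forms"]):
        reasons.append("Play Billing declared but off-platform payment paths also present")
    return reasons


if __name__ == "__main__":
    f = scan_strings(SAMPLE_STRINGS)
    for r in assess(f):
        print("-", r)
```

Run it against the output of your own string extraction (for example `strings classes.dex` or apktool's decoded resources); a listing that mixes Play Billing with UPI or card-form strings is exactly the pattern the text describes and warrants a manual look at the checkout flow.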
Behavioral Manipulation:
One cluster deployed deceptive notifications: when users exited without paying, fake "email received" alerts would trigger, redirecting victims directly to subscription screens.
Permissions & Capabilities:
Notably, CallPhantom apps required no invasive permissions and contained no actual functionality to retrieve real call, SMS, or WhatsApp data. The entire operation was psychological exploitation—leveraging social curiosity and false legitimacy.
Lyrie Assessment
Why This Matters to Security Leaders:
1. Platform Trust Erosion: Google Play's position as the "trusted" app store has demonstrably failed at scale—7.3 million users downloaded known-fraudulent software. This signals a gap in Google's vetting and ongoing monitoring that extends beyond app store review processes.
2. Payment System Abuse: The coordinated use of third-party UPI integrations and Firebase dynamic URL fetching shows attackers actively evading Google's payment policy enforcement. Real-time configuration updates mean a single operator can pivot multiple apps' payment accounts, creating a moving target for law enforcement and refund automation.
3. Identity Spoofing at Platform Level: Impersonating "Indian gov.in" demonstrates how platform policies around developer identity verification remain insufficient. Users have no reliable way to distinguish legitimate government apps from sophisticated fakes.
4. User Psychology as Attack Surface: The deceptive notification tactic (fake email alerts) reveals that social engineering—not malware—remains the primary attack vector in consumer mobile security. Users can be manipulated into paying for nothing through behavioral nudges alone.
5. Refund Policy Gaps: By forcing users through third-party payment channels, CallPhantom operators deliberately created a situation where victims lose Google's refund protection. This represents a documented attack on the consumer protection mechanism itself.
For Defenders:
- Monitor app store removals and Google's transparency reports; removals often indicate coordinated fraud patterns not yet widely detected.
- User education on technically impossible app claims (e.g., "view any phone's private data") remains underutilized but critical.
- Consider payment method enforcement in your organization's BYOD policies—third-party UPI integrations create compliance and financial risk.
- APT groups and fraud operators are converging on the same tactics: legitimate-looking apps, social engineering, payment evasion. Your endpoint detection should prioritize behavioral indicators (payment prompts, unusual network destinations) over signature-based flagging.
Recommended Actions
1. For Users: Check Google Play's Subscriptions settings (Profile → Payments & Subscriptions → Subscriptions) and cancel any unfamiliar recurring charges. Request refunds within 48 hours for fraudulent apps using Google Play's official support channel—third-party payments require manual dispute filing.
2. For IT/CISO Teams: Audit BYOD logs for installations of flagged apps (ESET has published the full package name list). Flag users with active subscriptions on any of the 28 CallPhantom apps and initiate user training on app store scams.
3. For App Developers & Platforms: Implement continuous behavioral monitoring post-launch (watching for payment patterns, hardcoded payment redirects, Firebase dynamic config fetches). Update app review rubrics to reject technically impossible claims ("access any phone's private data without authorization").
4. For Google Play: Extend refund protection to third-party payment methods, or enforce payment method whitelist policies with real-time compliance audits. The current approach penalizes legitimate small developers while enabling coordinated fraud operators.
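The IT/CISO step above (audit BYOD inventories for flagged package names and prioritise users with active subscriptions) and the developer-impersonation point from the assessment can be combined in one inventory pass. This script is an added example, not ESET's or any MDM vendor's tooling: the package names in the blocklist are placeholders to be replaced with ESET's published list, the inventory CSV is constructed, and the column names and the priority scheme are this example's own assumptions.

```python
import csv
import io
import re

# PLACEHOLDER blocklist: substitute the package names ESET published. These
# example values are not real CallPhantom package names.
FLAGGED_PACKAGES = {
    "com.example.callhistory.fake1",
    "com.example.whatsappcalllog.fake2",
}

# Constructed MDM inventory export; column names are assumed, values are illustrative.
SAMPLE_INVENTORY = """device_id,user,package,developer,install_source,has_active_subscription
dev-001,alice,com.example.callhistory.fake1,Indian gov.in,com.android.vending,true
dev-002,bob,com.example.notes,Notes Co,com.android.vending,false
dev-003,carol,com.example.whatsappcalllog.fake2,Call Tools,com.android.vending,false
dev-004,dave,com.example.banking,Example Bank,com.android.vending,true
dev-005,erin,com.example.tracker,gov.in Services,com.android.vending,false
"""

# Developer names claiming government affiliation get a manual publisher check,
# not an automatic verdict; the pattern mirrors the "Indian gov.in" impersonation.
GOV_CLAIM_RE = re.compile(r"gov\.in|government of india", re.I)


def audit_inventory(csv_text, flagged=FLAGGED_PACKAGES):
    """Return one finding per (device, package) that needs action, highest priority first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        is_flagged = row["package"] in flagged
        subscribed = row["has_active_subscription"].strip().lower() == "true"
        reasons = []
        if is_flagged:
            reasons.append("package on fraud blocklist")
        if GOV_CLAIM_RE.search(row["developer"]):
            reasons.append("developer name claims government affiliation; verify publisher")
        if not reasons:
            continue
        if is_flagged and subscribed:
            priority = "high"    # recurring charge is live: cancel and start refund/dispute
        elif is_flagged:
            priority = "medium"  # installed but no active charge: remove and notify
        else:
            priority = "review"  # only the developer-name heuristic fired
        findings.append({
            "device_id": row["device_id"],
            "user": row["user"],
            "package": row["package"],
            "subscribed": subscribed,
            "priority": priority,
            "reasons": reasons,
        })
    order = {"high": 0, "medium": 1, "review": 2}
    findings.sort(key=lambda f: (order[f["priority"]], f["user"]))
    return findings


def users_to_notify(findings):
    """Users who need the app-store scam briefing and, if subscribed, refund guidance."""
    return sorted({f["user"] for f in findings if f["priority"] in ("high", "medium")})


if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f["priority"].upper(), f["device_id"], f["user"], f["package"], "; ".join(f["reasons"]))
    print("notify:", users_to_notify(audit_inventory(SAMPLE_INVENTORY)))
```

Feed it the CSV your MDM exports (most can dump installed packages per device); the "high" rows are the users whose recurring charge should be cancelled through the Play Subscriptions screen or, for UPI and card payments, disputed manually, as the user guidance above describes.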
Sources
1. ESET Research: "CallPhantom scam on Google Play" — https://www.eset.com/us/about/newsroom/research/eset-research-callphantom-scam-google-play/
2. WeliveSecurity: "Fake call logs, real payments: How CallPhantom tricks Android users" — https://www.welivesecurity.com/en/eset-research/fake-call-logs-real-payments-how-callphantom-tricks-android-users/
3. Help Net Security: "CallPhantom Android scam reached 7.3 million downloads on Google Play" — https://www.helpnetsecurity.com/2026/05/07/callphantom-android-scam-google-play/
4. The Hacker News: "Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads" — https://thehackernews.com/2026/05/fake-call-history-apps-stole-payments.html
5. GBHackers: "Fake Call History Apps on Google Play Steal Payments, Hit 7.3M+ Downloads" — https://gbhackers.com/fake-call-history-apps-on-google-play/
Lyrie.ai Cyber Research Division
Lyrie Verdict
Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.