
Fraudulent Android apps promising private call records for any phone number drew more than 7.3 million downloads on Google Play before being removed, exposing fresh weaknesses in app-store screening, digital payments oversight and consumer protection around subscription fraud.
The 28 apps, tracked under the name CallPhantom, advertised access to call histories, SMS records and WhatsApp call logs, a service they could not legitimately provide. Users were asked to pay before seeing the full results, but the information displayed after payment was fabricated through randomised numbers, fixed names, preset call times and embedded templates rather than retrieved from any telecom or messaging database.
Several of the apps appeared to target users in India and the wider Asia-Pacific region, with many interfaces preselecting the +91 country code and offering UPI-based payments. One app, “Call History of Any Number”, was published under the misleading developer name “Indian gov. in”, despite having no link to any government body. That branding gave the scam an appearance of official backing while pushing users towards paid access to non-existent data.
The deception followed two broad patterns. One group of apps generated partial fake call logs before payment, creating the impression that genuine records had already been found. A second group asked users to enter an email address, claimed the results would be sent later, and then directed them towards subscription screens or one-off payments. Both models relied on the same false premise: that an ordinary consumer app could reveal the communications history of any number without consent, carrier access or lawful authorisation.
Payment handling made the operation more damaging for victims. Some apps used Google Play’s billing system, which at least placed subscriptions inside the platform’s standard refund and cancellation framework. Others routed payments through third-party UPI links or embedded card checkout forms inside the app. Those methods placed transactions outside Google’s usual billing controls, leaving victims dependent on banks, payment apps or developers for refunds. Google Play rules require developers selling in-app digital goods or services to use the platform’s billing system unless a specific exemption applies.
The case also raised questions about how apps making impossible claims passed store checks. Google Play’s policy bars apps from misrepresenting functionality, claiming features they cannot perform, or falsely suggesting affiliation with governments or established entities. Separate rules restrict access to SMS and call log permission groups because such data is considered high-risk and sensitive. CallPhantom apps did not need genuine access to those logs to cause harm; the fraud worked by pretending such access was available and monetising that claim.
The apps were removed after the findings were reported to Google through the App Defense Alliance channel. Subscriptions purchased through Google Play billing were cancelled when the apps left the store, but purchases made through external payment routes remained more difficult to reverse. The episode highlights a persistent challenge for app marketplaces: scams can cause financial loss without necessarily behaving like conventional malware, stealing files or exfiltrating credentials.
CallPhantom exploited curiosity, mistrust and the demand for surveillance-like services. The apps’ marketing suggested that users could check a partner, employee, unknown caller or rival number, turning privacy invasion into a paid feature. That pitch was legally and technically implausible. Telecom call records are protected data, WhatsApp call histories are not publicly searchable, and SMS logs cannot be lawfully retrieved from another person’s phone through a consumer utility downloaded from an app store.
The scale of downloads shows how fraudsters can use simple social engineering rather than sophisticated malware to reach millions. Fake screenshots, partial previews, official-sounding names and low-cost weekly plans can reduce suspicion long enough for users to pay. Subscription models add another layer of risk because small recurring charges may go unnoticed, especially when victims delete the app but fail to cancel the payment agreement.
Google faces the task of tightening review checks for apps that make unverifiable claims about sensitive personal data. Developers advertising access to call logs, messages or private records could face stricter scrutiny before publication, particularly when they combine such claims with subscriptions or external payment flows. Stronger checks on developer names that imply state affiliation would also reduce the credibility of impersonation-based scams.