
Fake call logs, real payments: How CallPhantom tricks Android users

ESET researchers discovered a cluster of 28 fraudulent Android applications, dubbed CallPhantom, that accumulated over 7.3 million downloads on Google Play. The apps claim to retrieve call and message logs for any phone number the user enters; in reality they display fabricated data built from hardcoded templates and randomly generated numbers, and use it as bait to collect subscription payments through Google Play billing, UPI, or direct card entry.

Confidence: high · Analyzed: 2026-05-07 · Google

Authors: ESET Research

Actors: CallPhantom

Source: ESET

IOCs · 10

Detection / Hunter: Google

What Happened

Security researchers found 28 scam apps on the Google Play Store that had been downloaded over 7.3 million times. The apps, aimed mostly at Android users in India and the Asia-Pacific region, promised to show the call and message history of any phone number. In reality they generated fake data and used it to push people into paying for expensive subscriptions. Google has since removed the apps from the store. Anyone who installed them should cancel any associated subscription and request a refund through Google Play or their payment provider.

Key Takeaways

  • ESET identified 28 fraudulent Android apps dubbed CallPhantom on Google Play with over 7.3 million downloads.
  • The apps falsely claim to retrieve call, SMS, and WhatsApp logs for any number, instead generating fake data using hardcoded templates.
  • Scammers monetize the apps via subscriptions, third-party UPI payments, and direct credit card forms, often bypassing Google Play's billing policies.
  • Deceptive tactics include fake email notifications to trick users into paying for the fabricated data.

Affected Systems

  • Android OS
  • Google Play Store users (primarily in India and Asia-Pacific)

Attack Chain

Users download the CallPhantom app from the Google Play Store, lured by false promises of viewing call and message logs for any number. Upon launching, the app either displays a fabricated preview of call logs using hardcoded names and random numbers, or prompts the user for an email address. To view the full logs or receive the email, the user is forced to pay a subscription fee via Google Play billing, a third-party UPI link fetched from a Firebase C2, or a direct credit card form. If the user attempts to exit without paying, the app displays deceptive notifications mimicking email alerts to coax them back into the payment flow.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules, but lists file hashes, package names, and network IOCs for identifying the fraudulent apps.

Detection Engineering Assessment

  • EDR Visibility: Low. EDR is typically not deployed on the personal mobile devices where these apps are installed.
  • Network Visibility: Medium. Traffic to the identified Firebase C2 hostnames can be observed on corporate Wi-Fi or at mobile network gateways.
  • Detection Difficulty: Moderate. Detection relies on MDM app inventory to spot the listed package names, or on DNS/firewall monitoring for the specific Firebase Realtime Database hostnames; the parent domain firebaseio.com is used by a large number of legitimate apps, so matching must be on the full hostname rather than the suffix.

Required Log Sources

  • Mobile Device Management (MDM) app inventory
  • DNS query logs
  • Firewall traffic logs

Hunting Hypotheses

Hypothesis: Mobile devices on the corporate network are communicating with known CallPhantom Firebase C2 domains.
Telemetry: DNS query logs, firewall traffic logs
ATT&CK Stage: Command and Control
FP Risk: Low when matching the specific full hostnames; high if matching on firebaseio.com alone, since Firebase itself is highly prevalent

Control Gaps

  • Lack of MDM on BYOD devices
  • Google Play Store app vetting bypass

Key Behavioral Indicators

  • Presence of specific Android package names (e.g., com.pixelxinnovation.manager)
  • Network connections to specific Firebase Realtime Database instances
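The hunting hypothesis and the behavioral indicators above reduce to two exact-match checks: the full Firebase Realtime Database hostnames in DNS or firewall logs, and the listed package names in an MDM app inventory. The script below is an added example and is not code from ESET or from this page. The resolver log format ("timestamp client_ip qtype qname") and the MDM inventory structure are assumptions; the DNS lines and device inventory are constructed sample data. It also counts how many queries a naive firebaseio.com suffix match would flag, to make the false-positive caveat concrete.

```python
"""Hunt for CallPhantom IOCs in DNS logs and an MDM app inventory (added example)."""
import re
from typing import Dict, Iterable, List, Tuple

# IOCs as listed on this page; domains are kept defanged and refanged at load time.
IOC_DOMAINS_DEFANGED = [
    "call-history-ecc1e-default-rtdb[.]firebaseio[.]com",
    "chh1-ac0a3-default-rtdb[.]firebaseio[.]com",
]
IOC_PACKAGES = {
    "calldetaila.ndcallhisto.rytogetan.ynumber",
    "com.pixelxinnovation.manager",
    "com.app.call.detail.history",
    "all.callhistory.detail",
}


def normalize_fqdn(name: str) -> str:
    """Refang [.] to ., lowercase, and drop a trailing dot so exact comparison works."""
    return name.replace("[.]", ".").strip().rstrip(".").lower()


IOC_DOMAINS = {normalize_fqdn(d) for d in IOC_DOMAINS_DEFANGED}

# Assumed resolver log line: "<timestamp> <client_ip> <qtype> <qname>"
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")


def hunt_dns(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, qname) for queries whose full hostname is a listed IOC."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line, skip rather than crash the hunt
        qname = normalize_fqdn(m.group("qname"))
        if qname in IOC_DOMAINS:
            hits.append((m.group("client"), qname))
    return hits


def count_suffix_hits(lines: Iterable[str], suffix: str = "firebaseio.com") -> int:
    """Queries a naive suffix match would flag; shows why matching on the parent domain is noisy."""
    count = 0
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if m and normalize_fqdn(m.group("qname")).endswith("." + suffix):
            count += 1
    return count


def hunt_packages(inventory: List[Dict]) -> List[Tuple[str, List[str]]]:
    """inventory is an assumed MDM export: [{"device": str, "packages": [str, ...]}, ...]."""
    hits = []
    for dev in inventory:
        bad = sorted(IOC_PACKAGES.intersection(p.lower() for p in dev["packages"]))
        if bad:
            hits.append((dev["device"], bad))
    return hits


# Constructed sample data: two IOC queries (one with a trailing dot, one upper-cased),
# one legitimate Firebase app, one unrelated query, one malformed line.
SAMPLE_DNS = [
    "2026-05-07T09:12:01Z 10.20.30.41 A call-history-ecc1e-default-rtdb.firebaseio.com.",
    "2026-05-07T09:12:03Z 10.20.30.41 A www.google.com",
    "2026-05-07T09:13:10Z 10.20.30.57 A myshop-1a2b3c-default-rtdb.firebaseio.com",
    "2026-05-07T09:14:22Z 10.20.30.88 AAAA CHH1-AC0A3-DEFAULT-RTDB.FIREBASEIO.COM",
    "malformed line",
]
SAMPLE_INVENTORY = [
    {"device": "android-7f3a", "packages": ["com.android.chrome", "com.pixelxinnovation.manager"]},
    {"device": "android-91c2", "packages": ["com.whatsapp", "org.mozilla.firefox"]},
    {"device": "android-b004", "packages": ["com.app.call.detail.history", "all.callhistory.detail"]},
]

if __name__ == "__main__":
    for client, qname in hunt_dns(SAMPLE_DNS):
        print(f"DNS hit: {client} -> {qname}")
    print(f"naive firebaseio.com suffix match would flag {count_suffix_hits(SAMPLE_DNS)} queries")
    for device, pkgs in hunt_packages(SAMPLE_INVENTORY):
        print(f"MDM hit: {device} has {', '.join(pkgs)}")
```

On the sample data the exact-hostname hunt returns the two IOC queries only, while the suffix match also flags the legitimate Firebase-backed app; in a real corporate DNS log that third category is the bulk of firebaseio.com traffic, which is why the FP risk is rated low only for full-hostname matches.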

False Positive Assessment

  • Low, provided matches are made on the exact package names and full Firebase Realtime Database hostnames listed in the IOCs; matching on the firebaseio.com suffix alone would flag large amounts of legitimate app traffic.

Recommendations

Immediate Mitigation

  • Uninstall any identified CallPhantom apps from mobile devices.
  • Cancel any active subscriptions associated with these apps via the Google Play Store or third-party payment providers.

Infrastructure Hardening

  • Block known CallPhantom Firebase C2 domains on corporate network firewalls and DNS filters.

User Protection

  • Implement Mobile Device Management (MDM) to restrict the installation of unapproved applications on corporate-owned devices.

Security Awareness

  • Educate users that no app can retrieve another person's call or message logs: Android's READ_CALL_LOG and READ_SMS permissions only expose the logs of the device the app runs on, and carriers do not expose other subscribers' records to third-party apps. Any app promising this is a scam.
  • Warn users about the risks of entering credit card information directly into unverified mobile applications.

MITRE ATT&CK Mapping

  • T1437.001 - Application Layer Protocol: Web Protocols
  • T1643 - Generate Traffic from Victim

Additional IOCs

  • Domains:
    • call-history-ecc1e-default-rtdb[.]firebaseio[.]com - Firebase C&C domain used by CallPhantom
    • chh1-ac0a3-default-rtdb[.]firebaseio[.]com - Firebase C&C domain used by CallPhantom
  • File Hashes:
    • 87F6B2DB155192692BAD1F26F6AEBB04DBF23AAD (SHA1) - Malicious APK (com.pixelxinnovation.manager) with 1M+ downloads
    • FC3BA2EDAC0BB9801F8535E36F0BCC49ADA5FA5A (SHA1) - Malicious APK (com.app.call.detail.history) with 1M+ downloads
    • 799BB5127CA54239D3D4A14367DB3B712012CF14 (SHA1) - Malicious APK (all.callhistory.detail)
  • Other:
    • calldetaila.ndcallhisto.rytogetan.ynumber - Malicious Android package name
    • com.pixelxinnovation.manager - Malicious Android package name
    • com.app.call.detail.history - Malicious Android package name