Fake Call History Apps Hit Google Play: 7.3M Downloads and a Clear Privacy Lesson

ESET researchers reported a group of fraudulent Android apps, which they call CallPhantom, that appeared on the official Google Play Store and claimed to provide call history, SMS records, or WhatsApp call logs for any phone number. The Hacker News reported that 28 apps tied to the activity collectively reached more than 7.3 million downloads before being removed.

The promise was the hook: type in a number, pay a subscription or fee, and supposedly receive private call data. According to ESET, users did not get real records. They received fabricated information, while the apps collected payments through Google Play billing, third-party UPI apps, or in-app card forms.

This story is not only about financial fraud. It also shows how easily privacy-invasive promises can be packaged as normal mobile apps. An app that claims it can reveal another person's call logs should immediately raise a red flag: if the claim were real, it would be a serious privacy abuse; if it is fake, it is likely a scam.

The campaign also undercuts the idea that the official app store alone is enough of a safety check. Store review helps, but users still need to look at developer reputation, permissions, reviews, payment prompts, and whether the app's core promise sounds legal or realistic.

If you installed a call-history lookup app, phone tracker, SMS viewer, or similar tool, remove it unless you can verify it is legitimate and necessary. Check active subscriptions in Google Play, review recent payments, and contact your card provider or payment app if you see charges you did not intend to keep.

Then do the basic cleanup: update Android and Google Play services, run Play Protect, review app permissions for contacts, phone, SMS, notification access, accessibility services, and VPN profiles, and remove apps you do not recognise. Be especially cautious with apps that ask for payment before showing proof that the feature works.

A reputable VPN is useful on public Wi-Fi and can reduce what local networks, ISPs, and hotspots learn about your browsing. It is part of a sensible mobile privacy stack, especially when travelling or using networks you do not control.

But a VPN cannot make a scam app honest. If an app tricks you into paying, asks for invasive permissions, or makes impossible promises about accessing someone else's phone records, the risk is happening at the app and account layer. The VPN protects the network connection; it does not vet the business model behind an app.

The biggest lesson is simple: be sceptical of apps that sell access to other people's private data. Real privacy tools should reduce exposure, explain limitations, and respect consent. They should not promise secret access to call logs or messages.

For normal users, the safer path is boring but effective: install fewer apps, avoid miracle trackers, use unique passwords and MFA, keep a trustworthy VPN for hostile networks, and pick security tools from companies with clear ownership, support, and independent scrutiny.