Call Phantom Android App Scam Reaches 7.3 Million Downloads on Google Play Store


Scammers Exploit Call Record Curiosity Gap, Pull in Over 7.3 Million Victims

A recent wave of scams targeting Android users has leveraged a widespread interest in accessing call records associated with specific phone numbers.

Malicious Applications on Google Play Store

Researchers have identified a cluster of 28 malicious applications on the Google Play store that exploited this curiosity gap, ultimately pulling in over 7.3 million victims worldwide, primarily in India and the Asia-Pacific region.

“The scam relied on a simple yet effective tactic: advertising access to call histories, SMS records, and call logs for any phone number provided by the user.” – According to researchers

Upon payment, these applications delivered fabricated data drawn from hardcoded lists of names, country codes, timestamps, and call durations. Notably, none of these applications contained code capable of retrieving actual communications data or requested the necessary permissions to do so.
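The gap between what these apps advertised and what they asked Android for can be checked mechanically during triage. The following is an added example, not code from the researchers or from the original article; it assumes a decoded `AndroidManifest.xml` and the store listing text are available as strings, and the keyword list, sample listing and sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# (label, listing keywords, permission needed to read that data on the device)
CLAIMS = [
    ("call records", ("call histor", "call log", "call record"),
     "android.permission.READ_CALL_LOG"),
    ("SMS records", ("sms",), "android.permission.READ_SMS"),
]

# Constructed sample inputs (not taken from any real app).
SAMPLE_LISTING = "Get call history and SMS records of any number instantly"
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.callreport">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names


def unsupported_claims(listing_text, manifest_xml):
    """Map each advertised data type to the permission the app never requests."""
    text = listing_text.lower()
    declared = declared_permissions(manifest_xml)
    return {
        label: permission
        for label, keywords, permission in CLAIMS
        if any(k in text for k in keywords) and permission not in declared
    }


if __name__ == "__main__":
    for label, permission in unsupported_claims(SAMPLE_LISTING, SAMPLE_MANIFEST).items():
        print(f"advertises {label} but does not request {permission}")
```

A hit is a triage signal that the listing promises data the app cannot read. The reverse does not hold: requesting these permissions only exposes records on the user's own device, never those of an arbitrary phone number.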

Operational Models and Payment Methods

Two distinct operational models emerged within this campaign. The first cluster of applications generated partial fake results immediately upon installation, prompting victims to pay for access to the remaining information. The second cluster required victims to submit their address before promising to deliver the desired call history, often through fake notifications claiming the report was ready.

Many of the affected applications preselected the +91 country code and integrated Unified Payments Interface (UPI), a popular payment method in India. Reviewers on the Google Play store noted the consistent pattern of users paying for the service and receiving random data with no means of seeking a refund.

Payment Routes and Refunds

Some of the applications routed payments around Google’s official billing system. Three payment methods emerged in total: Google Play’s official billing system, third-party UPI apps, and payment card checkout forms embedded directly in the application interface. The latter two methods contravened Google’s payment policy.

Subscription prices varied across the applications, ranging from approximately $5 to $80, with weekly, monthly, and yearly packages available. However, refunds for subscriptions purchased through these applications fell outside Google’s jurisdiction. Users who purchased through third-party UPI apps or entered card details within the application must seek reimbursement directly from the payment provider or the application developers.

Efforts to Combat Mobile Threats

As part of its efforts to combat mobile threats, ESET partnered with the App Defense Alliance and classified the malicious applications under the Android/CallPhantom detection family. Additionally, researchers mapped the campaign against the MITRE ATT&CK framework, highlighting the use of Firebase Cloud Messaging for command-and-control communication.

This campaign serves as another reminder of the ongoing threat landscape facing Android users, emphasizing the importance of caution when encountering applications that promise sensitive information.


