There is no app that lets you pull up someone else’s call history. There never has been, and there almost certainly never will be — carriers don’t expose that data, and no third-party developer has the access required to retrieve it. This is not a grey area; it is simply not possible. And yet, 7.3 million people, according to welivesecurity have downloaded apps that claimed to do exactly that.
Security researchers at ESET spent months untangling a sprawling family of 28 fraudulent Android apps they collectively dubbed CallPhantom — apps that promised users a window into anyone’s phone activity: call logs, SMS records, even WhatsApp history. Enter a number, pay a small fee, and the secrets of whoever you were looking up would supposedly come spilling out. What actually came out was fiction — random phone numbers dressed up with hardcoded names and timestamps, generated by the app itself, designed to look just convincing enough to seem real. The payoff is that users only saw this fake data after they’d already paid. That sequencing wasn’t accidental.
Google Play Store had a serious blind spot here
All 28 apps sat on the Google Play Store long enough to accumulate millions of downloads. One of them was published under the name “Indian gov.in,” a developer handle implying government legitimacy it had no right to claim. Several had review sections full of users explicitly writing that they’d been scammed, and those warnings coexisted with clusters of suspiciously enthusiastic five-star reviews that kept the ratings looking respectable.
ESET flagged the full set to Google in December 2025, and the apps were removed. But the removal came from an external report, not from Google catching something itself. For a platform that has invested heavily in automated threat detection and the App Defense Alliance framework, letting 28 variants of the same scam — all promising the same technically impossible feature — accumulate millions of downloads is a significant gap.
Some apps made things worse by bypassing Google’s payment infrastructure entirely, routing users to third-party UPI transactions or to direct card entry fields embedded in the app. That’s a violation of Play Store policy, but it also means Google can’t issue refunds to those users. Anyone who paid outside the official billing system has to chase down the payment provider themselves, or the developers, who, it goes without saying, are not particularly motivated to help.
The apps worked because the pitch was irresistible
The more uncomfortable part of this story is what drove 7.3 million downloads in the first place. These apps didn’t offer cloud storage or a new way to edit photos. They offered something people actually wanted badly enough to pay for: the ability to spy on someone — a partner, an ex, a teenager, or a business contact. Whatever the reason, there was clearly a large and willing audience for the idea.
The apps leaned into that desire with ruthless precision. They preselected India’s +91 country code by default and supported UPI payments, which signals that the scammers understood their target demographic well. Subscription tiers ranged from a few euros per week to $80 a year, giving users options that felt like a legitimate service and catered to different needs. One app, when a user tried to exit without paying, sent a fake push notification styled to look like an email had just arrived with the results — a last-ditch nudge that led straight back to the paywall.
It worked because curiosity is a powerful thing, and the apps were designed by people who understood that. Strip away the technical scaffolding and what you have is a very old scam: charge someone for something they desperately want, give them a plausible-looking nothing, and count on embarrassment to keep them from complaining too loudly.
For anyone caught up in this, subscriptions processed through Google Play’s official system can be canceled — and potentially refunded — through the Play Store’s payment settings. Everything else is a harder conversation with whoever processed the payment.
