Google Play Scam Apps Hit 7.3M Downloads with Fake Call Logs
Briefly

"ESET Research said it found 28 fraudulent Android apps, collectively known as CallPhantom, that claimed to retrieve call logs, SMS records, and WhatsApp call history for any phone number. The apps had been downloaded more than 7.3 million times before Google removed them from Google Play. A Google Play scam sold users the fantasy of peeking at someone else's call history. The records were fake, but the payments were real."
"“Unsurprisingly, our analysis showed that the 'call history' data provided by this app is entirely fabricated,” Štefanko said. The app generated random phone numbers and paired them with fixed names, call times, and call durations embedded in the code. Screenshots helped sell the illusion. In one Google Play listing, the app appeared to show call-history results as proof of functionality, but ESET researcher Lukáš Štefanko said the records were invented."
"The app names did much of the work. Listings such as “Call History of Any Number” made the offer instantly understandable, packaging access to private records as a simple mobile utility. The listings also had warning signs in plain view. Victims left negative reviews accusing the apps of scamming them, while some glowing reviews appeared to be fake. The store pages had just enough polish to make the scam look worth trying."
"Some CallPhantom apps teased users with partial results before asking them to pay for the full history. Others asked for an email address where the records would be sent before requesting payment. The case is a reminder that scam apps do not need sophisticated hacking tools to reach users at scale. CallPhantom relied on a familiar app-store setting, an invasive-sounding service, and a payment prompt."
ESET identified 28 fraudulent Android apps collectively called CallPhantom on Google Play. The apps claimed they could retrieve call logs, SMS records, and WhatsApp call history for any phone number. The apps were downloaded more than 7.3 million times before Google removed them. The scams relied on app names that made the offer clear, screenshots that implied real call-history results, and store pages with enough polish to appear legitimate. ESET found the “call history” data was entirely fabricated, generated by pairing random phone numbers with fixed names and embedded call times and durations. Some apps showed partial results or requested an email address before prompting payment for full access.
Read at TechRepublic