There is no such thing as a app that allows you to pull up another person’s name historical past. There by no means has been, and there nearly actually by no means will probably be — carriers don’t expose that knowledge, and no third-party developer has the entry required to retrieve it. This isn’t a gray space; it’s merely not potential. And but, 7.3 million individuals, in response to welivesecurity have downloaded apps that claimed to do precisely that.
Safety researchers at ESET spent months untangling a sprawling household of 28 fraudulent Android apps they collectively dubbed CallPhantom — apps that promised customers a window into anybody’s telephone exercise: name logs, SMS information, even WhatsApp historical past. Enter a quantity, pay a small payment, and the secrets and techniques of whoever you had been trying up would supposedly come spilling out. What really got here out was fiction — random telephone numbers dressed up with hardcoded names and timestamps, generated by the app itself, designed to look simply convincing sufficient to look actual. The payoff is that customers solely noticed this faux knowledge after they’d already paid. That sequencing wasn’t unintentional.
Google Play Retailer had a critical blind spot right here
All 28 apps sat on the Google Play Retailer lengthy sufficient to build up hundreds of thousands of downloads. One in every of them was revealed beneath the title “Indian gov.in,” a developer deal with implying authorities legitimacy it had no proper to assert. A number of had assessment sections stuffed with customers explicitly writing that they’d been scammed, and people warnings coexisted with clusters of suspiciously enthusiastic five-star opinions that saved the rankings trying respectable.
ESET flagged the complete set to Google in December 2025, and the apps had been eliminated. However the removing got here from an exterior report, not from Google catching one thing itself. For a platform that has invested closely in automated menace detection and the App Protection Alliance framework, letting 28 variants of the identical rip-off — all promising the identical technically not possible characteristic — accumulate hundreds of thousands of downloads is a big hole.
Some apps made issues worse by bypassing Google’s cost infrastructure fully, routing customers to third-party UPI transactions or to direct card entry fields embedded within the app. That’s a violation of Play Retailer coverage, nevertheless it additionally means Google can’t situation refunds to these customers. Anybody who paid outdoors the official billing system has to chase down the cost supplier themselves, or the builders, who, it goes with out saying, are usually not notably motivated to assist.
The apps labored as a result of the pitch was irresistible
The extra uncomfortable a part of this story is what drove 7.3 million downloads within the first place. These apps didn’t provide cloud storage or a brand new strategy to edit images. They supplied one thing individuals really wished badly sufficient to pay for: the flexibility to spy on somebody — a associate, an ex, an adolescent, or a enterprise contact. Regardless of the cause, there was clearly a big and prepared viewers for the concept.
The apps leaned into that want with ruthless precision. They preselected India’s +91 nation code by default and supported UPI funds, which alerts that the scammers understood their goal demographic effectively. Subscription tiers ranged from a couple of euros per week to $80 a 12 months, giving customers choices that felt like a reliable service and catered to completely different wants. One app, when a person tried to exit with out paying, despatched a faux push notification styled to appear like an e-mail had simply arrived with the outcomes — a last-ditch nudge that led straight again to the paywall.
It labored as a result of curiosity is a strong factor, and the apps had been designed by individuals who understood that. Strip away the technical scaffolding and what you could have is a really previous rip-off: cost somebody for one thing they desperately need, give them a plausible-looking nothing, and depend on embarrassment to maintain them from complaining too loudly.
For anybody caught up on this, subscriptions processed via Google Play’s official system might be canceled — and probably refunded — via the Play Retailer’s cost settings. All the things else is a more durable dialog with whoever processed the cost.
