{"id":327,"date":"2026-05-08T08:53:20","date_gmt":"2026-05-08T08:53:20","guid":{"rendered":"https:\/\/escudodigital.uy\/index.php\/2026\/05\/08\/how-callphantom-tricks-android-users\/"},"modified":"2026-05-08T08:53:20","modified_gmt":"2026-05-08T08:53:20","slug":"how-callphantom-tricks-android-users","status":"publish","type":"post","link":"https:\/\/escudodigital.uy\/index.php\/2026\/05\/08\/how-callphantom-tricks-android-users\/","title":{"rendered":"How CallPhantom tricks Android users"},"content":{"rendered":"<div>\n<p>There\u2019s an app for everything nowadays\u2026 right? Well, looking up call records for a phone number of choice is <em>not<\/em> one of those things, as potentially millions of Android users found out after paying for app subscriptions promising just that.<\/p>\n<p>The offending apps, which we named CallPhantom based on their false claims, purport to provide access to call histories, SMS records, and even WhatsApp call logs for <em>any<\/em> phone number. To unlock this supposed feature, users are asked to pay \u2013 but all they get in return is randomly generated data.<\/p>\n<p>Our investigation identified 28 such fraudulent apps available on the Google Play store, cumulatively downloaded more than 7.3 million times. 
As an App Defense Alliance partner, we reported our findings to Google, which removed all of the apps identified in this report from Google Play.<\/p>\n<blockquote>\n<p><strong>Key points of this blogpost:<\/strong><\/p>\n<ul>\n<li>A new Android scam, CallPhantom, falsely claims to provide access to call logs, SMS records, and WhatsApp call history for any phone number in exchange for payment.<\/li>\n<li>We identified and reported 28 CallPhantom apps on Google Play, cumulatively downloaded more than 7.3 million times.<\/li>\n<li>Some CallPhantom apps sidestep Google Play\u2019s official billing system, complicating victims\u2019 refund efforts.<\/li>\n<\/ul>\n<\/blockquote>\n<h2>Investigation<\/h2>\n<p>In November 2025, we came across a Reddit <a href=\"https:\/\/www.reddit.com\/r\/IndiaTech\/comments\/1on69g4\/guys_look_what_i_found_on_playstore\">post<\/a> discussing an app named Call History of Any Number, found on Google Play. The app, shown in Figure 1, claims that it can retrieve the call history of any phone number supplied by the user. It was published under the developer name <span style=\"font-family: courier new, courier, monospace;\">Indian gov.in<\/span>, but the app has no real association with the Indian government.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 1. Call History of Any Number app on Google Play\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/05-26\/callphantom\/figure-1.jpg\" alt=\"Figure 1. Call History of Any Number app on Google Play\" width=\"\" height=\"\"\/><figcaption><em>Figure 1. Call History of Any Number app on Google Play<\/em><\/figcaption><\/figure>\n<p>Unsurprisingly, our analysis showed that the \u201ccall history\u201d data provided by this app is entirely fabricated \u2013 the app generates random phone numbers and matches them with fixed names, call times, and call durations, which were embedded directly in the code, as shown in Figure\u00a02. 
This fake data is then presented to victims \u2013 but only after payment.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 2. Hardcoded call log data used by the app\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/05-26\/callphantom\/figure-2.png\" alt=\"Figure 2. Hardcoded call log data used by the app\" width=\"\" height=\"\"\/><figcaption><em>Figure 2. Hardcoded call log data used by the app<\/em><\/figcaption><\/figure>\n<p>A screenshot of the fabricated call history data was even included in the app\u2019s listing, presented as a demonstration of the app\u2019s functionality, as shown in Figure\u00a03.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 3. Screenshots from Google Play seemingly demonstrating the fraudulent app\u2019s functionality; the logs are randomly generated from hardcoded data\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/05-26\/callphantom\/figure-3.jpg\" alt=\"Figure 3. Screenshots from Google Play\" width=\"\" height=\"\"\/><figcaption><em>Figure 3. Screenshots from Google Play seemingly demonstrating the fraudulent app\u2019s functionality; the logs are randomly generated from hardcoded data<\/em><\/figcaption><\/figure>\n<p>Further research revealed additional, related apps available on the Play Store \u2013 28 CallPhantom apps altogether. We reported the full set of fraudulent apps to Google on December 16<sup>th<\/sup>, 2025. At the time of publication, all the reported apps have been removed from the store.<\/p>\n<p>Despite visual differences, which can be seen in Figure\u00a04 and Figure\u00a05, the purpose of the apps is identical: generate fake communication data and charge victims for access. The table in the <em><a href=\"#Analyzed CallPhantom apps\">Analyzed CallPhantom apps<\/a> <\/em>section lists each app along with its key details, including the download count.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 4. 
Examples of CallPhantom apps found on the Play Store\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/05-26\/callphantom\/figure-4.png\" alt=\"Figure 4. Examples of CallPhantom apps found on the Play Store\" width=\"\" height=\"\"\/><figcaption><em>Figure 4. Examples of CallPhantom apps found on the Play Store<\/em><\/figcaption><\/figure>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 5. Examples of CallPhantom initial screens\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/05-26\/callphantom\/figure-5.jpg\" alt=\"Figure 5. Examples of CallPhantom initial screens\" width=\"\" height=\"\"\/><figcaption><em>Figure 5. Examples of CallPhantom initial screens<\/em><\/figcaption><\/figure>\n<h2>Campaign overview<\/h2>\n<p>The CallPhantom apps we found on Google Play mainly targeted Android users in India and the broader Asia\u2011Pacific region. Many of the apps came with India\u2019s +91 country code preselected and support <a href=\"https:\/\/www.digitalindia.gov.in\/initiative\/unified-payment-interface-upi\/\">UPI<\/a>, a payment system used primarily in India.<\/p>\n<p>The apps had garnered numerous negative reviews, with victims reporting that they were scammed and never received the promised data, as can be seen in Figure\u00a06.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 6. Negative reviews for one of the fraudulent apps\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/05-26\/callphantom\/figure-6.png\" alt=\"Figure 6. Negative reviews for one of the fraudulent apps\" width=\"\" height=\"\"\/><figcaption><em>Figure 6. Negative reviews for one of the fraudulent apps<\/em><\/figcaption><\/figure>\n<p>It is not clear how the apps were distributed or promoted. Presumably, by seemingly offering insight into private information, the scammers successfully took advantage of people\u2019s curiosity. 
Combined with a few glowing (fake) reviews, it might have seemed like an intriguing offer.<\/p>\n<h2>CallPhantom overview<\/h2>\n<p>In our investigation, we identified two main clusters of these fraudulent apps.<\/p>\n<p>The apps in the <strong>first cluster<\/strong> contain hardcoded names, country codes, and templates in their code, as shown in Figure\u00a07. These are combined with randomly generated phone numbers and shown to the user as partial \u201cresults\u201d. To view the full (fake) history, the victim has to pay.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 7. Code responsible for generating messages\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/05-26\/callphantom\/figure-7.png\" alt=\"Figure 7. Code responsible for generating messages\" width=\"\" height=\"\"\/><figcaption><em>Figure 7. Code responsible for generating messages<\/em><\/figcaption><\/figure>\n<p>The apps in the <strong>second cluster<\/strong> ask users to enter an email address where the \u201cretrieved\u201d call history would supposedly be delivered, as seen in the screenshots in Figure\u00a08. No data generation occurs until after payment; users have to pay or subscribe before any email would supposedly be sent.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 8. CallPhantom requests the user\u2019s email address where call logs would supposedly be delivered\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/05-26\/callphantom\/figure-8.jpg\" alt=\"Figure 8. CallPhantom requests the user\u2019s email address\" width=\"\" height=\"\"\/><figcaption><em>Figure 8. CallPhantom requests the user\u2019s email address where call logs would supposedly be delivered<\/em><\/figcaption><\/figure>\n<p>In general, CallPhantom apps have a simple user interface and do not request any intrusive or sensitive permissions \u2013 they don\u2019t need to. 
Coincidentally, they do not contain any functionality capable of retrieving real call, SMS, or WhatsApp data.<\/p>\n<p>In the CallPhantom apps we analyzed, we saw three different payment methods used, the latter two of which are in violation of Google Play\u2019s <a href=\"https:\/\/support.google.com\/googleplay\/android-developer\/answer\/10281818?hl=en\" target=\"_blank\" rel=\"noopener\">payments policy<\/a>.<\/p>\n<p>First, some of the apps relied on subscriptions via Google Play\u2019s official billing system. This is required of apps offering in-app purchases, per Google Play\u2019s payments policy; such purchases are covered by Google\u2019s <a href=\"https:\/\/support.google.com\/googleplay\/answer\/15574897?hl=en\" target=\"_blank\" rel=\"noopener\">refund protection<\/a>.<\/p>\n<p>Second, some of the apps relied on payments via third-party apps that support UPI. For these third-party payment apps, CallPhantom apps either included hardcoded URLs or fetched the URLs dynamically from a Firebase realtime database, meaning the payment account could be changed at any time by the operator.<\/p>\n<p>Third, in some cases, payment card checkout forms were included directly in the CallPhantom apps.<\/p>\n<p>Examples of the payment methods can be seen in Figure\u00a09.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 9. Various payment options used by CallPhantom apps\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/05-26\/callphantom\/figure-9.jpg\" alt=\"Figure 9. Various payment options used by CallPhantom apps\" width=\"\" height=\"\"\/><figcaption><em>Figure 9. Various payment options used by CallPhantom apps<\/em><\/figcaption><\/figure>\n<p>In one case, we observed an additional tactic used to coax the user into paying: if the user exited the app without payment, the app displayed deceptive alerts styled as new emails claiming that the call history results had arrived \u2013 see Figure\u00a010. 
Clicking the notification led straight to a subscription screen.<\/p>\n<figure class=\"image\"><img decoding=\"async\" style=\"width: 60%; margin: 0 auto; display: block;\" title=\"Figure 10. Deceptive notification displayed by CallPhantom to persuade users to subscribe\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/05-26\/callphantom\/figure-10.png\" alt=\"Figure 10. Deceptive notification displayed by CallPhantom to persuade users to subscribe\" width=\"\" height=\"\"\/><figcaption><em>Figure 10. Deceptive notification displayed by CallPhantom to persuade users to subscribe<\/em><\/figcaption><\/figure>\n<p>The fees requested for the fake service differ widely across the apps. The apps also appear to offer different subscription packages, such as weekly, monthly, or yearly services, with the highest requested price sitting at US$80. For the lowest \u201csubscription tier\u201d, the average requested price was \u20ac5.<\/p>\n<h2>What to do if you have been scammed<\/h2>\n<p>In general, subscriptions purchased through the official Google Play billing system can be canceled in the Play Store app by tapping your profile icon, navigating to Payments &amp; subscriptions \u2192 Subscriptions, selecting the active subscription, and tapping Cancel subscription. Google explains the full process on its <a href=\"https:\/\/support.google.com\/googleplay\/answer\/7018481\" target=\"_blank\" rel=\"noopener\">Cancel, pause, or change a subscription on Google Play<\/a> page.<\/p>\n<p>For the 28 apps described in this blogpost, existing subscriptions were canceled when the apps were removed from Google Play.<\/p>\n<p>In some cases, refunds for Google Play purchases are possible. Google may issue a refund depending on the time since purchase, the type of item, and its refund policy. 
In general, requests must be made within the allowed refund window as described on Google\u2019s <a href=\"https:\/\/support.google.com\/googleplay\/answer\/15574897?hl=en\" target=\"_blank\" rel=\"noopener\">support page<\/a>.<\/p>\n<p>If the purchase was made outside Google Play \u2013 for example, by entering payment card details inside the app or by paying through third\u2011party services \u2013 then Google cannot cancel the subscription or issue a refund, and users have to contact the payment provider or the app developer directly.<\/p>\n<h2>Conclusion<\/h2>\n<p>We identified a new cluster of fraudulent Android apps on Google Play that collectively amassed over 7.3 million downloads before being taken down upon notification by ESET. These apps, which we collectively named CallPhantom, falsely promise to retrieve call logs, SMS records, and WhatsApp call history for any phone number, a technically impossible claim designed solely to exploit people\u2019s curiosity and mislead them into paying.<\/p>\n<p>Many of the apps circumvented Google Play\u2019s official billing system, pushing users toward third\u2011party payments or direct card entry, complicating refund efforts and exposing victims to financial risk.<\/p>\n<p>Our analysis revealed that the \u201cresults\u201d shown to victims are entirely fabricated, often using hardcoded Indian numbers, predefined names, and generated timestamps disguised as real communication data.<\/p>\n<p>Users who subscribed via official Google Play billing may be eligible for refunds under Google\u2019s refund policies. 
Purchases made via third\u2011party payment apps or through direct payment card entry cannot be refunded by Google, leaving users dependent on external payment providers or developers.<\/p>\n<blockquote>\n<div><em>For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.<\/em><\/div>\n<\/blockquote>\n<h2>Analyzed CallPhantom apps<a id=\"Analyzed CallPhantom apps\"\/><\/h2>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"187\"><strong>App name<\/strong><\/td>\n<td width=\"360\"><strong>Package name<\/strong><\/td>\n<td width=\"93\"><strong>Number of downloads<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"187\">Call history : any number deta<\/td>\n<td width=\"360\"><span style=\"font-family: courier new, courier, monospace;\">calldetaila.ndcallhisto.rytogetan.ynumber<\/span><\/td>\n<td width=\"93\">3M+<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">Call History of Any Number<\/td>\n<td width=\"360\"><span style=\"font-family: courier new, courier, monospace;\">com.pixelxinnovation.manager<\/span><\/td>\n<td width=\"93\">1M+<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">Call Details of Any Number<\/td>\n<td width=\"360\"><span style=\"font-family: courier new, courier, monospace;\">com.app.call.detail.history<\/span><\/td>\n<td width=\"93\">1M+<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">Call History Any Number Detail<\/td>\n<td width=\"360\"><span style=\"font-family: 
courier new, courier, monospace;\">sc.call.ofany.mobiledetail<\/span><\/td>\n<td width=\"93\">500K+<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">Call History Any Number Detail<\/td>\n<td width=\"360\"><span style=\"font-family: courier new, courier, monospace;\">com.cddhaduk.callerid.block.contact<\/span><\/td>\n<td width=\"93\">500K+<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">Call History Of Any Number<\/td>\n<td width=\"360\"><span style=\"font-family: courier new, courier, monospace;\">com.basehistory.historydownloading<\/span><\/td>\n<td width=\"93\">500K+<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">Call History of Any Numbers<\/td>\n<td width=\"360\"><span style=\"font-family: courier new, courier, monospace;\">com.call.of.any.number<\/span><\/td>\n<td width=\"93\">100K+<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">Call History Of Any Number<\/td>\n<td width=\"360\"><span style=\"font-family: courier new, courier, monospace;\">com.rajni.callhistory<\/span><\/td>\n<td width=\"93\">100K+<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">Call History Any Number Detail<\/td>\n<td width=\"360\"><span style=\"font-family: courier new, courier, monospace;\">com.callhistory.calldetails.callerids.calle<wbr\/>rhistory.callhostoryanynumber.getcall.histo<wbr\/>ry.callhistorymanager<\/span><\/td>\n<td width=\"93\">100K+<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">Call History Any Number Detail<\/td>\n<td width=\"360\"><span style=\"font-family: courier new, courier, monospace;\">com.callinformative.instantcall<wbr\/>history.callhistorybluethem.callinfo<\/span><\/td>\n<td width=\"93\">100K+<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">Call History Any Number detail<\/td>\n<td width=\"360\"><span style=\"font-family: courier new, courier, monospace;\">com.call.detail.caller.history<\/span><\/td>\n<td width=\"93\">100K+<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">Call History Any Number Detail<\/td>\n<td width=\"360\"><span style=\"font-family: courier new, courier, 
monospace;\">com.anycallinformation.datadetailswho.calli<wbr\/>nfo.numberfinder<\/span><\/td>\n<td width=\"93\">100K+<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">Call History Any Number Detail<\/td>\n<td width=\"360\"><span style=\"font-family: courier new, courier, monospace;\">com.callhistory.callhistoryyourgf<\/span><\/td>\n<td width=\"93\">100K+<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">Call History Any Number<\/td>\n<td width=\"360\"><span style=\"font-family: courier new, courier, monospace;\">com.calldetails.smshistory.callhistoryofany<wbr\/>number<\/span><\/td>\n<td width=\"93\">50K+<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">Call History Any Number Detail<\/td>\n<td width=\"360\"><span style=\"font-family: courier new, courier, monospace;\">com.callhistory.anynumber.chapfvor.history<\/span><\/td>\n<td width=\"93\">50K+<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">Call History of Any Number<\/td>\n<td width=\"360\"><span style=\"font-family: courier new, courier, monospace;\">com.callhistory.callhistoryany.call<\/span><\/td>\n<td width=\"93\">50K+<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">Call History Any Number Detail<\/td>\n<td width=\"360\"><span style=\"font-family: courier new, courier, monospace;\">com.name.factor<\/span><\/td>\n<td width=\"93\">50K+<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">Call History Of Any Number<\/td>\n<td width=\"360\"><span style=\"font-family: courier new, courier, monospace;\">com.getanynumberofcallhistory.callhistoryof<wbr\/>anynumber.findcalldetailsofanynumber<\/span><\/td>\n<td width=\"93\">50K+<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">Call History Of Any Number<\/td>\n<td width=\"360\"><span style=\"font-family: courier new, courier, monospace;\">com.chdev.callhistory<\/span><\/td>\n<td width=\"93\">10K+<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">Phone Call History Tracker<\/td>\n<td width=\"360\"><span style=\"font-family: courier new, courier, monospace;\">com.phone.call.history.tracker<\/span><\/td>\n<td width=\"93\">10K+<\/td>\n<\/tr>\n<tr>\n<td 
width=\"187\">Call History- Any Number Deta<\/td>\n<td width=\"360\"><span style=\"font-family: courier new, courier, monospace;\">com.pdf.maker.pdfreader.pdfscanner<\/span><\/td>\n<td width=\"93\">10K+<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">Call History Of Any Number<\/td>\n<td width=\"360\"><span style=\"font-family: courier new, courier, monospace;\">com.any.numbers.calls.history<\/span><\/td>\n<td width=\"93\">10K+<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">Call History Any Number Detail<\/td>\n<td width=\"360\"><span style=\"font-family: courier new, courier, monospace;\">com.callapp.historyero<\/span><\/td>\n<td width=\"93\">1K+<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">Call History &#8211; Any Number Data<\/td>\n<td width=\"360\"><span style=\"font-family: courier new, courier, monospace;\">all.callhistory.detail<\/span><\/td>\n<td width=\"93\">500+<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">Call History For Any Number<\/td>\n<td width=\"360\"><span style=\"font-family: courier new, courier, monospace;\">com.easyranktools.callhistoryforanynumber<\/span><\/td>\n<td width=\"93\">100+<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">Call History of Numbers<\/td>\n<td width=\"360\"><span style=\"font-family: courier new, courier, monospace;\">com.sbpinfotech.findlocationofanynumber<\/span><\/td>\n<td width=\"93\">100+<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">Call History of Any Number<\/td>\n<td width=\"360\"><span style=\"font-family: courier new, courier, monospace;\">callhistoryeditor.callhistory.numberdetails<wbr\/>.calleridlocator<\/span><\/td>\n<td width=\"93\">50+<\/td>\n<\/tr>\n<tr>\n<td width=\"187\">Call History Pro<\/td>\n<td width=\"360\"><span style=\"font-family: courier new, courier, monospace;\">com.all_historydownload.anynumber.callhisto<wbr\/>rybackup<\/span><\/td>\n<td width=\"93\">50+<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>IoCs<\/h2>\n<p>A comprehensive list of indicators of compromise (IoCs) and samples can be found in <a 
href=\"https:\/\/github.com\/eset\/malware-ioc\/tree\/master\/callphantom\" target=\"_blank\" rel=\"noopener\">our GitHub repository<\/a>.<\/p>\n<h3>Network<\/h3>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" 
cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"167\"><strong>IP<\/strong><\/td>\n<td width=\"227\"><strong>Domain<\/strong><\/td>\n<td width=\"129\"><strong>Hosting provider<\/strong><\/td>\n<td width=\"107\"><strong>First seen<\/strong><\/td>\n<td width=\"107\"><strong>Details<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"167\"><span style=\"font-family: courier new, courier, monospace;\">34.120.160[.]131<\/span><\/td>\n<td width=\"227\">\n<p><span style=\"font-family: courier new, courier, monospace;\">call-history-7cda4-defau<wbr\/>lt-rtdb.firebaseio[.]com<\/span><\/p>\n<p><span style=\"font-family: courier new, courier, monospace;\">call-history-ecc1e-defau<wbr\/>lt-rtdb.firebaseio[.]com<\/span><\/p>\n<\/td>\n<td width=\"129\">Google LLC<\/td>\n<td width=\"107\">2025\u201105\u201114<\/td>\n<td width=\"107\">CallPhantom C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"167\"><span style=\"font-family: courier new, courier, monospace;\">34.120.206[.]254<\/span><\/td>\n<td width=\"227\">\n<p><span style=\"font-family: courier new, courier, monospace;\">ch-ap-4-default-rtdb.fir<wbr\/>ebaseio[.]com<\/span><\/p>\n<p><span style=\"font-family: courier new, courier, monospace;\">chh1-ac0a3-default-rtdb.<wbr\/>firebaseio[.]com<\/span><\/p>\n<\/td>\n<td width=\"129\">Google LLC<\/td>\n<td width=\"107\">2025\u201104\u201117<\/td>\n<td width=\"107\">CallPhantom C&amp;C server.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>MITRE ATT&amp;CK techniques<\/h2>\n<p>This table was built using <a href=\"https:\/\/attack.mitre.org\/resources\/versions\/\">version 18<\/a> of the MITRE ATT&amp;CK framework.<\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"113\"><strong>Tactic<\/strong><\/td>\n<td width=\"113\"><strong>ID<\/strong><\/td>\n<td width=\"151\"><strong>Name<\/strong><\/td>\n<td width=\"265\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td 
width=\"113\"><strong>Command and Control<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1437\/001\">T1437.001<\/a><\/td>\n<td width=\"151\">Application Layer Protocol: Web Protocols<\/td>\n<td width=\"265\">CallPhantom uses Firebase Cloud Messaging for C&amp;C communication.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Impact<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1643\">T1643<\/a><\/td>\n<td width=\"151\">Generate Traffic from Victim<\/td>\n<td width=\"265\">CallPhantom tries to achieve fraudulent billing.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>There\u2019s an app for everything nowadays\u2026 right? 
Well, looking up call records for a phone number of choice<\/p>\n","protected":false},"author":1,"featured_media":328,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-327","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts\/327","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/comments?post=327"}],"version-history":[{"count":0,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts\/327\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/media\/328"}],"wp:attachment":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/media?parent=327"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/categories?post=327"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/tags?post=327"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}