ESET researchers have published analysis of a large-scale Android application fraud campaign they track as CodedCallPhantom, involving 28 fraudulent applications on the Google Play Store that collectively accumulated 7.3 million downloads before removal. The applications were marketed as tools for accessing remote call logs, SMS history, and WhatsApp message records — presented as parental monitoring, spouse tracking, or employee monitoring utilities.
The fraud mechanism is straightforward: the apps charge users subscription fees (typically $4.99–$19.99 per month) for access to call and message history records that the apps cannot actually retrieve. After payment, users are shown fabricated “data” — algorithmically generated fake call logs, SMS messages, and contact lists — while the app collects the requesting user’s own device information for sale to data brokers.
Campaign Structure
App categories: The 28 apps span three distinct user segments:
- Parental control apps (largest category — “Monitor Your Child’s Calls”)
- Partner/spouse monitoring apps (“Track Your Partner’s WhatsApp — Discreetly”)
- Employee device monitoring apps (“Corporate Device Call Logger”)
All three segments exploit users who want to monitor someone else’s device — and who, in attempting to do so, are unlikely to discuss their use of the app with the target, making the fraud harder to discover.
The largest single app in the campaign accumulated over 3 million downloads, making it one of the most-downloaded individual fake apps ESET has identified. The apps maintained ratings between 3.8 and 4.2 stars through a combination of purchased positive reviews and suppression of negative reviews via the developer response system.
Geographic targeting: India accounted for approximately 41% of downloads, followed by Indonesia (12%), Bangladesh (8%), and other South and South-East Asian markets. The geographic focus reflects both market size and relatively weaker consumer protection enforcement in these jurisdictions compared to EU and US markets.
Data Collection Beyond the Fraud
Beyond the direct financial fraud, the apps collected substantive personal data from users:
- Device identifiers (IMEI, Android ID, advertising ID)
- Contact list
- SMS metadata (sender/recipient numbers, timestamps — not content)
- Location data
- Installed application list
This data was transmitted to data broker infrastructure alongside the user’s subscription payment information. The combination of identity data, device identifiers, and payment information creates a profile valuable for follow-on phishing, SIM swap targeting, and payment fraud.
Google Play Store Response
Google has removed all 28 identified applications and banned the associated developer accounts. The operators followed a pattern of registering new developer identities whenever previous accounts were removed, which defeats enforcement that is applied only at the account level.
Google’s Play Protect service has been updated to detect and flag the CodedCallPhantom family. Users who have installed any of the 28 identified apps should:
- Immediately cancel any subscriptions via the Google Play subscription management interface (play.google.com/store/account/subscriptions)
- Contact their payment card provider to dispute charges if the subscription was active
- Uninstall the app and run a Play Protect scan
- Review the permissions the app held and treat the data those permissions reach (contacts, location, device identifiers, SMS metadata, installed apps) as already collected
A full list of the 28 app package names and Play Store identifiers is available in ESET’s full research publication.
Enterprise Context
For enterprise mobile device management programmes: the CodedCallPhantom campaign affects personal Android devices more than managed corporate devices (which typically restrict non-MDM-approved apps). However, BYOD programmes where personal devices access corporate email and data create indirect risk: a compromised personal device’s contact list may include corporate contacts whose names and numbers are now held by fraudulent data brokers, and the same users are plausible targets for the follow-on phishing and SIM swap attempts described above.
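For teams that need to act on the remediation steps above at fleet scale (a helpdesk checking BYOD devices enrolled in an MDM, or an analyst triaging a single handset), the following is an added example, not tooling from ESET or Google. It sweeps an exported `adb shell pm list packages` inventory against a package-name list and pulls the requested permissions out of `adb shell dumpsys package <pkg>` output, mapping them onto the data categories the article says the apps collected. The package names in `IOC_PACKAGES` are placeholders (ESET’s real list of 28 is in its publication and is not reproduced here), the `dumpsys` layout is assumed from current Android builds, and both sample inputs are constructed.

```python
"""Sweep an Android package inventory for known-bad package names and report
which collection-relevant permissions each hit requested.

Added example (not ESET's or Google's code). IOC_PACKAGES holds hypothetical
placeholder names; substitute the package list from ESET's publication.
"""
import re

# Permissions that correspond to the data categories the article lists as
# collected: contacts, SMS metadata, location, installed apps, device IDs.
COLLECTION_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_PHONE_STATE": "device_ids",
    "android.permission.QUERY_ALL_PACKAGES": "installed_apps",
}

# Hypothetical placeholder IOCs; not real package names from the campaign.
IOC_PACKAGES = frozenset({
    "com.example.childcallmonitor",
    "com.example.partnerwhatsapptracker",
})

# `pm list packages` (without -f) prints one "package:<name>" per line.
PM_LINE = re.compile(r"^package:(?P<pkg>[\w.]+)$")


def parse_pm_list(text: str) -> set[str]:
    """Return the package names found in `pm list packages` output."""
    found = set()
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            found.add(m.group("pkg"))
    return found


def flagged_packages(inventory_text: str, iocs=IOC_PACKAGES) -> list[str]:
    """Installed packages that appear in the IOC list, sorted."""
    return sorted(parse_pm_list(inventory_text) & set(iocs))


def requested_permissions(dumpsys_text: str) -> set[str]:
    """Extract the 'requested permissions:' block from `dumpsys package` output.

    Assumed layout: the header line is followed by more-indented permission
    names; the block ends at the next line indented at or above the header.
    """
    perms = set()
    header_indent = None
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if header_indent is None:
            if stripped == "requested permissions:":
                header_indent = len(line) - len(line.lstrip())
            continue
        if not stripped:
            continue
        if len(line) - len(line.lstrip()) <= header_indent:
            break
        # Some builds append ": granted=..." or similar; keep the name only.
        perms.add(stripped.split(":")[0])
    return perms


def collection_exposure(dumpsys_text: str) -> list[str]:
    """Data categories reachable through the permissions the package requested."""
    perms = requested_permissions(dumpsys_text)
    return sorted({COLLECTION_PERMISSIONS[p] for p in perms
                   if p in COLLECTION_PERMISSIONS})


# Constructed sample inputs standing in for real adb output.
SAMPLE_PM_LIST = """\
package:com.android.chrome
package:com.example.childcallmonitor
package:com.corp.mdmagent
"""

SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.childcallmonitor] (1a2b3c):
    userId=10231
    versionName=2.4.1
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.READ_SMS
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_PHONE_STATE
      android.permission.QUERY_ALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    for pkg in flagged_packages(SAMPLE_PM_LIST):
        print(f"FLAGGED {pkg}: exposes {collection_exposure(SAMPLE_DUMPSYS)}")
```

In practice the two text inputs come from `adb shell pm list packages` and `adb shell dumpsys package <pkg>` (or the equivalent inventory export from the MDM), and a hit should trigger the subscription cancellation, card dispute and Play Protect steps listed above rather than just a log line.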