"CallPhantom": Fraudulent Android apps scam the curious
The apps in the "CallPhantom" campaign promise to provide call history for any number for a fee. The data is fabricated.
IT researchers from Eset have uncovered a malware campaign called “CallPhantom,” in which the masterminds behind the Android apps promise to provide call history for any number. Millions of users actually paid for this, only to receive fabricated data in the end.
In a post, the malware analysts write that the apps claim to be able to access and make available SMS histories and even WhatsApp call logs for any phone number. However, interested parties had to pay or subscribe for this. According to Eset, several million users of 28 such apps did just that. They were available for download on the Google Play Store, where they were downloaded and installed a total of around 7.3 million times. After being informed by the antivirus company, Google has now removed the apps.
The trigger was an app called “Call History of Any Number,” whose app store screenshots also showed a list of alleged call history. These entries were faked as well. The malware analysts' examination revealed that the app generates random phone numbers and pairs them with fixed names, times, and call durations taken from its source code. A payment was necessary to view the data.
28 fraudulent apps
In mid-December last year, Eset reported the 28 apps with similar behavior to Google; all have since been removed from the Play Store. The individual apps differed significantly in appearance. They all specifically targeted users in India and other regions in the Asia-Pacific. The country code +91 for India was often preset in the apps. In addition to Google Store payment methods, they also supported UPI, which is commonly used in India.
The reviews included user complaints that the apps were a scam, for example: users had paid but received no real data. Eset researchers estimate that the prospect of secretly gaining insight into other people's private communication data was tempting enough for some to install the apps anyway. Some positive reviews, which also gave IT researchers a false impression, may have contributed to this.
Users could purchase regular in-app subscriptions through the Google billing system; money transferred through this channel may be recoverable. Other payment methods using UPI or directly integrated credit card forms violate Google's policies, and money paid through them is likely lost in any case. Some apps were quite aggressive with their advertising. If users closed them without paying, notifications appeared on the smartphone in the style of newly arrived emails. However, clicking on them did not take interested parties to available data but to the subscription screen of the fraudulent app.
Eset researchers also provide a list of the 28 apps found and their hashes. The most popular was “Call history: any number deta” (calldetaila.ndcallhisto.rytogetan.ynumber) with over 3 million downloads, followed by Call History of Any Number (com.pixelxinnovation.manager) and Call Details of Any Number (com.app.call.detail.history), each with over a million downloads. Interested parties can use the list to check if they have installed the malware and then uninstall it.
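One way to run that check over a connected phone's package list, as an added example that is not from the article or from Eset. It covers only the three package names quoted above (the full list of 28 is in Eset's report), and the sample package listing, including the near-miss name, is constructed for illustration.

```shell
#!/bin/sh
# Package names quoted in the article (3 of the 28 apps Eset lists).
CALLPHANTOM_PKGS='calldetaila.ndcallhisto.rytogetan.ynumber
com.pixelxinnovation.manager
com.app.call.detail.history'

# find_callphantom: reads `pm list packages` output on stdin and prints
# every installed package that exactly matches a listed name.
# Exit status is 0 if at least one match was found, 1 otherwise.
find_callphantom() {
    # adb output may use CRLF line endings; strip CR, then drop the
    # "package:" prefix. -F treats dots literally and -x requires a
    # whole-line match, so look-alike names are not reported.
    tr -d '\r' | sed -n 's/^package://p' | grep -Fx -e "$CALLPHANTOM_PKGS"
}

# Constructed sample of `adb shell pm list packages` output.
# The ".pro" entry is an invented near-miss that must NOT match.
sample_pm_output() {
    printf 'package:com.android.chrome\r\n'
    printf 'package:com.pixelxinnovation.manager\r\n'
    printf 'package:com.app.call.detail.history.pro\r\n'
    printf 'package:com.whatsapp\r\n'
}

# Demo on the constructed sample. On a real device, replace
# sample_pm_output with:  adb shell pm list packages
hits=$(sample_pm_output | find_callphantom) || true
if [ -n "$hits" ]; then
    for pkg in $hits; do
        echo "listed app installed: $pkg (remove with: adb uninstall $pkg)"
    done
else
    echo "none of the listed packages found"
fi
```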
Malware in smartphone app stores is not uncommon. Last August, for example, Zscaler's ThreatLabz found 77 malware apps with 19 million installations that delivered the Anatsa malware to phones. However, the newly discovered “CallPhantom” campaign apparently contained no malware functionality; instead, the perpetrators simply exploited the victims' intrusive curiosity to trick them into making payments.
(dmk)