There isn’t a app that allows you to pull up another person’s name historical past. There by no means has been, and there nearly actually by no means shall be — carriers don’t expose that information, and no third-party developer has the entry required to retrieve it. This isn’t a gray space; it’s merely not doable. And but, 7.3 million folks, based on welivesecurity have downloaded apps that claimed to do precisely that.
Safety researchers at ESET spent months untangling a sprawling household of 28 fraudulent Android apps they collectively dubbed CallPhantom — apps that promised customers a window into anybody’s telephone exercise: name logs, SMS information, even WhatsApp historical past. Enter a quantity, pay a small charge, and the secrets and techniques of whoever you had been trying up would supposedly come spilling out. What really got here out was fiction — random telephone numbers dressed up with hardcoded names and timestamps, generated by the app itself, designed to look simply convincing sufficient to appear actual. The payoff is that customers solely noticed this pretend information after they’d already paid. That sequencing wasn’t unintentional.
Google Play Retailer had a critical blind spot right here
All 28 apps sat on the Google Play Retailer lengthy sufficient to build up thousands and thousands of downloads. Certainly one of them was revealed below the identify “Indian gov.in,” a developer deal with implying authorities legitimacy it had no proper to assert. A number of had evaluation sections filled with customers explicitly writing that they’d been scammed, and people warnings coexisted with clusters of suspiciously enthusiastic five-star evaluations that stored the rankings trying respectable.
WeLiveSecurity
ESET flagged the total set to Google in December 2025, and the apps had been eliminated. However the removing got here from an exterior report, not from Google catching one thing itself. For a platform that has invested closely in automated risk detection and the App Protection Alliance framework, letting 28 variants of the identical rip-off — all promising the identical technically unimaginable characteristic — accumulate thousands and thousands of downloads is a major hole.
Some apps made issues worse by bypassing Google’s fee infrastructure completely, routing customers to third-party UPI transactions or to direct card entry fields embedded within the app. That’s a violation of Play Retailer coverage, but it surely additionally means Google can’t situation refunds to these customers. Anybody who paid exterior the official billing system has to chase down the fee supplier themselves, or the builders, who, it goes with out saying, usually are not significantly motivated to assist.
The apps labored as a result of the pitch was irresistible
The extra uncomfortable a part of this story is what drove 7.3 million downloads within the first place. These apps didn’t supply cloud storage or a brand new solution to edit pictures. They provided one thing folks really wished badly sufficient to pay for: the power to spy on somebody — a associate, an ex, a youngster, or a enterprise contact. Regardless of the motive, there was clearly a big and prepared viewers for the concept.
The apps leaned into that want with ruthless precision. They preselected India’s +91 nation code by default and supported UPI funds, which indicators that the scammers understood their goal demographic effectively. Subscription tiers ranged from a couple of euros per week to $80 a 12 months, giving customers choices that felt like a respectable service and catered to completely different wants. One app, when a person tried to exit with out paying, despatched a pretend push notification styled to seem like an e mail had simply arrived with the outcomes — a last-ditch nudge that led straight again to the paywall.
WeLiveSecurity
It labored as a result of curiosity is a robust factor, and the apps had been designed by individuals who understood that. Strip away the technical scaffolding and what you’ve is a really outdated rip-off: cost somebody for one thing they desperately need, give them a plausible-looking nothing, and depend on embarrassment to maintain them from complaining too loudly.
For anybody caught up on this, subscriptions processed by means of Google Play’s official system may be canceled — and probably refunded — by means of the Play Retailer’s fee settings. The whole lot else is a more durable dialog with whoever processed the fee.
