Fake tracking apps have garnered millions of downloads. That says a lot about Google's security, and about us

There is no app that allows you to extract someone else’s call history. There never has been, and probably never will be – the carriers don’t reveal that data, and no third-party developer has the access needed to retrieve it. This is not a gray area; it simply doesn’t happen. And yet 7.3 million people, according to WeLiveSecurity, have downloaded apps that claim to do exactly that.
Security researchers at ESET spent months untangling a sprawling family of 28 fake Android apps they collectively call CallPhantom – apps that promise users a window into anyone’s phone activity: call logs, SMS logs, and even WhatsApp history. Enter a number, pay a small fee, and the secrets of whoever you’ve been looking into are supposedly laid bare. What actually came out was fiction – random phone numbers dressed up with hard-coded names and timestamps, generated by the app itself and designed to look convincing enough to pass as real. The catch is that users only see this fake data after they have paid. That sequence didn’t happen by accident.
Google Play Store had a big blind spot here
All 28 apps were in the Google Play Store long enough to accumulate millions of downloads. One of them was published under the developer name “Indian gov.in,” implying a government legitimacy it had no right to claim. Several had review sections full of users stating plainly that they had been scammed, and those warnings were mixed with clusters of suspiciously enthusiastic five-star reviews that kept the ratings looking respectable.
ESET reported the full set to Google in December 2025, and the apps were removed. But the removal came from an outside report, not from Google’s own screening catching anything. For a platform heavily invested in automated threat detection and the App Defense Alliance framework, allowing 28 variants of the same scam – all promising the same technically impossible feature – to accumulate millions of downloads is a critical gap.
Some apps made things worse by bypassing Google’s payment infrastructure entirely, directing users to third-party UPI payment flows or to card input fields embedded in the app itself. That is a violation of Google Play Store policy, but it also means Google cannot refund those users. Anyone who paid outside the official payment system has to chase the payment provider themselves, or the developers, who are not particularly motivated to help.
The apps worked because the pitch was irresistible
The most uncomfortable part of this story is what drove the 7.3 million downloads in the first place. These apps didn’t offer cloud storage or a new way to organize photos. They offered something that people wanted badly enough to pay for: the ability to check up on someone – a colleague, an ex, a teenager, or a business contact. Whatever the reason, there was clearly a large audience for the idea.
The apps exploited that desire with ruthless precision. They pre-selected India’s +91 country code by default and supported UPI payments, indicating that the fraudsters had a good understanding of the people they were targeting. Subscription tiers ranged from a few euros a week to $80 a year, giving users options that felt like a legitimate service catering to different needs. One app, when a user tried to leave without paying, sent a fake notification written to look as though an email with results had just arrived – a final nudge that led directly back to the paywall.

It worked because curiosity is a powerful thing, and the apps were designed by people who understood that. Strip away the technical scaffolding and what remains is a very old scam: charge someone for something they want, give them nothing tangible, and rely on embarrassment to keep them from complaining too loudly.
For anyone caught up in this, subscriptions processed through the official Google Play system can be canceled – and possibly refunded – through the Google Play Store payment settings. Everything else is a difficult conversation with whoever processed the payment.