How CallPhantom and GoldFactory Exploit Trust in Mobile Apps

CyberSecureFox Editorial Team

28 fraudulent applications under the collective codename CallPhantom managed to gain more than 7.3 million installs in Google Play, promising access to call and message histories for “any number” but in reality subscribing users to paid services using fake data. In parallel, in Indonesia the GoldFactory group used fake tax and banking services, malicious APKs, and social engineering to steal about USD 2 million from users, making the combination of “official brands + mobile payments” a key risk vector for individuals and companies in the Asia-Pacific region.

Technical details: two different but related schemes

CallPhantom: large-scale subscription scam in Google Play

According to research by ESET, the name CallPhantom conceals a set of 28 Android applications published in the official Google Play store and primarily targeting users in India and APAC countries. Key parameters of the scheme:

  • Total installs: more than 7.3 million, with a single app exceeding 3 million downloads.
  • Promised functionality: viewing call logs, SMS, and even WhatsApp calls for “any number.”
  • Actual implementation: the apps contain no code at all to access call logs, SMS, or WhatsApp; the call and subscriber data are pre‑embedded fake records generated at random.
  • Permissions: the apps do not request sensitive permissions and have an extremely simple interface, which reduces suspicion from both users and automated checks.
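The permission gap in the last two bullets can be turned into a simple vetting check. The Python below is an added illustration, not code from ESET's research or from the article: it parses a constructed AndroidManifest.xml and flags advertised capabilities that no declared permission could support. The manifest, package name and the claim-to-permission table are assumptions made for this example.

```python
"""Triage heuristic: does an app's advertised capability match its manifest?

CallPhantom-style apps advertise reading call logs or SMS for "any number"
but ship a manifest without the permissions a real implementation needs.
A claim no declared permission could back is a strong signal the "data"
is fabricated. Manifest and claims below are constructed sample input.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions a genuine implementation of each advertised capability would
# have to declare. These only ever cover the device's OWN data; no
# permission lets an app read the call log of an arbitrary other number.
CLAIM_REQUIREMENTS = {
    "call_log": {"android.permission.READ_CALL_LOG"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
}

# Constructed manifest resembling a CallPhantom-style app: only INTERNET
# and in-app billing, nothing that could read call or message data.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.calltracker.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="com.android.vending.BILLING"/>
</manifest>
"""

def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the android:name values of all <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.attrib.get(f"{{{ANDROID_NS}}}name", "")
            for el in root.iter("uses-permission")}

def unsupported_claims(manifest_xml: str, claims: set[str]) -> dict[str, set[str]]:
    """Map each advertised claim to the permissions that could back it but
    are not declared. A claim is unsupported when none of its candidate
    permissions is present; an empty dict means listing and manifest agree."""
    have = declared_permissions(manifest_xml)
    report = {}
    for claim in claims:
        needed = CLAIM_REQUIREMENTS.get(claim, set())
        if needed and not (needed & have):
            report[claim] = needed - have
    return report
```

Running `unsupported_claims(SAMPLE_MANIFEST, {"call_log", "sms"})` reports both claims as unsupported, which is exactly the CallPhantom profile: billing permissions present, data-access permissions absent.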

Individual apps were published under aliases designed to inspire trust, including a developer name like “Indian gov.in,” meant to evoke associations with Indian government agencies.

Monetization mechanics:

  • The user enters the phone number of interest (sometimes also an email address “to deliver the report”).
  • No data are shown at all before payment.
  • To “unlock” the data, the user is prompted to purchase a paid subscription or make a one‑time payment.
  • After payment the user receives not real information, but generated pseudo‑logs embedded in the app’s source code.

Three main payment channels were used:

  • Official Google Play billing — formally legitimate, but used for a fraudulent service.
  • Third‑party UPI (Unified Payments Interface) apps, including Google Pay, PhonePe, and Paytm — this approach violates Google Play rules.
  • In‑app bank card input forms — also a violation of Google’s policy.

The cost of “subscriptions” ranged from roughly USD 6 to USD 80. According to ESET, users who subscribed via official Google Play billing may be eligible for refunds under current Google Play refund policies. However, payments made through UPI and direct card entry cannot be reimbursed by Google — users are left to deal one‑on‑one with banks and payment providers.

In some cases, additional pressure tactics were used:

  • If a user closes the app without paying for a subscription, they see a notification stating that “the call history for number X has been sent to your email.”
  • Following the notification link takes them not to a “report,” but back to the subscription purchase screen.

Based on reviews and discussions in open sources, CallPhantom activity can be traced at least as far back as November 2025. At the time of ESET’s publication, all identified apps had been removed from Google Play.

GoldFactory: fraud via fake tax service and mobile trojans

Security company Group-IB has recorded a conceptually similar but technically more complex campaign in Indonesia, associated with the financially motivated GoldFactory cluster. According to researchers’ estimates, the attackers stole about USD 2 million from Indonesian users by impersonating the national tax platform CoreTax and other trusted brands. Details are presented in Group-IB’s report on the GoldFactory campaign.

Key elements of the attack chain:

  • Phishing websites imitating CoreTax and more than 16 other popular services.
  • Social engineering via WhatsApp — sending links and instructions on behalf of the “tax office” or a “bank.”
  • Side‑loading of malicious APKs instead of installing apps from Google Play.
  • Voice phishing (vishing) to persuade the victim to complete installation and grant the required permissions.

After installation, an Android malware payload is delivered to the device, including families such as Gigabud RAT, MMRat, and Taotie. These programs enable attackers to:

  • Collect sensitive data from the device.
  • Download additional components on command from the operator.
  • Use stolen data to hijack accounts and perform unauthorized financial transactions.

From a MITRE ATT&CK perspective, significant techniques in this campaign include, in particular, T1566 Phishing (including messaging channels and voice phishing) and technique chains related to the installation of malicious mobile applications.

Threat context: from “spy” promises to full device takeover

CallPhantom and GoldFactory illustrate two stages in the evolution of mobile fraud:

  • In the case of CallPhantom, the attackers exploit users’ desire to gain illegitimate access to other people’s data. By promising “spy” functionality (reading other people’s call and message logs), they are essentially selling thin air while not actually installing trojans on devices or requesting dangerous permissions.
  • In the case of GoldFactory, what is exploited is not only trust in brands, but also technical illiteracy when installing APKs outside the official store, which results in full remote control of the device and subsequent theft of funds.

What both schemes have in common is deep reliance on user trust in:

  • official distribution channels (Google Play, WhatsApp as a familiar communication channel);
  • well‑known brands (government services, payment apps);
  • formally legitimate monetization tools (official Google Play billing, UPI).

The fact that more than 7 million users installed apps promising functionality that is clearly dubious from a legal standpoint (viewing someone else’s call logs) highlights a serious problem: a significant portion of the audience is willing to deliberately violate others’ privacy in exchange for convenience, and fraudsters are ready to exploit this.

Impact assessment

Those at highest risk:

  • individual Android users in India and APAC countries (CallPhantom) and in Indonesia (GoldFactory);
  • organizations with BYOD policies where employees’ personal devices are used to access corporate email, messengers, and banking apps;
  • banks and fintech services, which ultimately bear the burden of investigations and potential reimbursements for fraudulent transactions.

Consequences if no action is taken:

  • Direct financial losses from uncontrolled subscriptions and transfers.
  • Loss of control over accounts (email, messengers, online banking) and subsequent attack chains (changing payment details, extorting money from contacts).
  • Risk of regulatory claims against organizations if compromised personal devices of employees were used to handle confidential data.

An additional risk for banks and payment services is reputational: misuse of their brands and apps (for example, UPI wallets) in fraudulent schemes undermines trust in digital channels as a whole.

Practical recommendations

For individual users

  • Remove from your device all apps from the CallPhantom list, if installed (by names and package IDs provided by ESET in its CallPhantom research).
  • Check the Subscriptions section in Google Play and cancel any unclear paid subscriptions; if needed, request a refund under official Google refund rules.
  • Review bank card statements and UPI app transactions for small recurring charges to unknown recipients; if discovered, immediately block the card and file a claim with the bank.
  • Do not install APKs from files and links sent via WhatsApp or other messengers, especially if the sender claims to be a “tax office,” “bank,” or other government body; official services direct users to Google Play or to verified domains.
  • Ignore any offers to “view someone else’s call/SMS history” as inherently illegal and high‑risk.

For companies and financial institutions

  • Mobile security policy. For corporate and BYOD devices, implement app inventory and control via MDM/EMM tools: deny access to corporate resources from devices on which unvetted apps advertising functionality of this kind (viewing others’ calls, “unlimited monitoring,” etc.) are detected.
  • Staff training. Include the CallPhantom and GoldFactory cases in security awareness training as examples of:
    • abuse of trust in Google Play and government services;
    • risks of installing APKs from messengers;
    • dangers of promises to “gain access to someone else’s data.”
  • Fraud monitoring. Banks and fintech companies should account for GoldFactory‑style scenarios when tuning anti‑fraud systems: anomalous transactions from new or recently “reinstalled” devices, atypical customer behavior following recent installation of an APK obtained via a link.
  • Customer communication. Publish clear guidance stating that:
    • the organization does not distribute APKs via WhatsApp;
    • all official apps are published only in vetted app stores;
    • tax and banking notifications do not require installing software from a file.
  • Incident response. When detecting cases similar to those described in Group-IB’s report on GoldFactory, ensure that the investigation includes a mobile component: analysis of installed apps, granted permissions, and network activity.

The key takeaway for users and organizations in the Asia-Pacific region is the urgent need to reconsider reliance on “official” channels as a sufficient security criterion and to implement concrete practices — from regularly checking subscriptions and statements to strictly controlling app installation sources and rejecting any software that promises access to third‑party data.

