CallPhantom Attackers Invaded Google Play Store To Scam Millions Of Users
The promise of being able to see the complete call log, along with the SMS and WhatsApp history, of any given phone number proved too tempting for millions of Google Play visitors. A fraud campaign known as CallPhantom, spread across a total of 28 Android apps, had racked up a staggering 7.3 million downloads before Google removed the apps from the Play Store.
Google has been very busy of late dealing with security problems. First there was the small matter of some 127 security vulnerabilities uncovered in the Chrome web browser and patched in the 148.0.7778.96/97 update. Now it has been confirmed that 28 Android apps have been removed from the Google Play Store following an investigation by researchers at ESET, which found they were part of a fraudulent campaign called CallPhantom.
Unlike other malicious Android campaigns that got malware-infected apps onto Google Play, such as NoVoice, which spanned 50 apps and totaled 2.3 million downloads before removal, CallPhantom did not rely on malware at all, so there was no malicious code for a malware scan to flag. Instead, it exploited human curiosity, and an ugly urge to snoop on other people's lives, combined with app-subscription fraud.
The bait was an app, or rather 28 of them, that promised the ability to somehow view the call log and SMS/WhatsApp history for any given phone number. “To unlock this supposed feature, users are asked to pay,” ESET malware researcher Lukas Stefanko confirmed, “but all they get in return is randomly generated data.”
That data consisted of random phone numbers paired with names, call times and call durations, all of it embedded in the app code rather than returned by any real lookup of the number entered. A moment's thought shows why it had to be fake: no app can pull the call log of an arbitrary phone number unless the device behind that number has already been compromised by advanced spyware, so an app offering this to anyone who pays has nothing to query. Curiosity killed the cat, as they say, but in this case it appears to have killed common sense for the users behind more than 7 million downloads.
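Fabricated results of this kind can be spotted from the outside, without decompiling anything, because they are not tied to the input. The following is an added example (not code from the CallPhantom apps or from ESET's report): a simulated scam lookup that ignores the queried number and assembles records from a small embedded pool, alongside two black-box heuristics a tester can run against any such "lookup" feature. All names, numbers and durations in the pool are constructed for the example.

```python
import random
from collections import Counter

# Constructed pool standing in for the values a CallPhantom-style app embeds
# in its code. These are hypothetical and not taken from any real app.
EMBEDDED_NAMES = ["Anna", "Ben", "Carla", "Dev", "Eli", "Fay"]
EMBEDDED_DURATIONS = (12, 45, 90, 300, 610)


def fake_call_log(queried_number, rng, entries=5):
    """Simulates the scam app: the queried number is never used; records are
    assembled from the embedded pool with a random generator."""
    return [
        {
            "peer": "+1555" + str(rng.randint(1000000, 9999999)),
            "name": rng.choice(EMBEDDED_NAMES),
            "duration_s": rng.choice(EMBEDDED_DURATIONS),
        }
        for _ in range(entries)
    ]


def scam_lookup_factory(seed=7):
    """Returns a lookup function that behaves like the fraudulent app.
    The seed only makes the demonstration reproducible."""
    rng = random.Random(seed)
    return lambda number: fake_call_log(number, rng)


def genuine_like_lookup(number):
    """Control: a lookup whose output is a stable function of the input and
    whose contacts are specific to that input (constructed, not real data)."""
    tail = number[-4:]
    return [
        {"peer": "+1555000" + tail, "name": "contact-%s-%d" % (tail, i), "duration_s": 60 * i}
        for i in range(1, 4)
    ]


def looks_fabricated(lookup, numbers, repeats=3):
    """Two black-box heuristics for a 'look up anyone's call log' feature:
      1. Repeating the same query returns different records, which no real
         data source would do between two calls a moment apart.
      2. Unrelated queried numbers share 'contacts', i.e. names drawn from
         one small pool regardless of input.
    Returns (verdict, evidence)."""
    unstable = []
    names_by_query = {}
    for num in numbers:
        runs = [lookup(num) for _ in range(repeats)]
        if any(run != runs[0] for run in runs[1:]):
            unstable.append(num)
        names_by_query[num] = {rec["name"] for run in runs for rec in run}
    # Count in how many distinct queries each name appeared.
    name_hits = Counter(name for names in names_by_query.values() for name in names)
    shared = sorted(name for name, count in name_hits.items() if count > 1)
    verdict = bool(unstable) or bool(shared)
    return verdict, {"unstable_queries": unstable, "shared_names": shared}


if __name__ == "__main__":
    probes = ["+15550001111", "+15550002222", "+15550003333"]
    print("scam app:   ", looks_fabricated(scam_lookup_factory(), probes))
    print("control app:", looks_fabricated(genuine_like_lookup, probes))
```

The second heuristic is the stronger one in practice: an app that really queried a backend could in principle return nondeterministic ordering, but it could not keep serving the same handful of "contacts" for every number on the planet.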
It is not known how many of those users were actually defrauded of money, but the ESET report describes three payment methods:
- Subscriptions via Google Play's official billing system, which are covered by Google's refund protection.
- Payments via third-party apps.
- Payment card checkout forms included directly in the CallPhantom apps.
The full list of affected apps can be found in the ESET report. If you installed any of them, uninstall the app if it is still on the device. Subscriptions taken out through Google Play billing will have been canceled when the apps were removed from the Play Store, and a refund for those purchases may be available under Google's Play Store refund policy. Payments made through third-party apps or the card checkout forms built into the CallPhantom apps bypass Play billing entirely and are not covered by that protection, so check your card statements and raise a dispute with the card issuer if you were charged.