Fraudulent stalking apps have garnered millions of downloads, reflecting on both Google’s security measures and our own choices.

      No application exists that allows you to view another person's call history. There has never been one, and it is very unlikely that there will be — carriers do not share that information, and no third-party developer has the necessary access to obtain it. This is not a grey area; it is simply impossible. However, according to WeLiveSecurity, 7.3 million individuals have downloaded apps that falsely claimed to provide such information.

      Security researchers at ESET have spent several months unraveling a large network of 28 deceptive Android apps they collectively named CallPhantom. These apps purported to give users insight into another person's phone activity, including call logs, SMS messages, and even WhatsApp conversations. Users could enter a number, pay a small fee, and supposedly gain access to secrets about the individual they were investigating. In reality, the app produced fictional data — random phone numbers paired with hardcoded names and timestamps, all generated by the app to appear convincingly real. Users only encountered this counterfeit data after making their payment, a sequence that was not coincidental.

      The Google Play Store had a significant oversight in this situation.

      All 28 apps remained on the Google Play Store long enough to gather millions of downloads. One was published under the name “Indian gov.in,” a developer name suggesting government credibility it did not possess. Numerous user reviews explicitly stated they had been scammed, and these warnings coexisted with clusters of suspiciously enthusiastic five-star ratings that helped maintain a respectable overall score.

      ESET alerted Google to the entire set in December 2025, and the apps were subsequently removed. However, this action stemmed from an external report rather than Google identifying the issue independently. For a platform that has heavily invested in automated threat detection and the App Defense Alliance framework, allowing 28 variants of the same scam — each promising the same technically impossible feature — to achieve millions of downloads is a significant oversight.

      Some apps exacerbated the situation by circumventing Google’s payment system altogether, directing users to third-party UPI transactions or direct card entry fields within the app. This violates Play Store policy and also means Google cannot issue refunds to those users. Anyone who paid outside the official billing system must seek reimbursement from the payment provider or the developers, who are not likely to be helpful.

      The appeal of these apps was undeniable.

      The more unsettling aspect of this situation is what led to the initial 7.3 million downloads. These apps didn’t provide cloud storage or new photo editing features. They offered something that many people desired enough to pay for: the ability to spy on someone — be it a partner, an ex, a teenager, or a business contact. Regardless of the reason, it was evident that there was a significant and eager audience for this concept.

      The apps capitalized on that impulse with ruthless efficiency. They preselected India’s +91 country code by default and enabled UPI payments, indicating that the scammers understood their target demographic well. Subscription prices ranged from a few euros per week to $80 annually, presenting users with options that felt like a legitimate service tailored to different needs. One app even sent a deceptive push notification when users attempted to exit without paying, styled to resemble an email alerting them to their results — a last-minute nudge directing them back to the payment page.

      It was successful because curiosity is a potent motivator, and the apps were created by individuals who recognized that. When stripped of all the technical details, the core of the scheme is quite old: charge someone for something they desperately desire, provide them with a seemingly credible nothing, and rely on their embarrassment to prevent them from complaining too loudly.

      For anyone affected by this, subscriptions processed through Google Play’s official system can be canceled — and possibly refunded — through the payment settings in the Play Store. For all other cases, it becomes a difficult conversation with the payment processor.