Fraudulent "CallPhantom" Apps on Google Play Scammed Millions with Fake Call History Data A sophisticated fraud campaign involving 28 malicious Android apps collectively dubbed CallPhantom deceived over 7.3 million users before being removed from Google Play in December 2025. Discovered by researchers at WeLiveSecurity, the apps lured victims with the false promise of revealing call histories for any phone number, only to deliver fabricated data and extract payments through deceptive subscription models. The scam exploited users' curiosity by displaying partial, hardcoded call logs complete with fake names, timestamps, and phone numbers to create the illusion of functionality. Victims were then prompted to pay for full access, with subscription fees ranging from weekly to yearly plans costing up to $80. Two primary variants were identified: one that generated pre-loaded fake data directly in the app, and another that falsely claimed to email results after payment, delivering nothing in return. Targeting primarily Android users in India and the Asia-Pacific region, the apps were optimized for local payment methods, including UPI (Unified Payments Interface) and direct card transactions. Some even embedded payment forms within the app, violating Google Play’s policies and complicating refunds. Operators further evaded detection by dynamically fetching payment details from Firebase real-time databases, allowing them to switch receiving accounts at will. While Google canceled subscriptions tied to its official billing system, users who paid via third-party UPI apps or in-app card forms had no recourse through Google. The apps also employed deceptive tactics, such as fake email notifications leading to subscription screens, to pressure users into paying. All 28 apps lacked any real capability to access call logs, SMS records, or messaging data. Their removal followed ESET’s disclosure, though indicators of compromise including SHA-1 hashes, Firebase-hosted command-and-control domains, and associated IP addresses remain documented for threat intelligence purposes.

Google Play was infiltrated by the SpyLend Android malware, affecting 100,000 users, predominantly in India. This malicious app, disguised as 'Finance Simplified,' deceived users by offering easy loans while harvesting excessive permissions. The malware not only stole personal data such as contacts, call logs, photos, and location but also enabled operators to blackmail users through the creation of phony nudes. It represents a significant privacy breach and reveals the platform's vulnerability to hosting apps that facilitate financial crimes and psychological manipulation.

Google Play was found to host 15 SpyLoan Android apps, accumulating over 8 million installs, targeting users primarily in South America, Southeast Asia, and Africa. These apps, mimicking legitimate financial service providers, tricked users into providing sensitive data under the guise of offering quick and easy loans. Users were lured through social media ads and deceptive marketing into downloading the apps, which then requested extensive permissions leading to excessive data access. Malicious actors exploited this information for extortion and harassment, causing significant financial loss and personal distress for the affected individuals. Resultant actions from these breaches include threats, misuse of personal data, and intensive spamming of victims' contacts.

Over 11 million Android devices were infected by the new variant of the Necro Trojan malware, which was distributed through fake versions of popular apps and games on the Google Play store and unofficial app sources. The malware employed obfuscation and steganography to evade detection, executing malicious actions such as displaying invisible ads, downloading/executing files, and creating unauthorized subscriptions to paid services. The widespread impact of the infection emphasizes the malware's adaptability and potential for financial and reputational damage to affected users.

Over 32,000 downloads of Mandrake spyware-laced apps from Google Play have led to a significant cyber security incident. The sophisticated Mandrake Android spyware, discovered by Kaspersky, employs advanced evasion techniques and obfuscation, allowing attackers to take complete control over infected devices and exfiltrate sensitive user data without detection. Despite being present on the platform since 2022, the spyware remained undetected for over two years, with the most downloaded app, AirFS, garnering over 30,000 downloads alone. The impact of this security lapse has raised concerns within the cybersecurity community about the efficacy of current app marketplace security measures.

XcodeGhost malware had made its way to the official Google Play app store lending trojans and adware to the consumer's mobile. The malicious Brain Test app avoided the detection by Bouncer – Google’s technology which is supposed to stop malicious apps from entering the store was downloaded between 200,000 and 1 million times. There are various bogus versions of popular games such as “Plants vs Zombies 2”, “Traffic Race” and “Temple Run 2 Zoombie” that can make it possible for criminals to slip their malware past such checks.