Google Play Scam Apps (CallPhantom) Distributed to 7.3 M Users via Fake Call‑Log Apps
What Happened — ESET identified 28 malicious “CallPhantom” applications on Google Play that claimed to generate fake call‑log histories. The apps collectively amassed more than 7.3 million downloads before Google removed them from the store.
Why It Matters for TPRM —
- Malicious apps on a reputable marketplace can bypass traditional vendor‑risk questionnaires that focus on “official” sources.
- High download volume indicates a broad attack surface, potentially exposing employee‑owned devices in BYOD programs.
- Removal from the store does not remove copies already installed; devices that downloaded the apps may already be compromised.
Who Is Affected — Consumer mobile users, enterprises with Android BYOD policies, mobile‑device‑management (MDM) providers, and any third party that relies on Google Play as a trusted app distribution channel.
Recommended Actions —
- Update vendor risk assessments to include app‑store vetting and continuous monitoring.
- Enforce application whitelisting or use MDM solutions to block installation of unapproved apps.
- Conduct user‑awareness training on the risks of downloading “utility” apps that request sensitive permissions.
- Monitor for residual copies of the CallPhantom binaries on internal devices and remove them promptly.
Technical Notes — The threat leveraged the official Google Play distribution channel (a supply‑chain vector) to deliver Android packages that requested access to call‑log and contacts permissions, potentially exfiltrating metadata. No known CVE was involved; the abuse stemmed from inadequate app‑store policing.
Source: TechRepublic – Google Play Scam Apps Hit 7.3M Downloads with Fake Call Logs
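As an added example (not from the article, ESET or TechRepublic), the following Python script audits simplified `adb shell dumpsys package` output and flags packages outside an allowlist that have been granted the call‑log or contacts permissions described in the Technical Notes; the package names, the allowlist and the dump text are constructed placeholders.

```python
"""Flag non-allowlisted Android packages granted call-log / contacts access.

Constructed example: parses a simplified form of the text that
`adb shell dumpsys package <pkg>` prints (real output carries extra fields
after `granted=...`; the regex below tolerates them). Package names are
placeholders, not identifiers of any real app.
"""
import re
from typing import Dict, List, Set

# Permissions the advisory singles out as the sensitive ones.
SENSITIVE = {"android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS"}

# Hypothetical allowlist of approved packages (placeholder names).
ALLOWLIST = {"com.example.corp.dialer"}

# Constructed, simplified dumpsys-style output for two installed packages.
SAMPLE_DUMP = """\
Package [com.example.corp.dialer]:
  runtime permissions:
    android.permission.READ_CALL_LOG: granted=true
    android.permission.READ_CONTACTS: granted=true
Package [com.example.fakecalllog.generator]:
  runtime permissions:
    android.permission.READ_CALL_LOG: granted=true
    android.permission.READ_CONTACTS: granted=false
    android.permission.CAMERA: granted=true
"""

_PKG = re.compile(r"^Package \[([\w.]+)\]")
_PERM = re.compile(r"^\s+(android\.permission\.\w+): granted=(true|false)")


def parse_granted(dump: str) -> Dict[str, Set[str]]:
    """Map each package in the dump to the set of permissions granted to it."""
    granted: Dict[str, Set[str]] = {}
    current = None
    for line in dump.splitlines():
        if m := _PKG.match(line):
            current = m.group(1)
            granted[current] = set()
        elif current and (m := _PERM.match(line)) and m.group(2) == "true":
            granted[current].add(m.group(1))
    return granted


def flag_unapproved(granted: Dict[str, Set[str]], allowlist=ALLOWLIST,
                    sensitive=SENSITIVE) -> List[str]:
    """Return packages holding a sensitive permission that are not allowlisted."""
    return sorted(p for p, perms in granted.items()
                  if p not in allowlist and perms & sensitive)


if __name__ == "__main__":
    for pkg in flag_unapproved(parse_granted(SAMPLE_DUMP)):
        print("review:", pkg)
```

On a real device, feed the script the concatenated output of `adb shell dumpsys package <pkg>` for each entry in `adb shell pm list packages`, and treat a hit as a prompt for review rather than proof of compromise.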