Last updated: May 14, 2026 at 10:49 AM UTC
Tag: eset (2 articles)

28 fake apps on Google Play tricked 7.3 million Indian users into paying for fake call logs - charging up to $80 a year for fabricated data

ESET disclosed CallPhantom, a campaign of 28 fraudulent Android apps on Google Play that promised to reveal call histories, SMS records, and WhatsApp call logs for any phone number. Combined downloads: 7.3 million. After payment (weekly, monthly, or annual subscriptions up to $80), users receive fabricated phone numbers and names hardcoded into the apps. Targeting was India-focused (apps came pre-set with +91 country code and UPI integration via Google Pay, PhonePe, and Paytm) plus broader Asia-Pacific. Some apps embedded direct credit card forms, violating Play policy and making refunds harder. Google removed the 28 apps after ESET's report.

Check
If your organization issues Android devices to staff in India or APAC, check Google Play purchase histories for active subscriptions to call-history apps. Review corporate phone bills for unexpected UPI charges since November 2025.
Affected
Android users in India and broader Asia-Pacific, particularly those who searched Play Store for tools to retrieve call logs, SMS records, or WhatsApp histories. Indian users are the primary target due to UPI integration - 7.3M+ confirmed downloads. Corporate-issued Android devices used for personal app downloads face the same risk.
Fix
Cancel any active CallPhantom subscriptions through Play Store - Google has removed the apps. Request refunds via Play Store (subject to Google's time windows). For UPI-paid subscriptions, contact your UPI provider directly. Brief staff that no legitimate consumer app can reveal call logs of arbitrary phone numbers. For corporate fleets: apply MDM policies that block sideloading.

China-linked spies named 'GopherWhisper' targeted Mongolian government using Slack, Discord, and Outlook drafts as their command channel

ESET disclosed GopherWhisper, a previously undocumented China-linked spy group active since at least November 2023 and targeting Mongolian government systems. The group's defining trick: instead of building its own command-and-control servers, it sends instructions through ordinary cloud services - private Slack channels, Discord servers, Outlook draft email folders, and the file.io file-sharing service. Because the malware traffic looks like normal Slack and Discord usage, network monitoring tools largely ignore it. ESET extracted thousands of operator messages from the attackers' own Slack and Discord workspaces, and even found a 'How to write RATs.txt' file in their Downloads folder.

Check
Audit which corporate endpoints have outbound access to slack.com, discord.com, graph.microsoft.com, and file.io without a clear business reason.
Affected
Organizations with operations in Mongolia or staff working on Indo-Pacific affairs. More broadly: any environment where outbound HTTPS to Slack, Discord, Microsoft Graph, or file.io is allowed by default - which is most corporate networks. Build servers, jump hosts, and developer machines are at acute risk because they need outbound HTTPS but have no business reason to talk to Slack or Discord.
Fix
Restrict outbound HTTPS to Slack, Discord, and file.io to only endpoints with a documented business reason. Alert on outbound traffic to those services from servers and developer machines that shouldn't be using them. In Microsoft 365, audit OAuth grants and alert on draft email creation in unfamiliar mailboxes. Block file.io entirely if you have no use case. ESET's GitHub repo lists the indicators.
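The "alert on outbound traffic to those services from servers and developer machines" step above can be implemented as a small proxy-log review. The following is an added example written for this page, not code from ESET or from their GitHub repo. The four domains come from the article; the host names, their roles, the allowlist of documented business reasons, the log format and the log lines themselves are constructed assumptions for illustration.

```python
"""Flag outbound HTTPS to Slack, Discord, Microsoft Graph and file.io from
hosts that have no documented business reason to reach them.
Added example for this page; not ESET's code."""
import csv
import io
from dataclasses import dataclass

# Services the article names as GopherWhisper command channels.
WATCHED_DOMAINS = ("slack.com", "discord.com", "graph.microsoft.com", "file.io")

# Hypothetical asset inventory (constructed): host -> role.
HOST_ROLES = {
    "build01": "server",
    "jump01": "server",
    "dev-laptop-07": "developer",
    "ws-sales-12": "workstation",
}

# Hypothetical allowlist (constructed): (host, service) pairs with a documented reason.
ALLOWLIST = {
    ("ws-sales-12", "slack.com"),
}

# Constructed proxy log: timestamp,src_host,dest_host,dest_port,bytes_out
SAMPLE_LOG = """\
2025-11-03T09:12:01Z,ws-sales-12,app.slack.com,443,1820
2025-11-03T09:12:09Z,build01,discord.com,443,4096
2025-11-03T09:13:22Z,jump01,graph.microsoft.com,443,5120
2025-11-03T09:14:05Z,dev-laptop-07,file.io,443,221184
2025-11-03T09:15:00Z,build01,files.pythonhosted.org,443,91234
2025-11-03T09:16:41Z,ws-sales-12,discord.com,443,300
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    src_host: str
    dest_host: str
    service: str
    severity: str


def matched_service(dest_host):
    """Return the watched base domain that dest_host equals or is a subdomain of."""
    host = dest_host.lower().rstrip(".")
    for domain in WATCHED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None  # e.g. "notslack.com" or "file.io.example.com" do not match


def classify(src_host, service):
    """Severity for a (host, service) pair, or None if the pair is allowlisted."""
    if (src_host, service) in ALLOWLIST:
        return None
    role = HOST_ROLES.get(src_host, "unknown")
    # Servers and developer machines need outbound HTTPS but should never
    # talk to chat or file-sharing services: highest priority for review.
    if role in ("server", "developer"):
        return "high"
    # Workstations and unknown hosts without a documented reason still deviate
    # from the restrict-by-default policy and should be reviewed.
    return "medium"


def detect(log_text):
    """Scan CSV proxy log text and return the alerts in log order."""
    alerts = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        timestamp, src_host, dest_host, _port, _bytes = row
        service = matched_service(dest_host)
        if service is None:
            continue
        severity = classify(src_host, service)
        if severity is None:
            continue
        alerts.append(Alert(timestamp, src_host, dest_host, service, severity))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.timestamp} {alert.src_host} -> "
              f"{alert.dest_host} ({alert.service})")
```

On the sample log this raises three high alerts (build01 to discord.com, jump01 to graph.microsoft.com, dev-laptop-07 to file.io) and one medium alert (the sales workstation reaching discord.com without an allowlist entry); the allowlisted Slack session and the package download are ignored. In a real deployment graph.microsoft.com needs a much broader allowlist, since ordinary Microsoft 365 clients use it, so the useful signal there is the host role rather than the domain alone.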