Last updated: May 14, 2026 at 10:49 AM UTC
Tag: google-play (2 articles)

28 fake apps on Google Play tricked 7.3 million Indian users into paying for fake call logs - charging up to $80 a year for fabricated data

ESET disclosed CallPhantom, a campaign of 28 fraudulent Android apps on Google Play that promised to reveal call histories, SMS records, and WhatsApp call logs for any phone number. Combined downloads: 7.3 million. After payment (weekly, monthly, or annual subscriptions up to $80), users receive fabricated phone numbers and names that are hardcoded into the apps. Targeting focused on India (the apps came pre-set with the +91 country code and UPI integration via Google Pay, PhonePe, and Paytm) and extended to the broader Asia-Pacific region. Some apps embedded direct credit card forms, which violates Play policy and makes refunds harder. Google removed the 28 apps after ESET's report.

Check
If your organization issues Android devices to staff in India or APAC, check Google Play purchase histories for active subscriptions to call-history apps. Review corporate phone bills for unexpected UPI charges since November 2025.
Affected
Android users in India and broader Asia-Pacific, particularly those who searched Play Store for tools to retrieve call logs, SMS records, or WhatsApp histories. Indian users are the primary target due to UPI integration - 7.3M+ confirmed downloads. Corporate-issued Android devices used for personal app downloads face the same risk.
Fix
Cancel any active CallPhantom subscriptions through Play Store - Google has removed the apps. Request refunds via Play Store (subject to Google's time windows). For UPI-paid subscriptions, contact your UPI provider directly. Brief staff that no legitimate consumer app can reveal call logs of arbitrary phone numbers. For corporate fleets: apply MDM policies that block sideloading.

NoVoice Android rootkit hid inside 50+ Google Play apps - 2.3 million downloads, survives factory reset

McAfee uncovered a rootkit campaign called Operation NoVoice that distributed malware through more than 50 legitimate-looking apps on Google Play - cleaners, games, and gallery tools - downloaded at least 2.3 million times. Once opened, the apps silently profile the device and download root exploits targeting Android vulnerabilities patched between 2016 and 2021. After rooting, the malware replaces core system libraries so every app the user opens runs attacker code. It survives factory resets on older devices because the payload lives on the system partition.

Check
Check your Android fleet for devices running security patch levels older than May 2021, and audit for any of the removed apps.
Affected
Android devices with security patch level before 2021-05-01. The rootkit primarily targets older or unpatched devices, though patched devices that installed the apps may have been exposed to other payloads.
Fix
Update Android devices to security patch level 2021-05-01 or later. Devices confirmed infected on Android 7 or older require a full firmware reflash - factory reset will not remove the rootkit. Remove any apps matching the McAfee IOC list. Consider MDM policies that block app installs from unknown or low-reputation publishers.