Recently, security researchers from the Cheetah Mobile Security Research Lab discovered a loophole in the popular phone call management application Truecaller. This vulnerability, which has been fixed in the latest Android update of the app, could have allowed anyone to potentially gain access to Truecaller users’ information and change their call blocking settings. The millions of Android users who downloaded this app on their smartphones could be in danger.
While our smartphones have definitely become more capable and smarter, the phone functionality itself has remained locked in the 20th century. There have been many attempts to make the phone app itself even smarter. Google’s dialer app is one. Third-party TrueCaller, which is making its way to the likes of Cyanogen OS and BLU Products devices, is another. Yet for all the convenience that the service might bring, one single design flaw potentially exposed the private details of 100 million Android users who have downloaded the app in good faith.
TrueCaller is practically a modern, glorified caller ID feature. These days it’s no longer enough to simply see the number that’s calling you; you need to be able to quickly identify whether it’s a call you’d like to take or reject. TrueCaller identifies incoming calls and matches them against known numbers as well as those flagged by users. It can quickly inform you if it’s spam you’d rather ignore. And in case there was an error or a new number came up, you can also mark those numbers appropriately to help grow and improve the identification.
The researchers found that Truecaller uses the device’s IMEI as the only identity label for its users. This means that anyone who obtains the IMEI of a device is able to retrieve that Truecaller user’s personal information (including phone number, home address, email address, gender, etc.) and tamper with the app’s settings without the user’s consent, exposing them to malicious phishers.
By exploiting this flaw, attackers can:
- Steal personal information like account name, gender, e-mail, profile picture, home address, etc.
- Modify a user’s application settings:
  - Disable spam blockers
  - Add numbers to a user’s blacklist
  - Delete a user’s blacklist
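To make the design flaw concrete, here is an added illustration (not Truecaller’s code or API) of why a device identifier cannot serve as an authentication credential: a service that accepts the IMEI as its only proof of identity hands every profile and setting to anyone who knows that number, whereas a service that issues an unguessable per-login token and treats the IMEI as mere device metadata refuses the same requests. The user store, the `otp_ok` stand-in for a verified proof of ownership, and all sample values are constructed for the example.

```python
"""
Weak vs. hardened identity handling for a profile/settings API.
Hypothetical example written for this article; it does not reflect any
real app's implementation. All data below is constructed.
"""
import secrets


def make_users():
    """Fresh copy of a constructed user store (values are made up)."""
    return {
        "alice": {
            "imei": "356938035643809",
            "email": "alice@example.invalid",
            "spam_blocking": True,
            "blacklist": {"+15550001111"},
        },
    }


class WeakProfileService:
    """Identity = IMEI. Knowing the IMEI is all that is needed to read
    the profile or change its settings. This is the flawed pattern."""

    def __init__(self, users):
        self._users = users
        self._by_imei = {u["imei"]: name for name, u in users.items()}

    def get_profile(self, imei):
        name = self._by_imei.get(imei)
        return None if name is None else dict(self._users[name])

    def set_spam_blocking(self, imei, enabled):
        name = self._by_imei.get(imei)
        if name is None:
            return False
        self._users[name]["spam_blocking"] = enabled
        return True


class HardenedProfileService:
    """Identity = a random bearer token issued only after a login step the
    caller must actually pass (here, a stand-in OTP check). The IMEI is
    stored but never consulted for authorization."""

    def __init__(self, users):
        self._users = users
        self._tokens = {}  # token -> username

    def login(self, username, otp_ok):
        # otp_ok stands in for a verified out-of-band proof of ownership
        # (e.g. an SMS code); a device identifier is not such a proof.
        if username not in self._users or not otp_ok:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits, unguessable
        self._tokens[token] = username
        return token

    def get_profile(self, token):
        name = self._tokens.get(token)
        return None if name is None else dict(self._users[name])

    def set_spam_blocking(self, token, enabled):
        name = self._tokens.get(token)
        if name is None:
            return False
        self._users[name]["spam_blocking"] = enabled
        return True


if __name__ == "__main__":
    imei = "356938035643809"
    weak = WeakProfileService(make_users())
    print("weak service, IMEI only:", weak.get_profile(imei))
    hard = HardenedProfileService(make_users())
    print("hardened service, IMEI only:", hard.get_profile(imei))
    tok = hard.login("alice", otp_ok=True)
    print("hardened service, with token:", hard.get_profile(tok))
```

The point of the contrast is that an IMEI is an identifier, not a secret: it is shared with the carrier, printed on packaging, and readable by other software on the phone, so any check built on it alone authenticates whoever presents it. The hardened service still records the IMEI (for device management) but ties every read and write to a token that only the account owner could have obtained.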
The Cheetah Mobile Security Research Team notified the developer of Truecaller about this vulnerability as soon as they discovered the loophole and offered all the help it could to fix the issue. The maker of Truecaller has now addressed the issue and released an update on March 22nd.
Although the flaw has been fixed in the latest version, the majority of users are still in danger because they have not yet installed the new release. Every Truecaller user should upgrade the app to the latest version as soon as possible.