Researchers have discovered a remotely exploitable vulnerability in the caller-ID app Truecaller that could expose the personal details of millions of its users.

Truecaller is a popular app that claims to “search and identify any phone number” and helps users block incoming calls or SMS messages from phone numbers categorized as spammers and telemarketers.
The service has mobile apps for Android, iOS, Windows, Symbian and BlackBerry devices.

The vulnerability was discovered by Cheetah Mobile Security Research Lab. It affects the Android version of Truecaller, which has been downloaded more than 100 million times, so technically over 100 million users are at risk right now.

The Problem

The problem lies in the way Truecaller identifies users on Android and its other mobile operating systems. The Truecaller Android app asks users to enter their phone number, email address and other personal details, which are verified by a phone call or SMS message. After that, whenever users open the app, no login screen is ever shown again.
According to the researchers, Truecaller instead uses the device’s IMEI to authenticate users.
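To make the design flaw concrete, here is an added illustration written for this page (it is not Truecaller’s or Cheetah Mobile’s code; the user store, the IMEI value and the function names are constructed and hypothetical). It contrasts the flawed pattern the researchers describe, a device identifier used as the credential, with a server-issued session token that only exists after the phone number has actually been verified:

```python
import hashlib
import secrets

# Constructed sample user store (hypothetical data, not Truecaller's).
# In the flawed design described in the article, a record like this is
# looked up directly by the device identifier the client sends.
USERS = {
    "u1": {
        "imei": "356938035643809",          # constructed sample IMEI
        "name": "Alice Example",
        "email": "alice@example.invalid",
        "phone": "+15550100",
    },
}

PUBLIC_FIELDS = ("name", "email", "phone")


def _profile_view(uid):
    """Return the profile fields a client is allowed to read."""
    return {k: USERS[uid][k] for k in PUBLIC_FIELDS}


# ---------------------------------------------------------------------------
# Flawed pattern: the device identifier is the credential.
# An IMEI is an identifier, not a secret: it is printed on the box, shown in
# the phone's own menus and readable by other apps with the right permission,
# so merely presenting it proves nothing about who is asking.
# ---------------------------------------------------------------------------
def lookup_profile_by_imei(imei):
    for uid, rec in USERS.items():
        if rec["imei"] == imei:
            return _profile_view(uid)
    return None


# ---------------------------------------------------------------------------
# Hardened pattern: a random, server-issued session token that is created
# only after the out-of-band verification (call or SMS) succeeded, stored as
# a hash so a database leak does not hand out live sessions, and revocable.
# ---------------------------------------------------------------------------
SESSIONS = {}   # sha256(token) -> uid


def _token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_session_after_verification(uid, verification_passed):
    """Issue a bearer token only once the phone-number verification passed."""
    if not verification_passed or uid not in USERS:
        return None
    token = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
    SESSIONS[_token_hash(token)] = uid
    return token


def lookup_profile_by_token(token):
    """The only way to read a profile: present a valid session token."""
    uid = SESSIONS.get(_token_hash(token))
    if uid is None:
        return None
    return _profile_view(uid)


def revoke_session(token):
    """Logout or incident response: a revoked token stops working at once."""
    return SESSIONS.pop(_token_hash(token), None) is not None


if __name__ == "__main__":
    imei = USERS["u1"]["imei"]
    print("flawed:   IMEI alone ->", lookup_profile_by_imei(imei))
    print("hardened: IMEI alone ->", lookup_profile_by_token(imei))
    tok = issue_session_after_verification("u1", verification_passed=True)
    print("hardened: token      ->", lookup_profile_by_token(tok))
    revoke_session(tok)
    print("hardened: revoked    ->", lookup_profile_by_token(tok))
```

In the flawed lookup, anyone who knows the IMEI receives the whole record. In the hardened lookup the same IMEI returns nothing; only the random token handed out after verification unlocks the profile, and the server can invalidate it the moment a compromise is suspected, which a device identifier can never be.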

“Anyone gaining the IMEI of a device will be able to get Truecaller users’ personal information (including the phone number, home address, mail box, gender, etc.) and tamper app settings without users’ consent, exposing them to malicious phishers,” Cheetah Mobile wrote in a blog post.

Cheetah Mobile researchers told The Hacker News that they were able to retrieve personal data belonging to other users with the help of exploit code, just by interacting with Truecaller’s servers.

In the worst case, attackers can:

  • Steal personal information such as account name, gender, e-mail, profile picture, home address and more.
  • Modify a user’s application settings.
  • Disable spam blockers.
  • Add numbers to a user’s blacklist.
  • Delete a user’s blacklist.

According to Cheetah Mobile, Truecaller has been informed of this flaw, and the company updated its servers and released an upgraded version of its Android app on March 22 in order to prevent exploitation of the flaw.
Truecaller said in a blog post published Monday that the vulnerability did not compromise any of its users’ information.

If you haven’t already, download the latest version of Truecaller for your Android device from the Google Play Store now!