Truecaller Security Flaw Leaves Millions Vulnerable

March 29, 2016 - Written By Kishalaya Kundu

A security vulnerability found in the popular phone number indexing app, Truecaller, is apparently capable of exposing the personal details of those who use the service. The vulnerability is allegedly exploitable remotely without physical access to the phone, and was discovered recently by security researchers at Cheetah Mobile, the Chinese software company known for its ubiquitous Clean Master Android app. As for Truecaller, the app is currently available on a whole host of operating systems, including Android, iOS, Windows Mobile, BlackBerry OS, Nokia Series 40 and Symbian. As many as 100 million people worldwide were originally said to have been vulnerable to the privacy bug, but what’s reassuring is that the security hole has apparently been patched up in the latest update rolled out to the app by the developers – True Software Scandinavia AB.

According to the proof-of-concept demonstration by researchers at Cheetah Mobile, the IMEI code of any mobile device running the Truecaller app was enough for an attacker to retrieve that user's personal details. The data obtained this way may include the user's “Truecaller account name, his gender, email address, profile image, home address and whatever else was stored in his profile”, as the Cheetah research team asserts. What's more, knowing the IMEI code would also allow attackers to modify account settings on the user's phone remotely: during the demonstration, the researchers claim they were able to alter users' personal app preferences, disable the app's spam blocker, delete the original block list and create a new one, and add other users to that newly created block list. All of this was done without any physical access to the victim's phone.

Cheetah Mobile says that before publicly announcing the security flaw, it notified the app's developer, which now claims to have patched the vulnerability. The updated software landed on Google Play on the 22nd of this month, and both Truecaller and Cheetah Mobile are advising users to update to the latest version of the app as soon as possible to avoid any privacy issues, especially now that the vulnerability has been disclosed publicly. One thing that needs to be mentioned is that Cheetah Mobile found the vulnerability only in the Android version of the app, and it says it is “still evaluating” whether the iOS version is affected by the same issue.