Over 100 million Android phones put at risk by Truecaller flaw

Vulnerability could have resulted in identity theft and phishing.


More than 100 million Android devices are vulnerable to identity theft and phishing attacks as a result of a recently discovered flaw in a phone call management app called Truecaller.

On Monday, security researchers at Cheetah Mobile published a blog post in which they discuss how the bug allows bad actors to steal users' personal information, which could open the door to subsequent attacks against the platform's users.

Truecaller is a service available for Android, iOS, and Symbian devices as well as BlackBerry phones. It enables users to search for phone numbers, block incoming calls and text messages from spammers and telemarketers, and connect with friends.

This recently discovered security issue ultimately rests with how Truecaller authenticates its users, as Cheetah Mobile explains:

"The researcher found that Truecaller uses devices' IMEI as the only identity label of its users, meaning that anyone gaining the IMEI of a device will be able to get Truecaller users' personal information (including phone number, home address, mailbox, gender, etc.) and tamper with app settings without users' consent, exposing them to malicious phishers."


IMEI is an abbreviation for International Mobile Station Equipment Identity. It is a number used to identify every 3GPP and iDEN mobile phone, GSM modem, or device with a built-in phone or modem. This 15-digit number is commonly printed on the inside of a phone's battery compartment; a user can usually also find their phone's IMEI by entering *#06# on the dialpad.

Cheetah Mobile notes that by obtaining a Truecaller user's IMEI, an attacker could steal their personal information, modify their settings, disable spam blocking, and add or delete blacklist entries.
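The design mistake Cheetah Mobile describes, and the impact listed above, can be shown in a small model. The following Python is an added example, not Truecaller's code and not based on its API: it models a profile/settings service in two forms. `WeakApi` treats the IMEI in a request as the caller's identity, so any request carrying a known IMEI can read that account's profile and change its settings. `HardenedApi` treats the IMEI as an opaque device label and authorises each call with a server-issued session token that is only handed out after the phone number is verified. Every account, phone number, email address, verification code and token below is constructed; the two IMEIs are the well-known documentation examples and carry a valid Luhn check digit, which the hardened service also validates.

```python
"""Added example (not Truecaller's code): a device identifier is a label, not a credential."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    imei: str
    phone: str
    email: str
    spam_blocking: bool = True
    blacklist: set = field(default_factory=set)


def make_accounts():
    # Constructed sample accounts; the IMEIs are the common documentation examples.
    return {
        "356938035643809": Account("356938035643809", "+46700000001", "alice@example.org"),
        "490154203237518": Account("490154203237518", "+46700000002", "bob@example.org"),
    }


def is_valid_imei(imei):
    """An IMEI is 15 digits whose last digit is a Luhn check digit."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for pos, ch in enumerate(reversed(imei)):
        d = int(ch)
        if pos % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class WeakApi:
    """The pattern described in the article: the IMEI is the only identity check."""

    def __init__(self, accounts):
        self.accounts = accounts

    def get_profile(self, imei):
        acct = self.accounts.get(imei)
        return None if acct is None else {"phone": acct.phone, "email": acct.email}

    def set_spam_blocking(self, imei, enabled):
        acct = self.accounts.get(imei)
        if acct is None:
            return False
        acct.spam_blocking = enabled
        return True


class HardenedApi:
    """Same operations, but authority comes from a session bound to a verified account."""

    def __init__(self, accounts):
        self.accounts = accounts
        self._sessions = {}  # token -> IMEI the session was issued for

    def login(self, imei, phone, code, expected_code):
        # Hypothetical flow: the server texted `expected_code` to `phone`; the client echoes it.
        acct = self.accounts.get(imei)
        if not is_valid_imei(imei) or acct is None or acct.phone != phone:
            return None
        if not hmac.compare_digest(code, expected_code):   # constant-time comparison
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = imei
        return token

    def _authorised(self, token, imei):
        # The token must exist and must have been issued for exactly this account.
        return token is not None and self._sessions.get(token) == imei

    def get_profile(self, token, imei):
        if not self._authorised(token, imei):
            return None
        acct = self.accounts[imei]
        return {"phone": acct.phone, "email": acct.email}

    def set_spam_blocking(self, token, imei, enabled):
        if not self._authorised(token, imei):
            return False
        self.accounts[imei].spam_blocking = enabled
        return True


def compare(known_imei="356938035643809"):
    """Send the same two requests, carrying only an IMEI and no session, to both APIs."""
    weak = WeakApi(make_accounts())
    hardened = HardenedApi(make_accounts())
    return {
        "weak_profile": weak.get_profile(known_imei),
        "weak_disabled_blocking": weak.set_spam_blocking(known_imei, False),
        "hardened_profile": hardened.get_profile(None, known_imei),
        "hardened_disabled_blocking": hardened.set_spam_blocking(None, known_imei, False),
    }
```

`compare()` returns the profile and a successful settings change from the weak service, and `None`/`False` from the hardened one, because an IMEI alone is neither secret nor unforgeable: it is printed on the device and can be read by other apps, so it can only ever be a lookup key. The fix modelled here is the one an update would carry on the server side, which is why users who have not yet received the new release stay exposed only if the server still honours IMEI-only requests.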


At this time, no user information is believed to have been compromised as a result of this flaw. Even better, Truecaller has already released an update fixing the bug.

But there's a catch, according to Cheetah Mobile:

"Although the flaw has been fixed in the latest version, the majority of the users are still in danger as they have not got access to the new release yet. The CM Security Research Lab advises Truecaller users to upgrade this app to the latest version as soon as possible."

If you have the Truecaller mobile app installed on your Android device, install the newest version from the Google Play Store.

In the meantime, those who have Truecaller installed on other mobile platforms should sit tight. The company is currently testing to see whether iOS users are also affected by the bug.


4 Comments on "Over 100 million Android phones put at risk by Truecaller flaw"

Mark Jacobs (Visitor), March 30, 2016 3:29 pm

Wow, there are 100 million idiots out there! ;-)

denis urbano (Visitor), March 30, 2016 6:08 pm

And some people still think that a person using an iPhone is crazy, fanatic and limited.

HMM (Visitor), April 7, 2016 2:46 pm

Well, in some way they are… still, I own both types of platforms; both have their pros and cons.
But at the end of the day it is the user that makes the difference: if you are installing apps like mad, have no anti-virus software on the phone, and/or have a rooted/jailbroken phone, it is you who is to blame.

Peter (Visitor), March 30, 2016 9:14 pm

We don't think, we are sure: Apple users only buy the device because of the name. iPhones are old-fashioned; the software and device are 2 years behind Android versions. It's not open and way too expensive for what you get. Security issues I never had for the last 6 years. Before, I used iPhones: waste of money.
