Android Truecaller exposes millions of users' data

Millions of devices hit

Truecaller has been around a while now, and unfortunately it is no stranger to being on the receiving end of the bad guys' attention.

This is largely due to its age, its user base of over 100 million, and its profile: at one point it even fell victim to the "Syrian Electronic Army".

Recently, Cheetah Mobile Security Research Lab discovered a remotely exploitable flaw in the system which allows attackers to steal their victims' sensitive information, as well as modify their application settings (for example, deleting a user's blacklist).

IMEI used as attack vector

It turns out Truecaller only uses the device's IMEI as a means to identify its users. Because the servers authenticate users this way, and the IMEI is not a secret, it is possible to spoof them into thinking they are processing a legitimate user's instructions.

The data exposed included the user's Truecaller account name, his gender, email address, profile image, home address, and whatever else was stored in his profile.

Additionally, the IMEI code also allowed the researchers to modify the user's account settings. They altered personal app preferences, disabled the app's spam blocker, added other users to the block list and deleted the user's block list.
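The design problem described above (a device identifier used as the only proof of identity) and the resulting ability to read a profile or clear a block list can be illustrated with a small simulated server. This is an added example, not Truecaller's code; the IMEI and profile values are constructed placeholders, and the hardened variant is an assumed fix (a per-device secret and an HMAC over each request), not the vendor's actual patch:

```python
import hmac
import hashlib
import secrets

# Constructed in-memory server state: profiles keyed by IMEI (placeholder values).
PROFILES = {
    "356938035643809": {"name": "Alice Example", "blocklist": ["+15550001111"]},
}

# Weak design: the IMEI alone identifies the caller. The server has no way to
# distinguish the real device from any party that knows (or guesses) the IMEI.
def weak_get_profile(imei):
    return PROFILES.get(imei)

def weak_clear_blocklist(imei):
    profile = PROFILES.get(imei)
    if profile is None:
        return False
    profile["blocklist"] = []
    return True

# Hardened design (assumed fix): each device receives a random secret at
# enrollment and must sign every request body with it. The IMEI is still a
# lookup key, but it is no longer a credential.
DEVICE_SECRETS = {}

def enroll(imei):
    """Issue a per-device secret; in practice this runs over a verified channel."""
    secret = secrets.token_bytes(32)
    DEVICE_SECRETS[imei] = secret
    return secret

def sign(secret, body):
    """HMAC-SHA256 tag over the request body, hex-encoded."""
    return hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()

def hardened_request(imei, body, tag):
    """Serve the request only if the tag verifies under the device's secret.

    A production version would also bind a nonce or timestamp into the body to
    stop replay of a captured valid request.
    """
    secret = DEVICE_SECRETS.get(imei)
    if secret is None:
        return None
    # Constant-time comparison avoids leaking the tag byte by byte.
    if not hmac.compare_digest(sign(secret, body), tag):
        return None
    if body == "clear_blocklist":
        PROFILES[imei]["blocklist"] = []
    return PROFILES.get(imei)
```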


The Cheetah Mobile Security Research Team notified Truecaller as soon as it discovered the vulnerability and offered all it could to help the developer fix the issue. The maker of Truecaller has now addressed the issue, released an update, and encourages all Android users to update to the current version as soon as possible.