Truecaller users should update to the latest version oft he app right away to avoid having their data exposed

Mar 28, 2016 13:00 GMT  ·  By

A remotely exploitable flaw in the Truecaller app exposes the personal details of millions of users, security researchers from Cheetah Mobile Security Research Lab have discovered.

Truecaller is a Web service that indexes phone numbers and then classifies them. Users who install Truecaller's mobile apps can block incoming calls or SMS messages from phone numbers categorized as spam sources.

The service has apps for Android, iOS, Windows-based phones, Nokia Series 40 phones, Symbian devices, and BlackBerry.

Truecaller used an IMEI-only user authentication procedure

When the user first installs the Android app, they are prompted to enter their phone number, email address, and various other personal details. This information is verified by phone call or SMS message, and when the user opens the app for the second time, no other login screens are ever shown again.

Security researchers discovered that this is because the Truecaller uses the device's IMEI to authenticate users.

In proof-of-concept code shared with Softpedia, Cheetah Mobile researchers were able to retrieve personal details for other users based on an IMEI code just by interacting with the app's servers.

Attackers could harvest data on real users based on IMEI codes

The servers exposed data such as the user's Truecaller account name, his gender, email address, profile image, home address, and whatever else was stored in his profile.

Additionally, the IMEI code also allowed the researchers to modify account settings. They altered the user's personal app preferences, they disabled the app's spam blocker, they added other users to the block list, and they deleted the user's block list.

Taking into account that any basic mobile infostealer malware these days can retrieve the IMEI code from infected devices and send it to a C&C server, this flaw in the Truecaller Android app allows attackers to tie phones and IMEI codes to real persons.

Attackers can also write scripts that query random IMEI codes to discover details about real persons and use them in spam and phishing campaigns.

Cheetah Mobile researchers informed Truecaller of their problem, and the company updated their servers and Android app on March 22 to prevent abuse via this method. Google Play store statistics say the app is currently installed on over 100 million Android phones.

From the security firm's report, this seemed to be an issue exploitable via the Android app. We made inquiries with Cheetah Mobile to see if the flaw also affected Truecaller's apps for other platforms. We've also contacted Truecaller for comments on this vulnerability, but since it's the Easter holiday, it may take a while to hear back.

UPDATE: We've heard back from Cheetah Mobile and they said they're still in the process of testing the exploit on Truecaller's iOS version.

UPDATE 2: Truecaller also posted a blog post alerting users and recommending an immediate update to the latest Android app version.