Wednesday 30 March 2016

Exploitable Flaw In TrueCaller App Found By Security Researchers

Security researchers at Cheetah Mobile Security Research Lab have discovered an exploitable flaw in the Truecaller app that can expose the personal details of millions of users.

Truecaller is a web-based service that indexes phone numbers and shows their location and where they originated.

Users can also easily block incoming calls and SMS messages from phone numbers that are categorized as spam sources.

The service is available on several mobile operating systems: Windows-based phones, Android, iOS, Nokia Series 40 phones, Symbian devices and BlackBerry.

The service uses the device's IMEI as its only means of authentication. When a user installs the Android app, they enter their phone number, email address and other personal details needed for the authentication process.

The information the user provides is then verified by a phone call or an SMS message. When the user opens the app a second time, no login screen is shown again.

From this, the security researchers determined that Truecaller uses the device's IMEI to authenticate users.

Cheetah Mobile Security Research Lab shared a proof of concept with Softpedia, in which the researchers were able to retrieve the personal details of many other users based only on an IMEI code when interacting with the app's servers.

Attackers could gather a user's data based only on the IMEI code. The servers could expose personal data such as the user's Truecaller account name, gender, email address, profile image, home address and any other details stored in the user's profile.

The IMEI code also allowed the researchers to modify the settings of a user's account. They could change the user's app preferences, disable the app's spam blocker and add other users to that user's block list. Attackers could even delete the user's block list, causing the user many problems.
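The difference between treating the IMEI as the credential and treating it only as an account selector, as an added example that is not from the original article or from Truecaller. The class, its method names and the sample data are hypothetical, and the session-token design is an assumed mitigation, since the article does not describe how the fix works.

```python
import hashlib
import hmac
import secrets


class Backend:
    """Toy in-memory account service; all names and data are constructed."""

    def __init__(self):
        self.profiles = {}     # account_id -> profile dict
        self.by_imei = {}      # imei -> account_id
        self.token_hash = {}   # account_id -> sha256 hex of session token

    def register(self, imei, profile):
        """Run once, after the phone number was verified by SMS or call."""
        account_id = len(self.profiles) + 1
        self.profiles[account_id] = dict(profile)
        self.by_imei[imei] = account_id
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.token_hash[account_id] = hashlib.sha256(token.encode()).hexdigest()
        return token  # stored by the app; the server keeps only the hash

    def auth_imei_only(self, imei):
        """Weak pattern from the article: the identifier is the credential."""
        return self.by_imei.get(imei)

    def auth_with_token(self, imei, token):
        """Hardened: the IMEI selects the account, the token proves ownership.
        An unknown IMEI compares against "" and fails the constant-time check."""
        account_id = self.by_imei.get(imei)
        expected = self.token_hash.get(account_id, "")
        presented = hashlib.sha256(token.encode()).hexdigest()
        return account_id if hmac.compare_digest(expected, presented) else None

    def set_spam_blocker(self, account_id, enabled):
        """Settings change; callers must pass an authenticated account id."""
        if account_id is None:
            return False
        self.profiles[account_id]["spam_blocker"] = enabled
        return True


def demo():
    backend = Backend()
    imei = "000000000000000"  # constructed placeholder, not a real device
    token = backend.register(imei, {"name": "Alice", "spam_blocker": True})
    weak = backend.set_spam_blocker(backend.auth_imei_only(imei), False)  # IMEI alone
    strong = backend.set_spam_blocker(backend.auth_with_token(imei, "guess"), False)
    owner = backend.set_spam_blocker(backend.auth_with_token(imei, token), True)
    return weak, strong, owner
```

With the IMEI-only check the settings change succeeds for anyone who knows the identifier; with the token check only the device that completed verification can make it.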

Most mobile infostealer malware today can easily retrieve the IMEI code from an affected device and send that information to its C&C server.

This defect in the Truecaller Android app allows attackers to link a phone to the real person behind it with the help of the IMEI code.

Attackers could also write scripts that query random IMEI codes to find details about real people and use that information for spamming and phishing.

The researchers at Cheetah Mobile Security Research Lab informed Truecaller about the problem with its app.

Then, on March 22, the company updated its servers and also updated the Android app to protect users' information against this method.

According to Google Play Store statistics, the Android app is currently installed on at least 100 million Android phones.

According to the security researchers' report, this flaw only occurs on the Android platform. Enquiries with Cheetah Mobile Security Research Lab will continue; if the flaw affects the Truecaller app on any other platform, they should comment on this vulnerability.

In a blog post, the company, whose app helps users find information about the caller and block telemarketers, wrote, "We recently found an issue where some user defined information can be retrieved or changed without the original user's consent, if a third person knows the IMEI number of the original person's device."

Truecaller said that the issue has been fixed by a new update.