Leak in Truecaller app gave access to data of millions of Android users


The Android version of the popular app Truecaller gave access to its users’ data. The app, which makes it possible to identify incoming calls, among other things, has been downloaded more than a hundred million times for that platform. A patch has since been released.

According to security researchers at Cheetah Mobile, the vulnerability allows an attacker to access information such as name, gender, email address and home address via the user’s IMEI number. An attacker can also change settings, such as disabling spam blocks and modifying the block list. Truecaller reports that malicious parties have not exploited the vulnerability.

The vulnerability stems from the fact that Truecaller uses the IMEI number of a mobile phone to identify users. This would allow any attacker in possession of that number to request the data. It is not described which technique could be used for this. Retrieving an IMEI number is possible, for example, through the use of other malware. The Truecaller leak can thus establish a connection between that number and a user.
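The design flaw described above, sketched as an added example (not Truecaller's code, whose server API the article does not describe): a lookup that trusts the IMEI alone, next to one that also requires a server-issued secret token. All function names, the in-memory stores and the sample IMEI and profile are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the IMEI and the profile are made up.
PROFILES = {"350000000000001": {"name": "Alice Example",
                                "email": "alice@example.com",
                                "spam_block": True}}
TOKEN_HASHES = {}  # imei -> SHA-256 hex digest of the server-issued token


def get_profile_weak(imei):
    """Weak pattern: the device identifier both names and authorizes the account."""
    return PROFILES.get(imei)


def register_device(imei):
    """Issue a random 256-bit token once at registration; keep only its hash."""
    token = secrets.token_urlsafe(32)
    TOKEN_HASHES[imei] = hashlib.sha256(token.encode()).hexdigest()
    return token


def _authorized(imei, token):
    expected = TOKEN_HASHES.get(imei)
    if expected is None or not token:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    return hmac.compare_digest(presented, expected)  # constant-time comparison


def get_profile(imei, token):
    """Hardened read: the IMEI only names the account, the token proves ownership."""
    return PROFILES.get(imei) if _authorized(imei, token) else None


def set_spam_block(imei, token, enabled):
    """Hardened write: changing settings needs the same proof as reading data."""
    if imei not in PROFILES or not _authorized(imei, token):
        return False
    PROFILES[imei]["spam_block"] = enabled
    return True
```

An IMEI is readable by other software on the device and never changes, so it works as an account name but not as a credential; the token is random, known only to the registered client, and can be revoked.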

The developers of the app released a patch on March 22; the new version is available through the Play Store. It is therefore recommended that users perform an update. The researchers have informed Softpedia that they are still investigating whether there is also a vulnerability in the iOS version of the app.
