Truecaller Fixes Data Leaking Hole in Android App

Truecaller

Truecaller, an app that specializes in phone call management, has patched a hole that inadvertently leaked user information.

Researchers are encouraging Android users who may have downloaded a popular caller identification application to update, as a previous version of the app inadvertently leaked user information.

The app, Truecaller, specializes in phone call management and has been installed at least 100,000,000 times, according to its listing on Google’s Play marketplace. While the app is also available for iPhone, Windows, and Blackberry devices, this particular issue only exists in the app’s Android build.

The main issue with the app, researchers at China-based Cheetah Mobile Security claim, is that it uses device’s IMEI, or International Mobile Station Equipment Identity number, to identify users. If an attacker was able to get ahold of another users’ number, they could in turn, get access to other, potentially sensitive information.

Researchers claim attackers could use the 15-digit number to steal information like users’ names, genders, email addresses, profile pictures, and home addresses.

Attackers could be a bit of a nuisance and apparently modify Truecaller application-specific settings with the number, as well. Like a lot of caller ID and call management apps, Truecaller gives users the ability to block, or filter unwanted calls or hidden numbers with blacklists. With the IMEI number an attacker could add to a blacklist, delete a blacklist, or disable user’s spam blocker.

Developers with the app pushed a new, patched version on March 22 after being notified of the issue by researchers. For what it’s worth, the company, who disclosed the issue yesterday along with Cheetah, claim they haven’t encountered any suspicious activity around the bug but are still urging users to update if they haven’t already been prompted by their devices.

It’s likely an attacker would have a more difficult time actually collecting a user’s IMEI number than carrying out an attack through the loophole Truecaller fixed. IMEI numbers, which are used by GSM networks to identify valid devices, are bound to devices, so in most situations an attacker would have to have physical access to a victim’s phone to get ahold of it.

That said, Android malware has been keen on mining sensitive information like a users’ IMEI and SIM card numbers as of late. Last year, researchers with Zscaler noticed an .APK disguised as a Word document making the rounds. If a user elected to install it, the malware would send those numbers, along with SMS messages and other contact information to hackers.

Other types of malware, including one which mimicked a battery app, and one that masqueraded as a security app, have also been spotted sending along information about infected phones – including IMEI numbers – to attackers, over the years.

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.