A new security flaw has been detected for the popular caller ID app Truecaller leaving over 100 Million Android devices vulnerable. The privacy bug was discovered by security researchers from the Cheetah Mobile Security Research Lab.
This vulnerability allows anyone to steal Truecaller users’ sensitive information. As per the Cheetah Mobile report, when the user first installs the Android app, they are prompted to enter their phone number, email address, and various other personal details.
This information is verified by phone call or SMS message, and when the user opens the app for the second time, no other login screens are ever shown again. According to security researchers, this is because the Truecaller uses the device’s IMEI to authenticate users.
This essentially means that anyone gaining the IMEI of a device will be able to get Truecaller users’ personal information (including phone number, home address, mail box, gender, etc.) and tamper app settings without users’ consent, exposing them to malicious phishers. As per the report, due to the flaw the attackers can modify a user’s application settings, disable spam blockers, add to a black list for users and delete a user’s blacklist.
Truecaller has provided details about the security update for the app saying that no user data has been compromised and it has taken steps to fix this issue and has released an update. The service is urging users to upgrade the app. Truecaller’s Android app was upgraded on March 22, according to Google Play Store listing.
Play Link – Truecaller