Popular phone call management application Truecaller was discovered to pack a remotely exploitable security flaw that potentially impacts 100 million Android users, researchers at Cheetah Mobile Security Research Lab warn.
The vulnerability provides attackers with the possibility to steal sensitive information pertaining to Truecaller users, which could open the door to further attacks, the researchers explain. With over 100 million installs to date, the application potentially puts a large number of Android smartphones and users at risk.
According to Cheetah Mobile researchers, Truecaller uses a device's IMEI to identify users, which means that an attacker able obtain the IMEI would be able to grab the personal information of that Truecaller user. This would include phone number, home address, mail box, gender, and more.
Users are required to provide all this information when first installing Truecaller for Android, and the application verifies accounts via a phone call or SMS message. After this initial setup, users are not required to provide login information when opening the application, because the software uses the device IMEI to authenticate them.
In addition to stealing information, attackers would also be able to modify app settings without user consent, exposing them to malicious phishers, researcher say. Furthermore, they suggest that attackers leveraging this vulnerability could also disable spam blockers on the affected devices and tamper with a user’s blacklist.
Cheetah Mobile researchers said that Truecaller was informed on the vulnerability as soon as it was discovered, and that the developer addressed the issue in an update version of the application released on March 22. However, since the majority of users still don’t have access to the update, they are still exposed.
By leveraging the vulnerability, attackers capable of having device IMEIs sent to their servers would also be able to associate these numbers with real users, thus being able to conduct more targeted attacks. To stay protected, users should update the software to the latest version as soon as possible.
Android has become the target of choice for many cybercriminals due to its high market share in the mobile segment, which allows attackers to target millions of users at the same time. Vulnerable applications, security flaws in Android itself, and malware developer’s ability to circumvent security checks, and the large number of Android malware families provide a large attack surface for opportunists.