Security Flaw in Truecaller Exposes Millions of Android Users

Popular phone call management application Truecaller was discovered to pack a remotely exploitable security flaw that potentially impacts 100 million Android users, researchers at Cheetah Mobile Security Research Lab warn.

The vulnerability provides attackers with the possibility to steal sensitive information pertaining to Truecaller users, which could open the door to further attacks, the researchers explain. With over 100 million installs to date, the application potentially puts a large number of Android smartphones and users at risk.

According to Cheetah Mobile researchers, Truecaller uses a device’s IMEI to identify users, which means that an attacker able to obtain the IMEI would be able to retrieve the personal information of that Truecaller user, including phone number, home address, email address, gender, and more.

Users are required to provide all this information when first installing Truecaller for Android, and the application verifies accounts via a phone call or SMS message. After this initial setup, users are not required to provide login information when opening the application, because the software uses the device IMEI to authenticate them.
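The two designs described above, as an added illustration that is not code from Truecaller or from the Cheetah Mobile researchers: a server-side lookup that treats a device identifier as the credential, beside a hardened flow in which the SMS or call verification issues a random opaque session token whose hash is all the server stores. The user directory, the IMEI-like value and the phone numbers are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample user directory keyed by a device identifier (a fake, IMEI-like
# string). This is a hypothetical simplification of the weak design the article
# describes: the identifier alone selects and unlocks the account.
USERS = {
    "000000000000001": {"phone": "+10000000001", "address": "constructed address"},
}


def lookup_by_device_id(imei):
    """Weak design: the device identifier is both the account key and the credential.
    It is not a secret (it is visible to other apps and to anyone who can read the
    device), so learning it is enough to read the profile."""
    return USERS.get(imei)


class SessionStore:
    """Hardened design: identity is established once by a one-time code delivered
    out of band, after which the server hands out a random token it cannot be
    derived from any public identifier. Only token hashes are stored server-side."""

    def __init__(self):
        self._pending = {}   # phone -> sha256(one-time code)
        self._sessions = {}  # sha256(session token) -> phone

    @staticmethod
    def _digest(value):
        return hashlib.sha256(value.encode()).hexdigest()

    def start_verification(self, phone):
        # Six-digit code; in a real deployment this is sent by SMS or read out by a
        # phone call, never returned to the API caller.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = self._digest(code)
        return code

    def finish_verification(self, phone, code):
        expected = self._pending.pop(phone, None)  # single use, consumed on any attempt
        if expected is None or not hmac.compare_digest(expected, self._digest(code)):
            return None
        token = secrets.token_urlsafe(32)           # 256 bits of randomness, opaque
        self._sessions[self._digest(token)] = phone
        return token

    def profile_for_token(self, token):
        phone = self._sessions.get(self._digest(token))
        if phone is None:
            return None
        return next((u for u in USERS.values() if u["phone"] == phone), None)

    def revoke(self, token):
        """Server-side logout: a leaked token stops working once revoked."""
        return self._sessions.pop(self._digest(token), None) is not None


if __name__ == "__main__":
    store = SessionStore()
    code = store.start_verification("+10000000001")
    token = store.finish_verification("+10000000001", code)
    print("profile via session token:", store.profile_for_token(token))
    print("profile via bare identifier:", store.profile_for_token("000000000000001"))
```

The point of the hardened variant is that the value presented on later launches is unguessable, revocable and never stored in the clear, so neither a leaked database nor knowledge of the device identifier lets someone read or change another user's settings.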

In addition to stealing information, attackers would also be able to modify app settings without user consent, exposing users to phishing, the researchers say. They further suggest that attackers leveraging this vulnerability could disable spam blockers on affected devices and tamper with a user’s blacklist.

Cheetah Mobile researchers said that Truecaller was informed of the vulnerability as soon as it was discovered, and that the developer addressed the issue in an updated version of the application released on March 22. However, since the majority of users still don’t have access to the update, they remain exposed.

By leveraging the vulnerability, attackers capable of having device IMEIs sent to their servers would also be able to associate these numbers with real users, thus being able to conduct more targeted attacks. To stay protected, users should update the software to the latest version as soon as possible.


Android has become the target of choice for many cybercriminals due to its high market share in the mobile segment, which allows attackers to reach millions of users at the same time. Vulnerable applications, security flaws in Android itself, malware developers’ ability to circumvent security checks, and the large number of Android malware families together provide a large attack surface for opportunists.
