More than 100 million Android devices are vulnerable to identity theft and phishing attacks as a result of a recently discovered flaw in a phone call management app called Truecaller.
On Monday, security researchers at Cheetah Mobile published a blog post in which they discuss how the bug allows bad actors to steal users’ personal information, which could open the door to subsequent attacks against the platform’s users.
Truecaller is a service available for Android, iOS, and Symbian devices as well as Blackberry phones. It enables users to search for phone numbers, block incoming calls/text messages from spammers and telemarketers, as well as connect with friends.
This recently discovered security issue ultimately rests with how Truecaller authenticates its users, as Cheetah Mobile explains:
“The researcher found that Truecaller uses devices’ IMEI as the only identity label of its users, meaning that anyone gaining the IMEI of a device will be able to get Truecaller users’ personal information (including phone number, home address, mailbox, gender, etc.) and tamper with app settings without users’ consent, exposing them to malicious phishers.”
IMEI is an abbreviation for International Mobile Station Equipment Identity. It is a number that is used to identify every 3GPP and iDEN mobile phone, GSM modem, or device with a built-in phone/modem. This 15-digit number is commonly printed on the inside of a phone’s battery compartment. However, a user can usually find out their phone’s IMEI by entering *#06# on the dialpad.
Cheetah Mobile notes that by obtaining a Truecaller user’s IMEI, an attacker could steal their personal information, modify their settings, disable spam blocking, and add or delete block-lists.
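To make the design flaw concrete, here is an added illustration (it is not Truecaller’s code, nor anything published by Cheetah Mobile): a mock account directory that, like the flawed design, treats the IMEI as the only identity label, beside one that accepts only a server-issued random token bound to the account after the user has proven control of the phone number out of band. The class and function names, the out-of-band verification step, and the sample records and IMEIs are all constructed assumptions.

```python
import copy
import hashlib
import secrets

# Constructed sample records (not real users, not real IMEIs). The IMEI is a
# device identifier that is printed on the phone and shown by *#06#, so a
# server must treat it as public metadata, never as a secret.
USERS = {
    "user-1": {"phone": "+10000000001", "address": "1 Example St", "imei": "490154203237518"},
    "user-2": {"phone": "+10000000002", "address": "2 Example St", "imei": "490154203237526"},
}


class ImeiOnlyDirectory:
    """The flawed pattern described in the article (hypothetical mock, not
    Truecaller's code): the IMEI is the only identity label, so any caller
    who presents a user's IMEI is treated as that user."""

    def __init__(self, users):
        self._users = users
        self._by_imei = {rec["imei"]: uid for uid, rec in users.items()}

    def profile(self, imei):
        uid = self._by_imei.get(imei)
        return None if uid is None else self._users[uid]

    def set_spam_blocking(self, imei, enabled):
        uid = self._by_imei.get(imei)
        if uid is None:
            return False
        self._users[uid]["spam_blocking"] = enabled
        return True


class TokenDirectory:
    """Hardened pattern (an assumed, common design): the server binds a
    high-entropy bearer token to the account only after the user has proven
    control of the phone number out of band (for example an SMS code, which
    is outside this example). The IMEI may still be stored as device
    metadata, but it is never accepted as a credential."""

    def __init__(self, users):
        self._users = users
        self._token_hashes = {}  # sha256(token) -> uid; store hashes, not raw tokens

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_token(self, uid):
        # Assumed to be called only after out-of-band verification succeeded.
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._token_hashes[self._h(token)] = uid
        return token

    def revoke(self, token):
        self._token_hashes.pop(self._h(token), None)

    def _resolve(self, token):
        # Lookup is by hash of a random token; an IMEI or any other guess
        # hashes to an unknown key, so nothing is returned.
        return self._token_hashes.get(self._h(token))

    def profile(self, token):
        uid = self._resolve(token)
        return None if uid is None else self._users[uid]

    def set_spam_blocking(self, token, enabled):
        uid = self._resolve(token)
        if uid is None:
            return False
        self._users[uid]["spam_blocking"] = enabled
        return True


def compare_designs():
    """Returns (weak_design_leaks, hardened_rejects_imei, hardened_token_works)."""
    weak = ImeiOnlyDirectory(copy.deepcopy(USERS))
    hard = TokenDirectory(copy.deepcopy(USERS))
    imei = USERS["user-1"]["imei"]
    # Knowing only the public IMEI reads the profile and changes settings.
    weak_leaks = weak.profile(imei) is not None and weak.set_spam_blocking(imei, False)
    # The same IMEI is useless against the token-based directory.
    hardened_rejects = hard.profile(imei) is None and not hard.set_spam_blocking(imei, False)
    token = hard.issue_token("user-1")
    hardened_accepts = hard.profile(token)["phone"] == "+10000000001"
    hard.revoke(token)
    revoked = hard.profile(token) is None
    return weak_leaks, hardened_rejects, hardened_accepts and revoked


if __name__ == "__main__":
    print(compare_designs())
```

The point of the comparison is that an identifier which is printed on the hardware and dialable from the keypad has no secrecy to lose, so it cannot stand in for a credential; a token that the server generates, stores only in hashed form, and can revoke gives the account a secret that a phishing victim or a data leak elsewhere cannot supply.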
At this time, no user information is believed to have been compromised as a result of this flaw. Even better, Truecaller has already released an update fixing the bug.
But there’s a catch, according to Cheetah Mobile:
“Although the flaw has been fixed in the latest version, the majority of the users are still in danger as they have not got access to the new release yet. The CM Security Research Lab advises Truecaller users to upgrade this app to the latest version as soon as possible.”
If you have the Truecaller mobile app installed on your Android device, please install the newest version from the Google Play Store.
In the meantime, those who have Truecaller installed on other mobile platforms should sit tight. The company is currently testing to see whether iOS users are also affected by the bug.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.