Over 100 million Android phones put at risk by Truecaller flaw

Vulnerability could have resulted in identity theft and phishing.

David Bisson


More than 100 million Android devices are vulnerable to identity theft and phishing attacks as a result of a recently discovered flaw in a phone call management app called Truecaller.

On Monday, security researchers at Cheetah Mobile published a blog post in which they discuss how the bug allows bad actors to steal users’ personal information, which could open the door to subsequent attacks against the platform’s users.

Truecaller is a service available for Android, iOS, and Symbian devices as well as Blackberry phones. It enables users to search for phone numbers, block incoming calls/text messages from spammers and telemarketers, as well as connect with friends.


This recently discovered security issue ultimately rests with how Truecaller authenticates its users, as Cheetah Mobile explains:

“The researcher found that Truecaller uses devices’ IMEI as the only identity label of its users. Meaning that anyone gaining the IMEI of a device will be able to get Truecaller users’ personal information (including phone number, home address, mail box, gender, etc.) and tamper app settings without users’ consent, exposing them to malicious phishers.”


IMEI is an abbreviation for International Mobile Station Equipment Identity. It is a number that is used to identify every 3GPP and iDEN mobile phone, GSM modem, or device with a built-in phone/modem. This 15-digit number is commonly printed on the inside of a phone’s battery compartment. A user can also usually find out their phone’s IMEI by entering *#06# on the dialpad.

Cheetah Mobile notes that by obtaining a Truecaller user’s IMEI, an attacker could steal their personal information, modify their settings, disable spam blocking, and add or delete block-lists.
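The authentication weakness described above, as an added example that is not Truecaller's or Cheetah Mobile's code: a Python sketch contrasting a lookup keyed only on the IMEI with one that also requires a server-issued secret. The account store, function names, enrollment step and IMEI value are assumptions constructed for illustration; the article does not say how Truecaller's fix works.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the IMEI and profile are made-up values.
ACCOUNTS = {"123456789012345": {"phone": "+15550100", "spam_blocking": True}}
TOKEN_HASHES = {}  # IMEI -> SHA-256 hex digest of the server-issued token


def get_profile_weak(imei):
    """Pattern described in the article: the device identifier is the only
    thing checked, so whoever knows the IMEI is treated as the account owner."""
    return ACCOUNTS.get(imei)


def enroll(imei):
    """Hypothetical enrollment: once the user has proved ownership out of band
    (for example with a one-time code), issue a random secret and keep only
    its hash on the server."""
    if imei not in ACCOUNTS:
        raise KeyError("unknown device")
    token = secrets.token_urlsafe(32)
    TOKEN_HASHES[imei] = hashlib.sha256(token.encode()).hexdigest()
    return token


def get_profile_hardened(imei, token):
    """The IMEI only selects the account; access requires the secret token."""
    expected = TOKEN_HASHES.get(imei)
    if expected is None or not token:
        return None
    presented = hashlib.sha256(token.encode()).hexdigest()
    # Constant-time comparison avoids leaking how much of the digest matched.
    if not hmac.compare_digest(presented, expected):
        return None
    return ACCOUNTS[imei]


def update_setting_hardened(imei, token, key, value):
    """Settings changes pass through the same check as reads."""
    profile = get_profile_hardened(imei, token)
    if profile is None or key not in profile:
        return False
    profile[key] = value
    return True
```

The point of the contrast is that an identifier printed on the device and readable from the dialpad can name an account but cannot prove ownership of it.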


At this time, no user information is believed to have been compromised as a result of this flaw. Even better, Truecaller has already released an update fixing the bug.

But there’s a catch, according to Cheetah Mobile:

“Although the flaw has been fixed in the latest version, the majority of the users are still in danger as they have not got access to the new release yet. The CM Security Research Lab advises Truecaller users to upgrade this app to the latest version as soon as possible.”

If you have the Truecaller mobile app installed on your Android device, please install the newest version from the Google Play Store.

In the meantime, those who have Truecaller installed on other mobile platforms should sit tight. The company is currently testing to see whether iOS users are also affected by the bug.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

4 comments on “Over 100 million Android phones put at risk by Truecaller flaw”

  1. Mark Jacobs

    Wow, there are 100 million idiots out there! ;-)

  2. denis urbano

    And some people still think that a person using an iPhone is crazy, fanatic and limited.

    1. HMM · in reply to denis urbano

      Well, in some way they are… still, I own both types of platforms; both have their pros and cons.
      But at the end of the day it is the user that makes the difference: if you are installing apps like mad, have no antivirus software on your phone and/or a rooted/jailbroken phone, it is you who is to blame.

  3. Peter

    We don't think, we are sure Apple users only buy the device because of the name. iPhones are old-fashioned; the software and device are 2 years behind Android versions. It's not open and way too expensive for what you get. Security issues I never had for the last 6 years. Before, I used iPhones, waste of money.
