Android App Hole Reveals Data

Wednesday, April 6, 2016 @ 10:04 AM gHale


A remotely exploitable flaw in the Truecaller app exposes personal details of millions of users, researchers said.

Truecaller is a Web service that indexes phone numbers and then classifies them. Users who install Truecaller’s mobile apps can block incoming calls or SMS messages from phone numbers categorized as spam sources, said researchers at Cheetah Mobile Security Research Lab.


The service has apps for Android, iOS, Windows-based phones, Nokia Series 40 phones, Symbian devices, and BlackBerry.

When the user first installs the Android app, they are prompted to enter their phone number, email address, and various other personal details. This information is verified by phone call or SMS message, and when the user opens the app a second time, no login screen is ever shown again, the researchers said.

Security researchers discovered this is because Truecaller uses the device’s IMEI to authenticate users.

In proof-of-concept code, Cheetah Mobile researchers were able to retrieve other users' personal details from an IMEI code alone, simply by interacting with the app's servers.

The servers exposed data such as the user’s Truecaller account name, his gender, email address, profile image, home address, and whatever else was stored in his profile.

The IMEI code also allowed the researchers to modify account settings: they altered the user's personal app preferences, disabled the app's spam blocker, added other users to the block list, and deleted the user's block list.

Basic mobile infostealer malware can retrieve the IMEI code from infected devices and send it to a C&C server, so this flaw in the Truecaller Android app allows attackers to link phones and IMEI codes to real persons.

Attackers can also write scripts that query random IMEI codes to discover details about real persons and use them in spam and phishing campaigns.
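An added illustration, not code from the article or from Truecaller: a minimal Python model of the authentication design the article describes (the IMEI as the sole credential) beside a hardened variant that issues a random secret only after the phone-number verification step. The sample profile, the `ImeiAuthServer` and `TokenAuthServer` classes and the token scheme are constructed assumptions, not Truecaller's actual implementation or fix.

```python
import hashlib
import secrets

# Constructed sample data (not real Truecaller records): one registered profile,
# keyed by the phone's IMEI as the article says the app's servers did.
PROFILES = {"490154203237518": {"name": "A. Example", "spam_blocker": True}}


class ImeiAuthServer:
    """Models the flaw in the article: the IMEI itself is the credential, so
    anyone who knows or guesses an IMEI can read and change the profile."""

    def get_profile(self, imei):
        return PROFILES.get(imei)

    def set_spam_blocker(self, imei, enabled):
        profile = PROFILES.get(imei)
        if profile is None:
            return False
        profile["spam_blocker"] = enabled
        return True


class TokenAuthServer:
    """Hardened design (an assumption here, not Truecaller's actual fix): once
    the SMS or phone-call verification passes, the server issues a random secret
    and only that secret, never the IMEI, unlocks the profile. Only a hash of the
    secret is stored, so a leaked server database does not leak live credentials."""

    def __init__(self):
        self._sessions = {}  # sha256(token) -> imei

    def complete_verification(self, imei):
        # Called only after the out-of-band verification has succeeded.
        token = secrets.token_urlsafe(32)
        self._sessions[hashlib.sha256(token.encode()).hexdigest()] = imei
        return token

    def _resolve(self, token):
        return self._sessions.get(hashlib.sha256(token.encode()).hexdigest())

    def get_profile(self, token):
        imei = self._resolve(token)
        return PROFILES.get(imei) if imei else None

    def set_spam_blocker(self, token, enabled):
        imei = self._resolve(token)
        if imei is None:
            return False
        PROFILES[imei]["spam_blocker"] = enabled
        return True
```

Against the token-based server, knowing an IMEI (whether stolen by infostealer malware or guessed) returns nothing and changes nothing; only the secret handed out after verification does.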

Cheetah Mobile researchers contacted Truecaller, and the company updated its servers and Android app on March 22. Google Play Store statistics say the app is currently installed on over 100 million Android phones.

Cheetah Mobile said it is still in the process of testing the exploit against Truecaller's iOS version.

Truecaller also posted an alert updating users and recommending that they upgrade to the latest Android app version.