A popular caller ID Android application that blocks incoming spam callers has a privacy flaw that threatens to expose the personal information of over 100 million users.
The Truecaller Android application used only International Mobile Station Equipment Identity (IMEI) numbers to identify its users, according to a blog post by Cheetah Mobile, the research team that discovered the vulnerability. Remote attackers could exploit this flaw to gain access to a user's phone number, home address, and other personal information. Attackers could also remotely change a user's application settings, including disabling spam blockers or deleting a user's blacklist. The Truecaller app has Android and iOS versions, although only the Android app is affected.
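The weakness described above, sketched for a hypothetical service as an added example (not Truecaller's or Cheetah Mobile's code): a server that accepts a device identifier alone has no proof of who is asking, while the hardened path requires a random, server-issued token for every read and settings change. The account store, function names, the `phone_verified` flag and the placeholder IMEI are all assumptions made for illustration.

```python
import hmac
import secrets

# Constructed sample data: placeholder IMEI and a fictional account record.
IMEI = "000000000000000"
ACCOUNTS = {IMEI: {"phone": "+1-555-0100", "spam_blocking": True}}
TOKENS = {}  # imei -> secret token, minted only after verified enrollment


def read_profile_weak(imei):
    """Weak pattern: the identifier alone selects AND authorizes the account."""
    return ACCOUNTS.get(imei)


def enroll(imei, phone_verified):
    """Mint a random secret once the user has been verified out of band.

    phone_verified stands in for a real check (assumed here, e.g. a
    one-time code confirmed by the user); it is not derived from the IMEI.
    """
    if not phone_verified or imei not in ACCOUNTS:
        return None
    TOKENS[imei] = secrets.token_urlsafe(32)
    return TOKENS[imei]


def authorized(imei, token):
    """The IMEI only names the account; the token proves the right to use it."""
    expected = TOKENS.get(imei)
    if expected is None or not token:
        return False
    # Constant-time comparison avoids leaking how much of the token matched.
    return hmac.compare_digest(expected.encode(), token.encode())


def read_profile(imei, token):
    """Hardened read: returns nothing unless the caller holds the token."""
    return ACCOUNTS[imei] if authorized(imei, token) else None


def set_spam_blocking(imei, enabled, token):
    """Hardened settings change: rejected without a valid token."""
    if not authorized(imei, token):
        return False
    ACCOUNTS[imei]["spam_blocking"] = enabled
    return True
```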
Truecaller stated in a security update posted Monday that no user information was compromised.
In July 2013, the Syrian Electronic Army said it compromised more than 1 million Truecaller accounts by gaining access to seven company databases. The pro-Assad hacking collective is allegedly linked to the three individuals indicted by the Justice Department last week.