TrueCaller: Be Careful Who You are Calling

Smart phones are omnipresent. People are walking with them for recreation, using them on the way to work and often during work while looking at the small monitor into our lives. On the weekends people of all ages are shopping at the mall, checking email and looking up prices of goods from competitors and using social media. This is not limited by location or age, with tweens and elders, and everyone in between using smart phones to stay connected across the country.
Not all smart phones are made alike. The smart phones they are using are divided into two primary camps-the Android and iPhone. There are other platforms, however they generally are not significant players. Smart phones, much like computers provide yet another opportunity for hackers to attack and to leverage information this into cash flow for those with malicious intent.
The Apple platform has historically not been a hotbed of vulnerabilities. Over the last few years there have only been a handful of malware examples related to Apple that have been noted. This is not significant when compared to the Android phones. The Android smart phones have over time been a primary target of attack. One of these recently has been TrueCaller.
Description
TrueCaller is a service which allows people to search for phone numbers, block incoming calls, and text messages from selected numbers. This is also used for spammers, telemarketers and to connect with friends. When first encountered, this vulnerability was labeled with a medium severity, but was upgraded to critical when a zero day was discovered.
Attack
The attack itself exploits the TrueCaller process. TrueCaller uses the IMEI (International Mobile Station Equipment Identity) for the specific phone. This is comparable to our social security number. Each IMEI is unique. If the attacker happens to know the IMEI of the target phone, the attacker could secure a host of information about the other party’s phone number, home address, mail box, gender, etc. The vulnerability also allows the attacker to modify the settings, disable spam settings, and add/delete blacklists. This can be quite disastrous for the user if exploited.
Mitigations
Although this can make the user’s life quite interesting, there are a few steps the user can take in order to decrease the potential for this to affect the user. A patch was released on March 16, 2016. The user still should install the updated version of the app. The updated app would also have the code to fix the issue.

 

The Android, unlike the Apple platform is an ongoing target for hackers to manipulate. The patch for TrueCaller may alleviate that particular vulnerability, but users of the platform should be aware that every time they seek to download an app they run the risk of obtaining a piece of malicious coding that can be very troubling.

 

To learn more about how to protect yourself and your business visit the National Cybersecurity Institute and learn about our training programs, certification preparation, and many free resources.

 

Charles Parker, II, has been coding since the mid-1980’s, and has been working in the finance, auto manufacturer, and health industries seeking secure solutions for issues for over 17 years. Charles has an MBA, MSA, JD, LLM, and is a doctoral candidate for a PhD in Information Assurance and Security.