Truecaller App Fixed Critical Flaw Affecting Both Android and iOS

Last updated September 23, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist
Source: truecaller.com

Truecaller, a spam-call blocking app that is used by approximately 250 million people on both the Android and iOS platforms has rushed to fix a critical security flaw over the weekend. The vulnerability was discovered by Indian security researcher Ehraz Ahmed, who probably thought it would be a good idea to look into the app since it’s so popular in India. The flaw allows an attacker to inject their malicious link as a profile URL, exploiting a victim who could be viewing the malicious profile, or even served with a pop up of it.

The researcher hasn’t published the details of the vulnerability yet, as the company is still pushing fixes to the users and not all of them have updated to the latest available version. However, he did upload a video demonstrating the proof of concept that he developed on YouTube. Ahmed points out that the particular PoC is relatively benign, and that attackers could mount serious attacks to their targets. As the flaw impacts Truecaller’s API, it affects all application versions and platforms. It is worth to mention that the company behind the app tried to play down the severity of the bug, taking advantage of the fact that Ahmed didn’t opt to showcase the worst-case scenarios of the flaw.

Instead, the researcher simply demonstrated his capacity to fetch the user’s IP address, user-agent, and time. For the victim, this activity isn’t apparent, so they could be exploited without any indication whatsoever. If you have updated to the latest Truecaller app version, you should be safe since August, as the software developer has responded very quickly following the report. They are now partnering with the security researching community, and they also plan to announce a bounty program shortly so as to find and fix flaws like the above before a malicious actor does.

Truecaller and apps like that are meant to help people identify callers and SMS senders, essentially helping in the blocking of spam calls and telemarketers. However, this is not the only means through which you can enjoy peace of mind on your smartphone. If you’re in India for example, sending “START 0” to 1909 will activate your telecom provider’s “do not disturb” (DND) services. In other countries, you can figure out what the promotional database registry is and have your number removed from it. Usually, it’s as simple as sending an SMS message and waiting for a couple of days for the change to take effect.

Are you one of Truecaller’s 250 million users? Share your thoughts with us in the comments down below, or join the discussion on our socials, on Facebook and Twitter.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: