A Saudi caller ID app named “Dalil” that has been downloaded by over 5 million people has been leaking its users’ data for over a week now, and the unprotected MongoDB database is still online and wide open for anyone to access. The database was discovered by researchers Noam Rotem and Ran Locar, who have tried to reach the app developers but have not received a response. The accessible data is highly sensitive: it includes the personal details and the activity logs of all users, such as full name, email, Viber account, device IMEI, SIM number, MAC address, GPS coordinates, and more.
"Dalil App" with over 5,000,000 installs leaks over 585,7GB of users data through not secured MongoDB.
Leaks:
phone numbers
user names
emails
IP
GPS location
call logs
...
Developer didn't fix the issue, maybe it's time to start using different app. https://t.co/IQF4bySIRf pic.twitter.com/SKH6LJVjCF
— Lukas Stefanko (@LukasStefanko) March 6, 2019
As the app is mainly targeted at Saudis, the majority of the affected users are from Saudi Arabia, but a few Israeli, Egyptian, Emirati, and Palestinian numbers can also be found in the unprotected database. The information that is currently available to anyone allows for the seamless tracking of the compromised accounts, as the GPS coordinates expose the position of the owners in real time. This means that it is imperative for all existing users to stop using Dalil and uninstall it from their devices. As seen in the accessible database, former users are wiped out, and only active user accounts are still logged. This shows that the open database is connected to the “main operation” server, getting daily updates and currently counting over 585 GB of data.
As Ran Locar told ZDNet, in the last month alone, Dalil had 208,000 new user registrations, so everything is operating as if nothing were wrong. In fact, the researcher has discovered that at some point, a threat actor accessed the database and proceeded to encrypt some of the data. The developers of Dalil noticed neither the breach nor the ransom note that the actor left behind. Characteristically, they continued using the same database to store new user data and activity logs, allowing for a similar attack to take place in the future. Whether the Dalil app developers are irresponsible, incompetent, or have simply left their project on autopilot doesn’t really matter. The main point is for Dalil users to be informed that their location data, as well as other highly sensitive information, is openly available to anyone in real time, and that they need to stop using the app immediately.