Cheetah Mobile security labs note a new vulnerability in the popular phone call management application Truecaller impacting numerous Android devices

http://www.cmcm.com/blog/en/security/2016-03-28/974.html

This vulnerability, which has been fixed in the latest update to the Android app, could have allowed anyone to gain access to Truecaller users’ information and change their call-blocking settings. The millions of Android users who downloaded this app on their smartphones could be at risk.

The CM Security Research Lab recommends that Truecaller Android users update to the latest version on Google Play immediately. The researcher found that Truecaller uses a device’s IMEI as the sole identity label for its user, meaning that anyone who obtains the IMEI of a device can retrieve that Truecaller user’s personal information (including phone number, home address, e-mail address, gender, etc.) and tamper with app settings without the user’s consent, exposing them to malicious phishers.

By exploiting this flaw, attackers can:

1. Steal personal information such as account name, gender, e-mail address, profile picture, home address, etc.
2. Modify a user’s application settings:
   - Disable spam blockers
   - Add entries to a user’s blacklist
   - Delete a user’s blacklist
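The design flaw described above, as an added example that is not Truecaller's code or API: a profile store where the IMEI alone identifies the user, shown beside a hardened store that only honours a random, server-issued token created after out-of-band verification. All profile data, identifiers and method names here are constructed for illustration.

```python
import hashlib
import secrets
from copy import deepcopy

# Constructed sample data: a profile store keyed by device IMEI. Not Truecaller's
# real schema or API; it only models the design flaw discussed in the article.
SAMPLE_PROFILES = {
    "356938035643809": {"name": "Example User", "email": "user@example.com",
                        "blocked": ["+15550001111"]},
}

def weak_get_profile(store, imei):
    """Vulnerable design: the IMEI is the only identity label, so whoever learns a
    device's IMEI (which is not a secret) is treated as that device's owner."""
    return store.get(imei)

class TokenAuthStore:
    """Hardened design: identity is a random, server-issued bearer token created
    only after the phone number is verified out of band. The IMEI is kept as an
    inventory attribute, never accepted as a credential, and tokens are stored
    hashed so a database leak does not yield usable credentials."""

    def __init__(self, profiles):
        self._profiles = deepcopy(profiles)
        self._token_hash_to_imei = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_token(self, imei):
        """Called only after out-of-band verification (e.g. an SMS code) succeeds."""
        if imei not in self._profiles:
            raise KeyError("unknown device")
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        self._token_hash_to_imei[self._digest(token)] = imei
        return token

    def _resolve(self, credential):
        # A raw IMEI presented here hashes to nothing that was ever issued,
        # so it fails exactly like any other guess.
        return self._token_hash_to_imei.get(self._digest(credential))

    def get_profile(self, credential):
        imei = self._resolve(credential)
        return None if imei is None else self._profiles[imei]

    def clear_blocklist(self, credential):
        imei = self._resolve(credential)
        if imei is None:
            return False
        self._profiles[imei]["blocked"].clear()
        return True
```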