These two words threatened the very existence of Truecaller, after a user’s chance discovery went viral, last week. The app, which actively filters spam calls and messages for more than 100 million smartphone users in India—and tens of millions more worldwide—was found to enroll some users for UPI without their knowledge. UPI or Unified Payments Interface is India’s mobile-based instant payments system.
It began with a seemingly routine update. But after the rollout, a number of users noticed that Truecaller sent messages with garbled text from their phones to an unknown number. Following this, ICICI Bank—Truecaller’s partner bank—sent messages notifying users saying that their registration for UPI had begun.
Truecaller blamed the incident on a bug. A spokesperson told The Ken only its Android users were affected. The spokesperson declined to disclose how many. The company also assured that the bug only enrolled users—no transactions had been made. Nonetheless, it’s worrying just how easily it could have led to a transaction.
Following the text from ICICI, the Truecaller app also correctly identified users’ bank accounts. It could do this simply by using the access to messages it already has to find which accounts were linked to the number, said Ramanathan RV, founder and CTO of Juspay, the company that made the BHIM app. In one case, Dheeraj Kumar—one of the users affected—was nudged by Truecaller to link his HDFC Bank account to the company’s app. Kumar uses HDFC Bank for making payments through BHIM, the government-backed mobile payments app.
How do you explain the SMS? There is no other app in that list that has permissions to send an SMS. And it's with an institution you've partnered with! Also, I can't deregister, because according to your own app, I'm not registered! pic.twitter.com/PzuyN8VxHs
— Dheeraj Kumar (@codepodu) July 30, 2019
Aashish Bansal, another user, was prompted to link his Indian Overseas Bank account to the app. While neither Kumar nor Bansal suffered financial loss, the issue highlights the gaps in India’s regulatory framework, where companies operate in the absence of a data protection law, with users often becoming collateral damage.
There aren't any third party apps on this phone except for Truecaller. I log on to Truecaller and I find that a UPI ID "with the bank's details" had been created for my account mapped to this phone number. I quickly reset Truecaller to unlink the UPI from this app. pic.twitter.com/n5G4WR28jX
— Aashish Bansal (@Unbelted) July 30, 2019
Truecaller seemingly has everything going for it in India: 100 million daily active users, and it is the fourth most downloaded app, according to the Mary Meeker Internet Trends Report 2018. It is an app that has been granted near-limitless permissions to user data through Google’s Play Store.