“Delete Truecaller.”

These two words threatened the very existence of Truecaller, after a user’s chance discovery went viral, last week. The app, which actively filters spam calls and messages for more than 100 million smartphone users in India—and tens of millions more worldwide—was found to enroll some users for UPI without their knowledge. UPI or Unified Payments Interface is India’s mobile-based instant payments system.

It began with a seemingly routine update. But after the rollout, a number of users noticed that Truecaller sent messages with garbled text from their phones to an unknown number.