TrueCaller Bug – Automatically Creating UPI Accounts Without Users' Consent


In a nightmare for thousands of TrueCaller users in India, a so-called bug automatically created Unified Payments Interface (UPI) accounts with ICICI Bank on their behalf, without their consent, triggering panic and fears of hacking. The affected users received an SMS from ICICI Bank saying: “Your registration for UPI app has started. If it was not you, report now to your bank. Do not share card details/OTP/CVV with anyone to avoid financial loss”.

Several people have also highlighted the same problem in the review section of TrueCaller’s Google Play Store page, fearing that the app is accessing their personal data and banking information.

“There was an issue in the app observed today. We have been updated that last night’s migration had resulted in a bug in the workflow. We understand that it has been fixed and till then user on-boarding has been stopped in this app. NPCI ensures to take action if found non-compliant.” – Dilip Asbe, MD & CEO, NPCI.

The payments feature, called Truecaller Pay, was added to the app two years ago in partnership with ICICI Bank.

Users running the latest version of Truecaller on Android (10.41.6) are the ones affected by this issue. What is surprising is that people who do not have an ICICI account also received the message.

“We have discovered a bug in the latest update of TrueCaller that affected the payments feature, which automatically triggered a registration post updating to the version. This was a bug and we have discontinued this version of the app so no other users will be affected.” – TrueCaller official statement.

A TrueCaller co-founder apologised for the “bug in the code” of the update, writing, “We all at TrueCaller feel bad this even happened in the first place”. He says that the update was rolled out to only one percent of TrueCaller users, of whom only 0.12 percent of users in India were affected by the UPI bug.

TrueCaller Bug Bypasses Steps in UPI Registration:
The “bug” that TrueCaller is referring to bypasses steps in creating a UPI ID.
Most payment apps commonly follow these steps in the UPI registration process:

Step-1: Select the bank account for which you want to create a UPI ID.
Step-2: Validate your mobile number, which is already linked to the selected bank account.
Step-3: Upon validation, the app sends an SMS to verify the mobile number with the bank.
Step-4: On successful verification, your UPI ID is created.

In TrueCaller’s case, the app already holds your validated mobile number, and the bug allowed it to bypass the first three steps: selecting your bank account, validating your mobile number and sending the verification SMS. What is not clear is the process through which a user’s bank account was identified and then selected without any user action.
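To make the gap concrete, here is an added example (not TrueCaller's, ICICI Bank's or NPCI's code) that models the four steps above as a consent-gated state machine: each transition requires the previous step and is written to an audit trail, so a registration kicked off by an app update with no user-chosen account fails instead of silently completing. The phone number and bank name are constructed sample values.

```python
from dataclasses import dataclass, field

# Ordered steps from the article; each may only follow the one before it.
STEPS = ["start", "account_selected", "number_validated", "sms_verified", "upi_id_created"]

class ConsentError(Exception): ...

@dataclass
class Registration:
    phone: str                  # the number the app already holds (constructed sample)
    state: str = "start"
    bank: str = ""
    audit: list = field(default_factory=list)

    def _advance(self, expected: str, action: str) -> None:
        # Every transition is checked against the previous step and logged.
        if self.state != expected:
            raise ConsentError(f"{action} attempted from state '{self.state}'")
        self.audit.append(action)
        self.state = STEPS[STEPS.index(expected) + 1]

    def select_account(self, bank: str, user_initiated: bool) -> None:
        # Step 1: picking the account is the user's act, never a background job's.
        if not user_initiated:
            raise ConsentError("account selection must be user-initiated")
        self.bank = bank
        self._advance("start", f"select_account:{bank}")

    def validate_number(self, number_on_file: str) -> None:
        # Step 2: the number the bank holds must match the one the app has.
        if number_on_file != self.phone:
            raise ConsentError("mobile number not linked to selected account")
        self._advance("account_selected", "validate_number")

    def confirm_sms(self, sms_sent: bool, bank_ack: bool) -> None:
        # Step 3: the verification SMS must be sent and acknowledged by the bank.
        if not (sms_sent and bank_ack):
            raise ConsentError("SMS verification incomplete")
        self._advance("number_validated", "confirm_sms")

    def create_upi_id(self) -> str:
        # Step 4: only reachable once steps 1-3 are in the audit trail.
        self._advance("sms_verified", "create_upi_id")
        return f"{self.phone}@{self.bank.lower()}"

def post_update_trigger(reg: Registration):
    """What the buggy path amounts to: jump straight to step 4. A gated flow rejects it."""
    try:
        return reg.create_upi_id()
    except ConsentError:
        return None
```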

Story Updates:
― NPCI has stopped on-boarding new TrueCaller users on the UPI platform.
― TrueCaller has apologised to users for the UPI bug.
― TrueCaller has since issued an app update to stop this automated process that violates user consent.

TrueCaller is not new to controversy and privacy violations. The very structure of the base service rests on the app granting itself permission to collect and share personal information about you that is not publicly available, even if you never signed up for the service and never agreed to its Terms of Service and Privacy Policy. The app collects information from its users' address books and then shares that information with third parties, without consent from, or even notice to, the people to whom that information pertains. Consent is obtained from the users who hand over their address books to TrueCaller, not from the people listed in them.