Critical PII Exposure in “Who – Caller ID, Spam Block” App

Quokka disclosed a serious vulnerability (CVE-2024-40096) affecting the Android mobile app “Who – Caller ID, Spam Block” (version 15.0) that poses a significant risk to users by exposing personally identifiable information (PII) to the system log.


On March 7th, 2024, Joe Cho, Senior Technical Consultant at Quokka, disclosed a serious vulnerability (CVE-2024-40096) affecting the Android mobile app “Who – Caller ID, Spam Block” (version 15.0), identified by the package name “com.cascadialabs.who”. This vulnerability, discovered by Quokka, poses a significant risk to users by exposing personally identifiable information (PII) to the system log. 

Overview of the app vulnerability 

The “Who – Caller ID, Spam Block” app, with over 1 million downloads on the Google Play Store, is designed to help users manage calls and messages by filtering out telemarketers, robocalls, and unwanted interruptions. Its current version (15.0), however, has a security flaw of the kind commonly referred to as a “Leaky App.” Two related issues were identified: version 14.1 wrote call-log entries to the Android system log, and version 15.0 still writes the unsanitized phone numbers of outgoing calls there. Data written to the system log leaves the app’s own sandbox, so it becomes readable by other parties on the device and can be exploited by bad actors.

How does something like this work? 

The “com.cascadialabs.who” app requests read access to the call log by declaring the “android.permission.READ_CALL_LOG” permission in its application manifest file. Anything the app then writes to the system log (logcat) is a shared resource: it can be read by other co-located processes, which exposes any sensitive information written there. On modern Android, ordinary third-party apps cannot obtain the READ_LOGS permission, but the log remains readable by system and privileged apps, by anyone with adb or shell access to the device, and through bug reports, so PII in the log is still outside the app’s control. While the exposure of call-log entries seen in version 14.1 has been fixed in the latest version, 15.0, the app still writes unsanitized phone numbers to the same log when a call session is initiated.
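The practical check for this class of bug is to capture logcat while exercising the app and look for phone numbers in lines emitted by the app’s process. The following scanner is an added example, not code from Quokka or from the “Who” app: it parses logcat’s “threadtime” format, flags phone-number shapes in messages from a chosen set of process IDs, and shows what a redacted message would look like. The log lines, PIDs, tags and messages are constructed for illustration; only the package name com.cascadialabs.who comes from the advisory.

```python
"""Scan Android logcat output for phone numbers leaked by a specific process.

Added example; not the advisory's or the app's own code. The sample log
lines below are constructed: the PIDs, tags and messages are invented, and
only the package name com.cascadialabs.who is taken from the advisory.
"""
import re
from dataclasses import dataclass

# One logcat "threadtime" line: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
LOGCAT_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+"
    r"(?P<tag>[^:]+?)\s*:\s?(?P<msg>.*)$"
)

# Phone-number shapes worth flagging: E.164 (+15551234567), North American
# 10-digit with optional separators or parentheses, and bare 7-digit runs.
# Lookarounds keep it from matching the middle of a longer digit run.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+\d{1,3}[\s.-]?)?(?:\(?\d{3}\)?[\s.-]?)?\d{3}[\s.-]?\d{4}(?!\d)"
)

# Constructed logcat capture. PID 4321 stands in for the app under test;
# 1999 stands in for an unrelated system process.
SAMPLE_LOGCAT = """\
03-07 10:15:42.101  4321  4321 D WhoCallSession: initiating outgoing call to +15551234567
03-07 10:15:42.105  4321  4350 I WhoCallSession: CallLog row: number=(555) 987-6543 duration=42
03-07 10:15:42.110  1999  1999 D ActivityManager: Displayed com.cascadialabs.who/.MainActivity: +180ms
03-07 10:15:42.120  4321  4321 D OkHttp: --> GET https://example.invalid/v1/status (version 15.0)
03-07 10:15:42.130  4321  4321 W WhoCallSession: spam score 0.87 for 5559876543
""".splitlines()


@dataclass
class Leak:
    pid: int
    tag: str
    numbers: list
    message: str


def parse_line(line):
    """Split one threadtime logcat line into its fields, or None if it does not parse."""
    m = LOGCAT_RE.match(line)
    return m.groupdict() if m else None


def find_leaks(lines, pids):
    """Return every log message from the given PIDs that contains a phone number.

    On a real device, pids would come from something like
    `adb shell pidof com.cascadialabs.who` (assumed here, not shown).
    """
    leaks = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or int(rec["pid"]) not in pids:
            continue
        numbers = PHONE_RE.findall(rec["msg"])  # no capture groups, so full matches
        if numbers:
            leaks.append(Leak(int(rec["pid"]), rec["tag"].strip(), numbers, rec["msg"]))
    return leaks


def redact(msg):
    """Mask every digit of each phone number except the last two.

    This is the shape a developer's log call should produce instead of the raw
    number, if the number has to be logged at all.
    """
    def mask(m):
        token = m.group(0)
        remaining = sum(c.isdigit() for c in token)
        out = []
        for c in token:
            if c.isdigit():
                remaining -= 1
                out.append(c if remaining < 2 else "*")
            else:
                out.append(c)
        return "".join(out)
    return PHONE_RE.sub(mask, msg)


if __name__ == "__main__":
    # Scan the constructed capture for the app's PID only; the
    # ActivityManager and OkHttp lines must not be flagged.
    for leak in find_leaks(SAMPLE_LOGCAT, {4321}):
        print(f"pid={leak.pid} tag={leak.tag} leaked={leak.numbers}")
        print(f"  sanitized: {redact(leak.message)}")
```

Against a live device the input would be `adb logcat -v threadtime` rather than the constructed lines, and the PID set would be the app’s current process; filtering by PID rather than by log tag matters because third-party libraries bundled into the app log under their own tags. The scanner only catches the phone-number shapes its pattern describes, so a negative result is not proof that nothing leaks; reviewing the app’s Log calls, or an automated static scan for PII reaching logging APIs, is the complementary check.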


Why the data exposure is dangerous

Mobile apps are trusted to manage and protect our most sensitive information, and when an app fails to do so the consequences can be severe. Apps that leak data, or that can collude with other apps, pose significant risks. Here is what that means for those affected by risky apps:

  • Privacy violation: These privacy breaches occur when apps fail to properly secure user data, exposing it to potential access by other apps or malicious actors. Whether intentional or not, these lapses by app developers can lead to massive privacy violations on mobile devices, compromising the personal information of countless users.
  • Security risks: The leaked information becomes accessible to other apps and processes on the device, including potentially malicious ones. “Colluding Apps” can exploit this data to track users, steal identities, or engage in targeted attacks, significantly increasing the risk of fraud or other malicious activities. 
  • Regulatory compliance: Exposing PII can put the app developers at risk of violating privacy regulations such as GDPR or CCPA. Non-compliance with these laws can result in hefty fines and damage to the company’s reputation.

Actionable Steps to Enhance Mobile Security

For users: It is strongly recommended that users uninstall the “Who – Caller ID, Spam Block” app until a patched version is released. They should also review any other installed apps that can read the system log for possible misuse of the exposed data. Users who use personal devices for work purposes (BYOD) should understand the risks of granting apps sensitive permissions: once an app mishandles data obtained through a permission such as READ_CALL_LOG, call logs and phone numbers can become easily accessible to bad actors.

For organizations: BYOD or mobile device usage in the workplace requires stringent mobile device and app security policies to prevent risky apps from accessing sensitive information. Organizations can proactively identify and make risk-based decisions by leveraging solutions that can analyze and assess apps for security and privacy issues—such as improper handling of PII. Implementing policies that enforce app security standards ensures that only vetted and secure apps are used on approved mobile devices for the workplace. 

For developers: We urge developers to adopt mobile application testing practices. Automated security testing and continuous monitoring are crucial to protecting sensitive information, maintaining user trust, and complying with privacy regulations. Integrating secure coding practices and security assessments into the app’s development lifecycle can prevent this type of exposure. Concretely for this class of bug: never pass phone numbers, contact data, or call-log rows to logging calls, strip debug logging from release builds, and redact any identifier that genuinely has to be logged.

Here are some quick tips to protect sensitive user information:

  • Be vigilant about permissions granted to apps. 
  • Regularly review app settings to ensure they align with security needs.
  • Consider using security solutions that can alert security teams of these security and privacy vulnerabilities. 
  • Stay aware of the potential security implications of apps installed on a device, as each one adds to the device’s attack surface.
  • Safeguard both personal and work-related information by practicing good app security habits.

Discovering vulnerabilities like this underscores the critical need for stringent mobile security practices. As our reliance on mobile devices grows, so does the importance of protecting the sensitive information they carry. Whether you’re a user, developer, or organization, taking proactive steps to secure data and maintain privacy is no longer optional—it’s essential.

Quokka offers two powerful solutions to meet the needs of both developers and organizations: 

  • Q-mast is an all-in-one SAST/DAST/IAST solution that secures your mobile apps by scanning the compiled version—just like what you publish to the store. This approach ensures comprehensive coverage, including your custom and third-party code bundled with your app, without needing the source code.
  • Q-scout provides actionable insights into the managed and personal apps installed on mobile devices accessing enterprise resources and data. By analyzing malicious behaviors, security vulnerabilities, and privacy issues, enterprise security and IT teams can receive alerts and enforce proactive security measures based on risk-based policies they set for their organization.

Both are powered by the industry’s first Contextual Mobile Security Intelligence engine, delivering actionable insights to proactively protect against malicious apps and zero-day exploits. Ready to see how these tools can enhance your mobile security? Request a demo today and discover how Quokka can help safeguard your business.