Among all the potential features and services that can be hacked, a phone's calling restrictions are possibly the most valuable. That is exactly what is being made possible by an app called 'Call India - IntCall' on the Google Play Store, as discovered by GIS Consulting. The vulnerability disclosed in the report states that the app does not require user permissions to register itself on a phone, and can spoof phone calls for use cases such as criminal activities and extortion.
According to an IANS report, the 'Call India - IntCall' app can register itself once installed on a smartphone, by remotely authorising a random phone number stored in its database, and verifying an OTP that does not require any authentic user verification process. However, what makes it very intriguing is that, despite its disturbing and seemingly shady bearings, no general user would suspect that the app may have a potentially severe security threat embedded within itself.
For one, a look at its listing on the Google Play Store reveals that the app was last updated on December 22, 2014. This is the first reason for not trusting an app, especially if it has received no updates in over four years. The app is very evidently active in operation, though — the reviews section reflects both spam and genuine reviews from multiple users. Given the severe implications, it is a bit surprising that most of the complaints against the app are that it offers only one minute of free international calling. This confirms that an overwhelming majority of users of the 'Call India - IntCall' app, developed by TeleStar, are unaware of the security threats that it poses.
The app's publisher, TeleStar, is a company that runs multiple VoIP (voice over internet protocol) apps and services across the world. On its homepage, among its advertised features, are three rather concerning elements — voice recording, voice changing and "setting background sound to the conversation." This happens to be a big factor that threatens user privacy, for if taken over remotely, a user with malicious intent can morph voice and add fake background ambiance to a call, to carry out tasks of extortion and other threats.
While News18 could not independently verify the claims made by GIS Consulting, there appears to be significant credibility to them, if the pattern of publicly accessible user reviews on the Play Store is anything to go by. Multiple users, although fewer in proportion than the 5-star reviews with spam text, have complained that their own phone numbers have been taken over. On April 21, Pankaj Hurmade wrote on the Play Store, "This app not secure, any user's mobile number from calling. [sic]" A similar but more concerning review, left by Simran Kaur and unanswered by the developers, states, "Someone is using my phone number as his ID. I can't use my account, (please) do something."
And yet, despite the open advertisement of voice morphing and background changing on the official website, as well as multiple public reviews pointing at threats that can potentially lead to criminal involvement, 'Call India - IntCall' presently has over 1 million downloads and a rating of over 4.2 on the Google Play Store. While Google has been updating its Play Store policies and banning multiple apps that are suspicious or spread malware, it is still not a fail-proof platform, and security threats exist in this arena despite the rating standards that many users trust before downloading an app.
News18 has reached out to TeleStar for its comments on the matter, but the company has not responded at the time of publishing, with an email questionnaire as well as other requests for comments remaining unanswered. Attempts to contact GIS Consulting have also remained unsuccessful at the time of publishing.