Call Blocking Apps Expose 3 Billion Numbers
3 billion users now including celebrities and politicians have their phone numbers exposed due to a software feature in call blocking apps.
Three popular call blocking apps Sync.Me, CM Security and Truecaller have been exposed that they upload the contact details of about 3 billion users in publicly searchable databases. Affected users are those who have never used the app as well, due to the fact that their details are shared in the database lists as well.
The news were reported by journalists from the Hong Kong Free Press. The data contains the numbers of the Hong Kong’s Chief Executive Leung Chun-ying and the Chief Secretary for Administration Carrier Lam Cheng Yuet-ngor. Other listed staff include officials, legislators and other celebrities from the media, business, politics, entertainment sectors, and ordinary citizens.
The three smartphone apps include:
- CM Security – This is a product of the US-listed company Cheetah Mobile. The main holding company is the Chinese software company Kingsoft Corporation Limited
- Truecaller – This is a product of the Swedish information technology company True Software Scandinavia AB
- Sync.Me – This is a product of the Israeli information technology company Sync.Me.LTD.
The reverse lookup feature of the apps allows the users to trace the name of the number holder. This means that when a telephone number is placed in the app it will search through the database to trace to source of the holder. Each application displays the name of the telephone number owner even when the person is not registered and has not authorized the application to make their personal information identifiable. The Sync.ME search engine also merges the mobile phone numbers with Facebook profiles which makes it even easier to identify individual users with a simple query.
Combined search results have been used to create lists of high-ranking officials and celebrities which now have their personal phone numbers exposed to the public. The data do not appear to be harvested in a fixed format which suggests that they have been downloaded over time as the users have shared the data with the applications.
Truecaller has in possession a database of over 3 billion telephone numbers, Sync.ME has collected data of over one billion contacts and their social network profiles (Google, Facebook and LinkedIn). CM Security has collected the phone address information from WhatsCall which is another application that is developed by Cheetah Mobile.
The users have transmitted the information via the privacy privileges. The Privacy Policy and End-User License agreements of the various call blocking apps allow them to read the data on the user devices and uploaded to the remote company servers.
An excerpt of Sync.ME’s policy reveals the following:
If you chose to activate the “Sync.ME search” feature, you would be asked to
explicitly warrant that you have all necessary permissions to share your contacts’
information, and that you have no knowledge of any objection, on the behalf of
any of your respected contacts, to include their names and phone numbers in the
phonebook directory, which is available for other registered users. Please be sure
not to share any other person details without his or her prior consent, and that the
information you share is accurate and up-to-date. For security reasons, we will
also filter out numbers of your phonebook which do not seem to correlate to an
actual person. You may at any time opt-out of this feature by deactivating it, in
which case we will de-list your contacts (unless their details were provided by
other sources).
Both the CM Security and WhatsCall apps are made by Cheetah Mobile. The company’s privacy policy and end-user agreement reads the following:
For providing the service such as calling, we may read your contact information stored in your device to get contact
for you or we may read your GPS information to get the contact. Your phone’s address book stored in your device may
be sent to WhatsCall’s server in an encrypted manner. Your phone address book will be merged into others’ phone
address books and all of these data then ca be transferred into a database. WhatsCall will intelligently and automatically
analyse the phone number database in order to provide strange number identification, business phone number
identification and other features. WhatsCall warrants and guarantees that we will not share any user’s phone address
book to any third party without any legal reason.
Among the exposed phone numbers are those of David Cameron and the leader of the Labour party of the UK Jeremy Corbin.