wordpress blog stats
Connect with us

Hi, what are you looking for?

, ,

Truecaller ‘bug’ automatically signs up users for UPI, bypassing consent

Update on August 8:  NPCI said that it has stopped on boarding new Truecaller users on the UPI Platform and an investigation into the matter is currently underway,  in response (see below) to a letter sent by the Internet Freedom Foundation (IFF).

Earlier on August 6: Truecaller CEO Alan Mamedi said today that less than 0.12% of total monthly active users in India were affected by the “bug”, nearly after a week that the Truecaller app started registering users for an UPI ID without their consent. In a statement, the company also said that this “mishap didn’t mean any sort of loss for the affected user, neither in in terms of user’s data nor anything financial, . The company explained that the particular API which caused the problem, was supposed to be initiated for only existing Truecaller Pay users who consented to sign up for it, but it triggered for a portion of users who were not already registered for payments. It added that this led to a “credential refresh which would eventually cause the UPI registration to be triggered inadvertently”.

Earlier on July 31: NPCI told MediaNama that the issue was an “enrolling mistake” by the Truecaller app without “customer consent”. It said that the customer can’t do any UPI [transaction] despite this issue. “For onboarding to UPI the customer has to still enter 2FA (issuer OTP and debit card), and set UPI pin. The workflow mistake is limited to enrolling which will not have any impact on any customer account whatsoever,” it added.

Advertisement. Scroll to continue reading.

Earlier on July 30: This is disturbing: Truecaller created UPI IDs for several people without their knowledge or consent. The app’s latest version (10.41.6) automatically started the registration process for creating an UPI ID for multiple users. One Twitter user, @Codepodu, explained that his Truecaller app sent an encrypted SMS from his phone to an unknown number, following which ICICI Bank sent an SMS that read, “Your registration for UPI app has started”. Note that there are banks which work with UPI providers to enable the registration process, and you can have a UPI ID with a bank that you don’t hold an account with. UPI essentially unbundles the account ID from the bank with which you have an account. You could have an HDFC bank account and a UPI ID on PhonePe with Yes Bank.

On being contacted by MediaNama, Truecaller first said that they had “discovered a bug” that affected the payments feature. Following that, they issued the following statement:

“The bug only affected a small fraction of Truecaller’s Android users in India. The rollout of the update was halted immediately after user’s reported the issue. Any users who have been registered for UPI services will automatically be deregistered at the back end. An updated version with the fix will be rolled out to all users soon.”

NPCI told MediaNama that it was aware of the issue with Truecaller and that it’ll take action against the app is found non-compliant:

“There was an issue in the app [Truecaller] observed today. We have been updated that last night’s migration had resulted in a bug in the workflow. We understand that it [is] being fixed and till then user on-boarding has been stopped in this app. NPCI ensures to take action if found non compliant”.


Advertisement. Scroll to continue reading.

Truecaller ‘bug’ bypasses 2 steps in UPI registration

The “bug” that Truecaller is referring to is overriding two steps in creating an UPI ID. I tried registering for an UPI ID using PhonePe and had to follow the following steps:

Step 1. I was asked to first select the bank account for which I wanted to create my UPI ID.

Step 2. Following that, the app displayed a ‘Validate Mobile Number’ message which asked for my consent if I wanted to use that particular phone number

Step 3. Upon Validation, the app opened up the Messages app and requested that I send an SMS to register my UPI ID.

Advertisement. Scroll to continue reading.

Step 4. After sending the SMS, the app had this message

Step 5. Following verification, my UPI ID was created.

In Truecaller’s case, it already has your mobile number, validated, and the bug is allowing the app to bypass two of the first three steps: Selecting your bank account, and manually sending the UPI SMS. What is not clear here is, what is the process through which a user’s bank accounts is being identified, and then selected?

Several people on Truecaller’s Google Play page have also highlighted the same problem in the review section, fearing that the app is accessing personal data and banking information.

Advertisement. Scroll to continue reading.


[embeddoc url=”https://www.medianama.com/wp-content/uploads/ToIFF-Truecaller-Concerns_6aug19.pdf” download=”all”]

Updated on August 8, 2019 (10:17 am) with NPCI’s response (above). Originally published on July 30, 2019.

Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Due to the scale of regulatory and technical challenges, transparency reporting under the IT Rules has gotten off to a rocky start.


Here are possible reasons why Indians are not generating significant IAP revenues despite our download share crossing 30%.


This article addresses the legal and practical ambiguities in understanding the complex crypto ecosystem in India.


It is widely argued that the PDP Bill report seeks to discard the intermediary status of social media platforms but that may not be...


Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ