These two words threatened the very existence of Truecaller after a user’s chance discovery went viral last week. The app, which actively filters spam calls and messages for more than 100 million smartphone users in India—and tens of millions more worldwide—was found to enroll some users for UPI without their knowledge. UPI, or Unified Payments Interface, is India’s mobile-based instant payments system.
It began with a seemingly routine update. But after the rollout, a number of users noticed that Truecaller sent messages with garbled text from their phones to an unknown number. Following this, ICICI Bank—Truecaller’s partner bank—sent messages notifying users saying that their registration for UPI had begun.
Truecaller blamed the incident on a bug. A spokesperson told The Ken only its Android users were affected. The spokesperson declined to disclose how many. The company also assured users that the bug only enrolled them—no transactions had been made. Nonetheless, it’s worrying just how easily it could have led to a transaction.
Following the text from ICICI, the Truecaller app correctly identified users’ bank accounts too. It could do this by simply using the message-access it already has to find which accounts were linked to the number, said Ramanathan RV, founder and CTO of Juspay, the company that made the BHIM app. In one case, Dheeraj Kumar—one of the users affected—was nudged by Truecaller to link his HDFC Bank account to the company’s app. Kumar uses HDFC Bank for making payments using BHIM, the government-backed mobile payments app.
How do you explain the SMS? There is no other app in that list that has permissions to send an SMS. And it’s with an institution you’ve partnered with! Also, I can’t deregister, because according to your own app, I’m not registered! pic.twitter.com/PzuyN8VxHs
— Dheeraj Kumar (@codepodu) July 30, 2019
Aashish Bansal, another user, was prompted to link his Indian Overseas Bank account to the app. While neither Kumar nor Bansal suffered financial loss, the issue highlights the gaps in India’s regulatory framework, where companies operate in the absence of a data protection law, with users often becoming collateral damage.
Truecaller seemingly has everything going for it in India—100 million daily active users, and it is the fourth most downloaded app in the country, according to the Mary Meeker Internet Trends Report 2018. It is also an app that holds near-limitless Android permissions over user data, granted through Google’s Play Store. All of this should have the company sitting pretty, but it hasn’t quite lived up to its early potential.
Truecaller has, over the years, pivoted from one business model to another in its quest for profitability. One of its primary revenue streams was advertising, but that has proven less than sustainable.
This, despite Truecaller diluting its value proposition to attract ad revenues. One way it makes money is by allowing advertisers to call users—it whitelists those numbers so they show up as names users would be inclined to take calls from. Sometimes even celebrity names. In one campaign, it claimed 50% of users picked up such calls.
It has also added an ad-free premium subscription service. But despite its best efforts, it remains decidedly loss-making—in 2018, revenues stood at $22.2 million with losses of $6 million, the company said. That compares to $11.2 million in sales and a $6.2 million loss in 2017, according to regulatory filings from Sweden.
But as India’s digital payments space has taken off in recent years, Truecaller finds itself enamoured by India’s $100 billion digital credit opportunity. This latest incident is but a symptom of Truecaller’s search for its ultimate identity.
A foreign phenomenon
Truecaller is not the kind of company you’d expect to find at the centre of a fintech blunder in India. For one, the business isn’t Indian.
The company was founded in the summer of 2009 by Swedish duo Alan Mamedi and Nami Zarringhalam. Their rapid rise is a validation of the freedom of opportunity in Sweden since both had challenging upbringings. Mamedi was born in a refugee camp—his Kurdish parents moved a month before his birth—while Zarringhalam’s parents fled Tehran, Iran, where he had been born.
Truecaller has been around so long that it actually first launched on BlackBerry—the once-ubiquitous devices with physical keyboards—before rolling out months later to iOS and Android.
The concept was straightforward. Truecaller stops spam calls, something that plagued people back when smartphones first began to take off, by letting you know who is calling. Truecaller’s twist is that it allows users to tag unwanted callers—helping to publicly identify spammers. Once a user has identified a caller—perhaps it is a bank or a loans company—all other Truecaller users see that ID when receiving a call.
The service pre-dates the global app phenomenon, and as smartphone adoption increased and apps became common, Truecaller’s popularity grew. It reached five million registered users by September 2012, and 10 million by January 2013 thanks to network effects.
Four years later, as iOS and Android became dominant platforms, Truecaller clocked 250 million registered users. Today it boasts 140 million active users—a more accurate metric than merely ‘registered users’—of which 100 million are in India.
Its growth attracted investment and top names. The company has raised $98.6 million, according to data from Crunchbase, from firms like Sequoia, Kleiner Perkins and Atomico, the Europe-based fund from Skype co-founder Niklas Zennström.
In search of a true calling
But despite explosive growth, a service that thrives in today’s mobile app economy, and lots of money from top-tier VCs, Truecaller has struggled to lock down a revenue model to match. It currently makes money through a combination of advertising, an ad-free premium service—for which it has 500,000 subscribers paying at least $0.99—and an ambitious play to build an ecosystem.
The latter is a new addition, coming after Truecaller began to focus on the Indian market. That crystallised in 2017 when the company acquired India-based payments startup Chillr. The plan was to offer payments and financial services to its massive audience in the country—its largest market worldwide.
The India story was of critical importance for Truecaller since it had pivoted and gone through startup growth pains before identifying this huge emerging market opportunity.
At its peak in 2015, Truecaller was the next big thing. Facebook released its own caller ID app, validating and challenging Truecaller in the same breath. TechCrunch reported in June 2015 that the company was in talks with investors to raise $100 million at a valuation of $1 billion, a deal that would see Truecaller join the unicorn club.
At that point, Truecaller had raised $80 million, so the capital increase would have been significant. But the round never materialised. Instead, Truecaller closed the year with layoffs and killed off one of its auxiliary apps a few months later. The funding round had also died.
Speaking to TechCrunch in March 2016, Mamedi said Truecaller didn’t need the money as he anticipated it would be cash-flow positive by the end of the year. The trigger, as he explained, would be the introduction of “targeted advertising.”
Truecaller’s advertising ambitions, which Mamedi once hung his hopes on, haven’t quite worked out. Of the nearly $2 billion that brands spend on digital advertising in India, nearly 80% of a brand’s budget is spent on Google and Facebook properties. The rest is spent on content apps like Hotstar and TikTok, with less than 2% spent on Truecaller, estimate digital agencies.
“Truecaller has about Rs 250 crore ($36 million) of available inventory in a year. The advertising market is pegged to be at Rs 14,000 crore ($2 billion) in 2019. So, even if Truecaller does the impossible task of selling out all of its inventory for all 365 days (which is highly unlikely), still they will not be able to have a share of 2% of the total ad spends,” says Sahil Shah. He is the executive vice president of operations and media at WATConsult, a digital marketing agency owned by Dentsu Aegis Network. “My best guess is that they will be around 0.75-0.95% of a brand’s spend,” Shah adds.
The payments priority
Fast forward to 2019, however, and Truecaller hasn’t managed to break even.
The product, too, has evolved significantly. Gone is the utility app focus—which provides a great experience but is hard to monetise. Today’s Truecaller aspires to be a mobile platform. It offers free chat messages and voice calling between users—much like WhatsApp. In India, it is also aggressively pushing payments, which is another feature Facebook is preparing to add to WhatsApp.
But it’s the effort to push its fintech services—converting low-revenue utility app users into platform app users that generate significant revenue—that seems to have triggered last month’s bug.
At the height of the 2017 payments frenzy in India, Truecaller jumped into payments much like its fellow overseas tech firms such as Google and Facebook.
As UPI volumes soared, the fight for number one was hotly contested between locally grown wallet companies Paytm and PhonePe, government-backed BHIM and Google Pay. Truecaller was nowhere on the payments scene. And now, 28 months since its launch, it has an insignificant presence. Truecaller has about 10 million bank accounts linked, said the company earlier this year. Competitor PhonePe—which is focused solely on payments—has over 100 million users, meanwhile.
At the same time, younger companies are shaking trees, too. Merchant-focused payments app BharatPe, which is barely a year old, is powering close to 10% of UPI merchant volumes. It does about 9 million transactions a month.
Truecaller’s enviable 100 million active user base, however, hasn’t been able to supercharge its payments dream. What it needed was a growth hack. A hack that could have maybe connected all its 100 million users to, say, their bank accounts.
Bug turns bugbear
When it comes to Truecaller, one privacy breach swallow does not a summer make. Truecaller’s strong desire to make its payments strategy succeed has seen it run with other unscrupulous tactics. One talking point that arose from public scrutiny of the bug is exactly what actions and activities Truecaller’s app handles in the background without the knowledge of users.
Abhay Rana, a software developer at payment gateway Razorpay, found that Truecaller’s app was embedded with numerous data-hungry software development kits (SDKs). SDKs are third-party code libraries compiled into an app; on Android they run inside the app’s own process and therefore inherit every permission the app has been granted, so an SDK in an app with message access can read messages too.
Now, SDKs on their own are no indicator of ethicality. On average, an app has as many as 18.5 SDKs, according to a SafeDK report. Most apps use advertising and analytics SDKs as standard.
The SDKs Truecaller used, however, granted a credit scoring service MessAI and expense management service Walnut access to user data. The former could trawl messages to profile users. Walnut—which was acquired by fintech lender Capital Float—enjoyed similar access.
This approach could help Truecaller, which has ambitions to lend, identify which users to target for lending. Rana also checked other payment apps, such as PhonePe and Cred, for the SDKs they used. These didn’t include credit scoring SDKs, he said.
While lending apps like MoneyTap also have credit scoring SDKs, users expressly download them for the purpose of taking loans. Given its focus on caller ID, few people downloading Truecaller would expect their messages to be trawled to assess their creditworthiness.
Sony Joy, head of payments at Truecaller and the former CEO of Chillr, defended the company’s practices. Joy claims that credit scoring—which is part of a pilot—happens only for a specific set of users who wish to apply for credit and explicitly grant permission to assess transactional messages. He added that the app asks for consent even though users might have already given messaging permission earlier.
Joy’s claims appear to be at odds with Truecaller’s own FAQ detailing its credit services. It says Truecaller does not show all of its users this option. “If you are eligible for the offer, it will be seen on the landing page under the banking tab of Truecaller app,” it states. This indicates that Truecaller already identifies which users are eligible for its lending services.
Hours after Rana’s findings were published on Twitter, Walnut founder Amit Bhor said the SDK for Walnut found in Truecaller had been discontinued altogether. It also emerged, after Rana’s finding, that Truecaller had acquired MessAI in April 2019.
Too close to the sun
Truecaller is reflective of the era in which it grew, back when Android was a developer haven. App developers flocked to Google’s mobile operating system as it allowed apps to use user data freely and build products with few constraints. As a result, Truecaller has access to call logs, permission to read and send messages, location, and contacts. That’s in stark contrast to Apple’s iOS operating system, which exposes no API for users’ message inboxes or call logs and so forbids apps built around them.
It’s this unbridled access to data that also saw Truecaller almost breach the inviolable principle of digital payments in India. Just as Airtel Payments Bank and Paytm Payments Bank showed how electronic KYC (know-your-customer) processes can be used to sign unwitting people up for bank accounts, Truecaller’s UPI bug shows how apps could be similarly misused.
Truecaller, with its bug, came close to breaching the all-important fail-safe of Indian digital payments—two-factor authentication (2FA). The combination of the three-digit Card Verification Value (CVV number) on the back of a debit/credit card and a one-time password sent via messaging is a mechanism the central bank, the Reserve Bank of India, holds on to dearly. Much to the unadmitted annoyance of digital companies who see the two steps as a point of friction.
When UPI burst onto the scene, it found instant acceptance, because even with 2FA, it practically worked out to be a single-step process. That’s because the first factor is possession of the registered phone number and device, which is verified once at registration and not re-authenticated every time one makes a payment. But as Truecaller showed, this can also be a vulnerability.
Normally, a UPI app can only send the SMS that binds the device to the bank after a user has installed it, started registration and granted it messaging permission—so the user knows what is happening. Not so for Truecaller. It already held permission to send and read messages by virtue of being a caller ID app, so its payments module could send the binding SMS (the garbled text users noticed leaving their phones) and read the bank’s reply without a single new prompt. This let it auto-register users. As much as the company would like to call this an anomaly, it was also something of an eventuality. If not at the hands of Truecaller, then perhaps through some other app with similar fintech ambitions.
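The precondition for a silent registration of this kind is an app that can both send an SMS and read the reply. The audit below is an added example, not code from Truecaller or from the article; it parses the text produced by `adb shell dumpsys package <pkg>` (the AOSP PackageManager dump format, which lists each permission as `android.permission.X: granted=true`) and flags packages whose granted permissions would let them complete UPI device binding without a user-visible step. The package names and the dump text embedded in it are constructed sample data.

```python
"""Flag installed Android packages whose granted permissions would let them
send a UPI device-binding SMS and read the bank's reply silently.

Input is the output of `adb shell dumpsys package <pkg>` (one or more packages
concatenated). Only lines carrying `granted=true` count: a permission listed under
`requested permissions:` but never granted is ignored."""
import re
from typing import Dict, List, Set

SEND = "android.permission.SEND_SMS"
READ_ANY = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}

# `Package [com.example.app] (3f2a1b):` opens each package section in the dump.
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
# Install-time and runtime grants share this shape; flags may follow the value.
GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


def granted_permissions(dump: str) -> Dict[str, Set[str]]:
    """Return {package: set of permissions currently granted} from dumpsys text."""
    result: Dict[str, Set[str]] = {}
    current = None
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, set())
            continue
        m = GRANT_RE.match(line)
        if m and current is not None and m.group(2) == "true":
            result[current].add(m.group(1))
    return result


def can_bind_silently(perms: Set[str]) -> bool:
    """True if the app can send the binding SMS and observe the bank's response."""
    return SEND in perms and bool(perms & READ_ANY)


def audit(dump: str) -> List[str]:
    """Packages in the dump that hold the silent-binding permission combination."""
    return sorted(pkg for pkg, perms in granted_permissions(dump).items()
                  if can_bind_silently(perms))


# Constructed sample: a caller-ID app with full SMS access, a payments app that
# only reads SMS (so it still needs the user to grant SEND_SMS), and a torch app.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.callerid] (3f2a1b):
    requested permissions:
      android.permission.READ_CALL_LOG
      android.permission.SEND_SMS
      android.permission.READ_SMS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
        android.permission.SEND_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
  Package [com.example.payments] (91c0de):
    requested permissions:
      android.permission.SEND_SMS
      android.permission.READ_SMS
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.SEND_SMS: granted=false, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
  Package [com.example.torch] (0a0a0a):
    install permissions:
      android.permission.CAMERA: granted=true
"""

if __name__ == "__main__":
    for pkg in audit(SAMPLE_DUMP):
        print(f"{pkg}: can send SMS and read replies (silent UPI binding possible)")
```

On a real device, pipe `adb shell dumpsys package <pkg>` for each installed package into `audit`; only the caller-ID package in the sample is flagged, because the payments app has requested but not been granted SEND_SMS.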
Facebook has continued to march on despite significant privacy blunders and this incident too may blow over for Truecaller, like many tech outrages of the past. But there are some worrying signs. Like the upcoming data protection bill, which is expected to be tabled in the parliament in the ongoing budget session, and the bruising competition among fintech and non-fintech companies to lend.
Even though Truecaller in May appointed Sandeep Patil, a former Flipkart director, as its Indian managing director, its focus on the India market is complicated because the company remains anchored in Sweden (where Mamedi, Zarringhalam and its heads of engineering and product are based). Even Truecaller’s board has just one Indian representative—Sequoia’s Shailesh Lakhani. The Chillr acquisition built out Truecaller’s on-the-ground presence in India, but the incidents of the past week may give it cause to rethink its approach. WhatsApp is poised to explode onto India’s fintech landscape; where will that leave the also-rans?
Clarification: The article was updated to reflect the correct number of transactions BharatPe does in a month. It has also been edited to highlight that message-access is enough for Truecaller to link user bank accounts.