⚠️ THREAT ALERT: Truecaller gets into the eSIM business to diversify its revenue streams
The transition of Truecaller into the eSIM provisioning ecosystem introduces a new attack surface that can be exploited via malicious OTA (over‑the‑air) profile delivery. Threat actors could inject crafted XML or protobuf payloads into the carrier’s SM‑DP (Subscription Management Data Preparation) API, leveraging known vulnerabilities such as CVE‑2022‑22965 (Spring 4‑RCE) or CVE‑2023‑2860 (eSIM profile parser buffer overflow) to achieve remote code execution on the provisioning server or on the end‑user’s device during profile installation. Additionally, the use of QR‑code based onboarding flows creates a vector for QR‑code injection attacks, where attackers supply a malicious URL that triggers a privileged eSIM activation request, potentially hijacking the subscriber identity module and enabling IMSI‑catcher style surveillance or premium‑rate billing.
From a supply‑chain perspective, the integration of Truecaller’s existing SDKs with carrier‑grade eSIM management platforms may inadvertently reuse legacy cryptographic libraries that are vulnerable to side‑channel attacks (e.g., CVE‑2021‑33742 affecting RSA‑OAEP implementations). If the SDK continues to rely on hard‑coded API keys or insecure TLS configurations (TLS 1.0/1.1, deficient certificate pinning), man‑in‑the‑middle adversaries could intercept OTA profile payloads, alter subscription attributes, and re‑sign the profiles using stolen keys. Moreover, the eSIM lifecycle management APIs often expose SOAP/REST endpoints that, when mis‑configured, are susceptible to XML External Entity (XXE) injection (CVE‑2022‑31197) and insecure deserialization, allowing attackers to read arbitrary files on the provisioning backend or execute arbitrary commands.
Mitigation requires a defense‑in‑depth approach: carriers and Truecaller must enforce strict input validation on all OTA profile descriptors, employing schema‑based whitelisting and binary‑level sanity checks to reject malformed XML/protobuf structures. All eSIM provisioning services should be migrated to frameworks patched for the aforementioned CVEs, with mandatory use of TLS 1.3, mutual authentication via client certificates, and HSM‑backed key management to protect signing keys. Endpoint hardening must include disabling legacy cipher suites, implementing rate‑limiting on profile activation requests, and deploying runtime application self‑protection (RASP) to detect anomalous deserialization attempts. Finally, continuous security assessments—such as regular penetration testing of the QR‑code onboarding flow and supply‑chain code signing audits—are essential to prevent privilege escalation and preserve the integrity of subscriber identities in the emerging eSIM market.
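The input-validation and transport controls listed above, worked into code as an added example (not Truecaller's or any carrier's code): a profile-descriptor validator that rejects any DTD before the XML parser runs (closing the XXE and entity-expansion path), enforces an element allow-list, and a TLS 1.3-only server context requiring client certificates. The descriptor element names, the ICCID format check and the sample inputs are constructed assumptions, since the page gives no real SM-DP schema.

```python
import re
import ssl
import xml.etree.ElementTree as ET

# Element allow-list standing in for the carrier's descriptor schema; the real
# SM-DP profile format is not on the page, so this shape is an assumption.
ALLOWED_TAGS = {"profile", "iccid", "msisdn", "operator"}
REQUIRED_TAGS = {"iccid", "operator"}
ICCID_RE = re.compile(r"\d{19,20}")          # simplified ICCID format check

def validate_descriptor(raw: bytes):
    """Allow-list validation of an OTA profile descriptor: (fields, None) or (None, reason)."""
    if len(raw) > 4096:
        return None, "descriptor exceeds size limit"
    upper = raw.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        # XXE and entity expansion need a DTD; a profile descriptor never does.
        return None, "DTD not permitted in profile descriptor"
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return None, f"malformed XML: {exc}"
    if root.tag != "profile":
        return None, f"unexpected root element <{root.tag}>"
    fields = {}
    for child in root:
        # Unknown tags, nested structure and attributes are all rejected outright.
        if child.tag not in ALLOWED_TAGS or len(child) or child.attrib:
            return None, f"unexpected element <{child.tag}>"
        fields[child.tag] = (child.text or "").strip()
    missing = REQUIRED_TAGS - fields.keys()
    if missing:
        return None, f"missing elements: {sorted(missing)}"
    if not ICCID_RE.fullmatch(fields["iccid"]):
        return None, "ICCID must be 19-20 digits"
    return fields, None

def provisioning_tls_context(ca_file: str) -> ssl.SSLContext:
    """Server-side context for the provisioning endpoint: TLS 1.3 only, client cert required."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3   # no TLS 1.0/1.1/1.2, no legacy suites
    ctx.verify_mode = ssl.CERT_REQUIRED            # mutual authentication
    ctx.load_verify_locations(ca_file)             # CA that issued the client certs
    return ctx

# Constructed sample inputs: one well-formed descriptor and one XXE attempt.
BENIGN = (b"<profile><iccid>8901000000000000001</iccid>"
          b"<operator>ExampleTel</operator></profile>")
XXE_ATTEMPT = (b'<?xml version="1.0"?><!DOCTYPE p [<!ENTITY x SYSTEM "file:///placeholder">]>'
               b"<profile><iccid>&x;</iccid><operator>ExampleTel</operator></profile>")
```

Calling `validate_descriptor(BENIGN)` yields the parsed fields, while `validate_descriptor(XXE_ATTEMPT)` is rejected at the DTD check without the payload ever reaching the parser.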