Cyber Posture

CVE-2024-53931

Severity: Critical
Published: 06 January 2025
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0014 (32.9th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The com.glitter.caller.screen (aka iCaller, Caller Theme & Dialer) application through 1.1 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.glitter.caller.screen.DialerActivity component.

Security Summary

CVE-2024-53931 affects the com.glitter.caller.screen application (also known as iCaller, Caller Theme & Dialer) for Android in versions through 1.1. The vulnerability resides in the com.glitter.caller.screen.DialerActivity component, which is reachable from other applications and improperly handles the intents it receives: any other app on the device can send a crafted intent that makes DialerActivity initiate a phone call, with no permissions and no user interaction required. The flaw carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource) and CWE-922 (Insecure Storage of Sensitive Information).

Any malicious application installed on the same Android device can exploit this vulnerability without privileges or user consent, so remote attackers can exploit it through a network-accessible vector such as a malicious app downloaded from an untrusted source. Successful exploitation lets the attacker place arbitrary phone calls silently, with high confidentiality and integrity impact, for example unauthorized charges from premium-rate calls or disruption of the user's communications.

Mitigation details and further analysis, including a proof-of-concept, are available in the GitHub repository at https://github.com/actuator/com.glitter.caller.screen/blob/main/CVE-2024-53931. Users should update to a version later than 1.1 if a patched release is available, or uninstall the application to prevent exploitation.
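The root cause described above is an exported activity that forwards an untrusted intent into a call the app is allowed to make. The manifest excerpt below is an added illustration written for this page, not the app's real manifest or code from the referenced repository; the package name com.example.dialer and the activity layout are hypothetical stand-ins, and only one of the two "FIXED" declarations would appear in a real manifest.

```xml
<!-- Hypothetical manifest excerpt (constructed for illustration; not the
     app's actual AndroidManifest.xml). Package and activity names are
     placeholders. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dialer">

    <!-- The dialer app itself legitimately holds CALL_PHONE. -->
    <uses-permission android:name="android.permission.CALL_PHONE" />

    <application android:label="Example Dialer">

        <!-- WEAK: an exported activity that turns any incoming intent into
             an ACTION_CALL. Because the activity runs with this app's
             CALL_PHONE grant, an app holding no permissions at all can use
             it as a confused deputy to place calls (the CWE-732 pattern). -->
        <activity
            android:name=".DialerActivity"
            android:exported="true" />

        <!-- FIXED, option 1: do not export the component when only this app
             needs to start it. Other apps can no longer target it by name. -->
        <activity
            android:name=".DialerActivity"
            android:exported="false" />

        <!-- FIXED, option 2: if third-party apps must be able to start it,
             require the *calling* app to hold CALL_PHONE itself, so the
             permission check is re-applied at the component boundary instead
             of being implicitly lent out by the dialer. -->
        <activity
            android:name=".DialerActivity"
            android:exported="true"
            android:permission="android.permission.CALL_PHONE" />
    </application>
</manifest>
```

Either fix removes the permission-free path; option 2 is the usual choice when the activity is a deliberate integration point, and note that Android 12 (API 31) and later also refuse to install an app whose intent-filtered components leave android:exported unset.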

Details

CWE(s)

CWE-732 (Incorrect Permission Assignment for Critical Resource), CWE-922 (Insecure Storage of Sensitive Information)
