CVE-2023-42469 in com.full.dialer.top.secure.encrypted

Summary

by MITRE • 09/13/2023

The com.full.dialer.top.secure.encrypted application through 1.0.1 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.full.dialer.top.secure.encrypted.activities.DialerActivity component.


Analysis

by VulDB Data Team • 02/02/2026

This vulnerability exists within the com.full.dialer.top.secure.encrypted Android application version 1.0.1 and earlier, representing a critical security flaw that undermines user privacy and device integrity. The vulnerability stems from improper intent filtering and component exposure within the application's manifest file, specifically targeting the DialerActivity component that handles phone call initiation. Attackers can exploit this weakness by crafting malicious intents that bypass normal user consent mechanisms, enabling unauthorized phone call placement without any required permissions. This represents a fundamental breakdown in Android's permission model and application sandboxing principles.

The technical implementation of this vulnerability leverages Android's intent system, where the DialerActivity component is exported without proper intent filtering or permission checks. This allows any application installed on the device to send intents directly to this component, effectively granting unrestricted access to the device's telephony functions. The flaw operates at the application level rather than requiring system-level privileges, making it particularly dangerous as it can be exploited by malicious apps that have already gained installation rights on the device. This type of vulnerability is classified as a privilege escalation issue where a component that should be restricted becomes globally accessible.

The operational impact of this vulnerability is severe and multifaceted: it can enable financial fraud, privacy violations, and device compromise. An attacker could place premium-rate calls, incur international charges, or trigger automated call sequences, causing significant financial loss for the victim. The vulnerability also threatens personal privacy, since unauthorized access to the device's calling capability can enable surveillance or social engineering attacks. Because no user interaction is required, detection is particularly difficult: users have no indication that unauthorized calls are being placed. This vulnerability directly maps to CWE-284 Access Control Issues and aligns with ATT&CK technique T1059 Command and Scripting Interpreter, where malicious code executes system-level commands through legitimate interfaces.

Mitigation strategies must address both immediate remediation and long-term architectural improvements to prevent similar vulnerabilities. The primary fix involves removing the exported attribute from the DialerActivity component in the AndroidManifest.xml file or implementing proper intent filtering with explicit permission checks. Organizations should also implement runtime monitoring to detect unauthorized intent usage patterns and establish application security testing protocols that include manifest review and component exposure analysis. The vulnerability highlights the importance of following secure coding practices such as the principle of least privilege and proper intent validation, which are fundamental requirements in secure mobile application development frameworks. Additionally, users should be educated about the risks of installing applications from untrusted sources and the importance of regularly reviewing installed applications and their permissions.
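The following AndroidManifest.xml fragments are an added illustration of the fix described above; they are hypothetical and are not the application's actual manifest, which this page does not reproduce (the intent-filter contents are assumed). One caveat worth stating: when an activity declares an intent-filter, simply deleting the android:exported attribute is not sufficient, because Android then treats the component as exported by default (and apps targeting API 31 or later must declare the attribute explicitly), so the attribute has to be set to false or the component guarded by a permission.

```xml
<!-- Hypothetical fragment added as an example; not the app's real manifest. -->

<!-- BEFORE: the activity is reachable from any other installed app.  An
     explicit intent naming the component reaches it regardless of the
     intent-filter, and the filter itself would also make it exported by
     default if android:exported were omitted. -->
<activity
    android:name="com.full.dialer.top.secure.encrypted.activities.DialerActivity"
    android:exported="true">
    <intent-filter>  <!-- assumed filter; typical for a dialer activity -->
        <action android:name="android.intent.action.DIAL" />
        <category android:name="android.intent.category.DEFAULT" />
        <data android:scheme="tel" />
    </intent-filter>
</activity>

<!-- AFTER, option 1: the activity is only ever started from inside this app,
     so it is declared non-exported.  No other process can start it, whatever
     intent it crafts. -->
<activity
    android:name="com.full.dialer.top.secure.encrypted.activities.DialerActivity"
    android:exported="false" />

<!-- AFTER, option 2: the activity must stay reachable (for example to act as
     a tel: handler), so it is gated on a permission.  Android only delivers
     the intent if the calling app itself holds CALL_PHONE, which is a
     dangerous permission the user must have granted to that caller. -->
<activity
    android:name="com.full.dialer.top.secure.encrypted.activities.DialerActivity"
    android:exported="true"
    android:permission="android.permission.CALL_PHONE">
    <intent-filter>
        <action android:name="android.intent.action.DIAL" />
        <category android:name="android.intent.category.DEFAULT" />
        <data android:scheme="tel" />
    </intent-filter>
</activity>
```

Independently of the manifest, the activity's own code should still require a user tap before it invokes ACTION_CALL, so that a received intent can at most pre-fill the number rather than place the call.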

Reservation

09/11/2023

Disclosure

09/13/2023

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00309

KEV

no

Activities

very low
