CVE-2024-36062 in com.callassistant.android

Summary

by MITRE • 11/08/2024

The com.callassistant.android (aka AI Call Assistant & Screener) application 1.174 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.callassistant.android.ui.call.incall.InCallActivity component.


Analysis

by VulDB Data Team • 06/14/2025

The vulnerability identified as CVE-2024-36062 affects version 1.174 of the com.callassistant.android application for Android and is a critical access-control flaw: any installed application can make the app initiate phone calls without the user's consent. This is a significant breach of user privacy and device security, and it arises from an insecure intent-handling path in the application's component architecture. The affected component is com.callassistant.android.ui.call.incall.InCallActivity, which serves as the entry point for the call-initiation functionality.

Technically, the vulnerability stems from improper intent filtering and component exposure in the application's manifest configuration. The application does not validate or authenticate incoming intents sent to the InCallActivity component, so any installed application, regardless of its own permissions, can trigger the call-initiation sequence. The flaw is classified as CWE-284 (Improper Access Control) and is a concrete case of weak component-level security controls: in the Android component model an exported activity can be launched by another application's intent, and here that launch is processed without any authorization check.

The operational impact of this vulnerability extends beyond simple unauthorized calling, as it creates a persistent threat vector that could enable various malicious activities including premium rate number exploitation, spam calling campaigns, and potential financial fraud. Attackers could leverage this vulnerability to silently place calls to expensive numbers, potentially generating unauthorized charges without user knowledge. The absence of permission requirements for the triggering application means that even basic applications with minimal privileges could exploit this flaw, making the attack surface extremely broad and difficult to detect. This vulnerability directly maps to ATT&CK technique T1059.007 for Android applications, specifically targeting command and control through unauthorized system interactions.

Mitigating this vulnerability requires an application update that adds proper intent filtering and component protection. The application should validate intents strictly, verifying the calling application's identity and permissions before processing a call-initiation request. Components that external applications should not reach must be marked android:exported="false", and components that have to stay exported should be guarded with checks through the Android permission system. Developers should additionally verify intent senders through signature checking or an application-specific authentication mechanism. Organizations should audit their Android applications comprehensively, including dynamic analysis and penetration testing, to find similar insecure component exposures. The fix should also add logging and monitoring of unauthorized call-initiation attempts so that exploitation can be detected.
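The exposure described above and the audit guidance in the mitigation paragraph can be checked mechanically at the manifest level. The following Python script is an added example, not VulDB's or the vendor's code: it parses an AndroidManifest.xml and reports components that any installed app can reach, applying the three rules the text names (explicit android:exported="true" with no android:permission, export implied by an intent-filter when android:exported is absent, and guard permissions whose protectionLevel is not signature-level). The two manifests embedded in it are constructed to mirror the reported pattern and its hardened form; only the InCallActivity component name comes from the advisory, and the other component and permission names are invented for illustration.

```python
"""Audit an AndroidManifest.xml for components that any installed app can drive.

Added example for this advisory (not the project's code). The manifests at the
bottom are constructed; only the InCallActivity name is taken from the CVE.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def _is_launcher(elem):
    """A MAIN/LAUNCHER activity has to be exported, so it is not reported."""
    for flt in elem.findall("intent-filter"):
        actions = {_attr(a, "name") for a in flt.findall("action")}
        cats = {_attr(c, "name") for c in flt.findall("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in cats):
            return True
    return False


def _is_exported(elem):
    """Android's default: no android:exported but an <intent-filter> means
    exported (the platform behaviour before targetSdk 31 forced it explicit)."""
    exported = _attr(elem, "exported")
    if exported is not None:
        return exported.strip().lower() == "true"
    return elem.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return [(component_name, reason)] for components reachable by any app."""
    root = ET.fromstring(xml_text)
    # protectionLevel of each permission the app declares itself; platform
    # permissions the app merely references are left unjudged
    declared = {_attr(p, "name"): (_attr(p, "protectionLevel") or "normal")
                for p in root.findall("permission")}
    findings = []
    app = root.find("application")
    if app is None:
        return findings
    for elem in app:
        if elem.tag not in COMPONENT_TAGS or not _is_exported(elem):
            continue
        if elem.tag == "activity" and _is_launcher(elem):
            continue
        name, perm = _attr(elem, "name"), _attr(elem, "permission")
        if perm is None:
            findings.append((name, "exported with no android:permission"))
            continue
        level = declared.get(perm)
        if level is not None and "signature" not in level:  # normal/dangerous: any app can hold it
            findings.append((name, f"guarded only by {perm} (protectionLevel {level})"))
    return findings


# Constructed manifest mirroring the reported exposure (not the real app's).
VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.callassistant.android">
  <permission android:name="com.callassistant.android.permission.PLACE_CALL"
      android:protectionLevel="normal"/>
  <application>
    <activity android:name=".ui.MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name="com.callassistant.android.ui.call.incall.InCallActivity"
        android:exported="true"/>
    <receiver android:name=".CallStateReceiver">
      <intent-filter><action android:name="android.intent.action.PHONE_STATE"/></intent-filter>
    </receiver>
    <service android:name=".CallControlService" android:exported="true"
        android:permission="com.callassistant.android.permission.PLACE_CALL"/>
  </application>
</manifest>"""

# Hardened form (constructed, launcher activity omitted): InCallActivity is
# internal and the service is guarded by a signature-level permission.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.callassistant.android">
  <permission android:name="com.callassistant.android.permission.PLACE_CALL"
      android:protectionLevel="signature"/>
  <application>
    <activity android:name="com.callassistant.android.ui.call.incall.InCallActivity"
        android:exported="false"/>
    <service android:name=".CallControlService" android:exported="true"
        android:permission="com.callassistant.android.permission.PLACE_CALL"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("vulnerable", VULNERABLE_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(f"{label}: {audit_manifest(manifest) or 'no findings'}")
```

Run against a decoded manifest (for example one pulled from an APK with apktool), the script lists every component an unprivileged app could target; the launcher activity is deliberately excluded because it must be exported. A signature-level permission is the right guard for a component that has to stay exported, since only apps signed with the same key can hold it, whereas a normal-level permission is granted to any app that requests it and therefore protects nothing.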

Responsible

MITRE

Reservation

05/19/2024

Disclosure

11/08/2024

Moderation

accepted

CPE

ready

EPSS

0.00186

KEV

no

Activities

very low

Sources
