CVE-2024-36063 in com.goodwy.dialer

Summary

by MITRE • 11/08/2024

The Goodwy com.goodwy.dialer (aka Right Dialer) application through 5.1.0 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.goodwy.dialer.activities.DialerActivity component.


Analysis

by VulDB Data Team • 11/08/2024

The vulnerability identified as CVE-2024-36063 affects the Goodwy com.goodwy.dialer application version 5.1.0 and earlier on Android platforms. This represents a critical security flaw that allows arbitrary applications to initiate phone calls without any user consent or interaction. The vulnerability stems from improper intent handling within the application's architecture, specifically within the com.goodwy.dialer.activities.DialerActivity component. The flaw enables malicious actors to exploit this weakness by sending crafted intents that trigger the dialer application to place calls automatically.

This security weakness falls under the category of insecure intent handling and represents a direct violation of Android's security model. The vulnerability creates an attack surface where any application, regardless of permissions or user authorization, can leverage this flaw to execute unauthorized phone calls. The technical implementation appears to lack proper intent filtering or validation mechanisms that should normally prevent unauthorized applications from triggering sensitive system functions. The absence of proper access controls or authentication checks within the DialerActivity component allows for privilege escalation through intent manipulation.

The operational impact of this vulnerability is severe and multifaceted. Attackers can exploit this flaw to initiate premium rate calls, international calls, or calls to any other phone number without user knowledge or consent. This creates significant financial risks for users who may incur unexpected charges from unauthorized calls. Additionally, the vulnerability can be leveraged for social engineering attacks, where malicious applications could automatically dial emergency services or contact numbers to create false alarms. The absence of any user-interaction requirement makes this attack vector particularly dangerous, as it bypasses the normal user awareness mechanisms that typically prevent unauthorized actions.

From a cybersecurity perspective, this vulnerability aligns with CWE-284 (Improper Access Control) and potentially CWE-352 (Cross-Site Request Forgery) when considering the intent-based attack surface. The flaw also maps to several ATT&CK techniques including T1059 (Command and Scripting Interpreter) and T1566 (Phishing) where the unauthorized call functionality could be used as a delivery mechanism. The vulnerability essentially allows for unauthorized remote code execution through the phone system interface, creating a persistent threat vector that can be exploited repeatedly without requiring additional permissions or user interaction.

Mitigation strategies should focus on immediate application updates from Goodwy to address the intent handling flaw. Users should avoid installing applications from untrusted sources and regularly update their dialer applications to the latest secure versions. The application developers must implement proper intent filtering and validation mechanisms to ensure that only authorized components can trigger the dialer functionality. Additionally, Android security teams should consider implementing stricter intent permission controls and monitoring for suspicious intent usage patterns. Organizations should also implement mobile device management policies that restrict the installation of potentially malicious applications and monitor for unauthorized call activity on managed devices.
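The following Kotlin is an added illustration of the developer-side mitigation described above; it is not code from the Goodwy project and does not claim to show how DialerActivity is implemented. It contrasts the general "confused deputy" pattern (an exported activity that places a call on behalf of an unprivileged sender) with a hardened form that validates the received number and requires an explicit user tap before any call is placed. Class names (WeakDialActivity, HardenedDialActivity), the helper names and the manifest fragment in the comment are hypothetical; the Android framework APIs used are real.

```kotlin
// Added illustration, not code from the Goodwy project. Class names, helper names and the
// manifest fragment in the comments are hypothetical; the Android APIs are real.
package example.dialer

import android.Manifest
import android.app.Activity
import android.app.AlertDialog
import android.content.Intent
import android.content.pm.PackageManager
import android.net.Uri
import android.os.Bundle
import android.telephony.PhoneNumberUtils

/*
 * Weak pattern (the class of flaw described in the analysis): an exported activity accepts
 * a tel: URI from any sender and immediately places the call using the dialer's own
 * CALL_PHONE permission. The sender needs no permission and the user never confirms.
 */
class WeakDialActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val target = intent?.data
        if (target != null) {
            startActivity(Intent(Intent.ACTION_CALL, target)) // call placed with no user action
        }
        finish()
    }
}

/*
 * Hardened form. Two controls, applied together:
 *
 * 1. Manifest (hypothetical fragment). An activity that only pre-fills a number may stay
 *    open to every app via ACTION_DIAL, because it never calls on its own. Any activity
 *    whose intent-filter accepts ACTION_CALL must instead carry
 *    android:permission="android.permission.CALL_PHONE", so the system rejects senders
 *    that do not hold CALL_PHONE themselves.
 *
 *    <activity android:name=".HardenedDialActivity" android:exported="true">
 *        <intent-filter>
 *            <action android:name="android.intent.action.DIAL" />
 *            <category android:name="android.intent.category.DEFAULT" />
 *            <data android:scheme="tel" />
 *        </intent-filter>
 *    </activity>
 *
 * 2. Code. A number received from another app is validated, shown to the user, and dialed
 *    only after an explicit tap.
 */
class HardenedDialActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val number = extractDialable(intent)
        if (number == null) {
            finish()
            return
        }
        // Never call straight from an incoming intent; the user decides.
        AlertDialog.Builder(this)
            .setTitle("Place call?")
            .setMessage(number)
            .setPositiveButton("Call") { _, _ -> placeCall(number) }
            .setNegativeButton("Cancel") { _, _ -> finish() }
            .setOnCancelListener { finish() }
            .show()
    }

    // Accept only a tel: URI whose scheme-specific part is a plain dialable string.
    private fun extractDialable(i: Intent?): String? {
        val uri = i?.data ?: return null
        if (uri.scheme != "tel") return null
        val raw = uri.schemeSpecificPart ?: return null
        val digits = PhoneNumberUtils.stripSeparators(raw)
        if (digits.isEmpty() || digits.length > 20) return null
        if (!digits.all { it.isDigit() || it == '+' || it == '*' || it == '#' }) return null
        return digits
    }

    private fun placeCall(number: String) {
        // The dialer's own runtime permission must be granted before ACTION_CALL.
        if (checkSelfPermission(Manifest.permission.CALL_PHONE) != PackageManager.PERMISSION_GRANTED) {
            finish()
            return
        }
        startActivity(Intent(Intent.ACTION_CALL, Uri.fromParts("tel", number, null)))
        finish()
    }
}
```

The design point is that the permission check must apply to the sender, not to the dialer: the dialer legitimately holds CALL_PHONE, so checking its own permission proves nothing about who sent the intent. Either the system enforces the sender's permission (the android:permission attribute on any ACTION_CALL entry point) or a human confirms the call; the hardened activity above relies on the second for ACTION_DIAL and leaves ACTION_CALL to a permission-guarded entry point.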

Responsible

MITRE

Reservation

05/19/2024

Disclosure

11/08/2024

Moderation

accepted

CPE

ready

EPSS

0.00310

KEV

no

Activities

very low
