CVE-2024-36064 in com.nll.cb
Summary
by MITRE • 11/08/2024
The NLL com.nll.cb (aka ACR Phone) application through 0.330-playStore-NoAccessibility-arm8 for Android allows any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.nll.cb.dialer.dialer.DialerActivity component.
Analysis
by VulDB Data Team • 11/08/2024
The vulnerability identified as CVE-2024-36064 affects the NLL com.nll.cb application, commonly known as ACR Phone, version 0.330-playStore-NoAccessibility-arm8 for Android devices. This represents a critical security flaw that fundamentally undermines the device's telephony security model by enabling unauthorized applications to execute phone calls without any user consent or interaction. The vulnerability specifically resides within the com.nll.cb.dialer.dialer.DialerActivity component, which serves as an entry point for dialing functionality within the application.
The vulnerability stems from improper intent filtering and component exposure within the Android application's manifest file. The DialerActivity component is configured with insufficient permission requirements or lacks proper intent verification mechanisms, allowing any application installed on the device to send intents directly to this activity. This flaw essentially creates an attack surface where malicious applications can exploit the dialer functionality through the standard Android intent system without requiring any special permissions or user interaction. The vulnerability maps directly to CWE-284 Access Control Issues, specifically concerning insufficient access control on Android components that should be protected from unauthorized access.
From an operational perspective, this vulnerability presents a severe risk to user privacy and device security. Any installed application, regardless of its permissions or user consent status, can leverage this flaw to initiate phone calls to arbitrary numbers. This capability opens numerous attack vectors including premium rate number exploitation, unauthorized billing, social engineering attacks, and potential data exfiltration through call-based communication channels. The impact extends beyond simple privacy violations as it enables financial fraud and can be used for coordinated attacks against users. Attackers could potentially use this vulnerability to make calls to premium rate numbers, generate fraudulent charges, or even create botnet command and control infrastructure using phone calls as communication channels.
The security implications of CVE-2024-36064 align with several ATT&CK framework techniques including T1059 Command and Scripting Interpreter and T1190 Exploit Public-Facing Application, as the vulnerability allows for arbitrary command execution through the phone dialer interface. The flaw also relates to T1566 Impersonation techniques where attackers can impersonate legitimate application functionality to perform unauthorized actions. Additionally, this vulnerability demonstrates poor security practices in Android application development, particularly around component exposure and intent filtering. The lack of proper access control checks means that the application fails to properly validate the identity and authorization level of applications attempting to interact with its dialer functionality.
Mitigation strategies for this vulnerability should include immediate patching of the affected application to implement proper intent filtering and access control mechanisms. The application should be configured to require explicit permissions or authentication before allowing external applications to trigger dialer functionality. Developers should implement proper intent verification by checking the calling application's identity and permissions before processing dialer intents. Security hardening measures should include setting appropriate intent filters with restricted access, implementing proper component protection through AndroidManifest.xml configuration, and ensuring that sensitive components like dialer activities are not exported without proper security controls. Organizations should also implement mobile application security monitoring to detect and prevent exploitation attempts, while users should be advised to avoid installing untrusted applications that might exploit this vulnerability. The vulnerability highlights the importance of following Android security best practices including proper component exposure management and intent validation, which are fundamental requirements for maintaining application security boundaries.
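The component-exposure check recommended above can be automated during app review. The following is an added example, not code from VulDB, MITRE or the vendor: it audits a decoded AndroidManifest.xml for exported components that carry no permission guard. The manifest, the package name com.example.dialer and the activity names are constructed for illustration and do not reproduce the real com.nll.cb manifest.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed manifest for a hypothetical app; NOT the real com.nll.cb manifest.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.dialer">
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <activity android:name=".OpenDialerActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.CALL"/></intent-filter>
    </activity>
    <activity android:name=".GuardedDialerActivity" android:exported="true"
              android:permission="android.permission.CALL_PHONE">
      <intent-filter><action android:name="android.intent.action.CALL"/></intent-filter>
    </activity>
    <activity android:name=".LegacyActivity">
      <intent-filter><action android:name="android.intent.action.DIAL"/></intent-filter>
    </activity>
    <activity android:name=".InternalActivity" android:exported="false"/>
  </application>
</manifest>"""

def holds_permission(manifest_xml, permission):
    """True if the app itself requests `permission` (what a caller could borrow)."""
    root = ET.fromstring(manifest_xml)
    return any(p.get(A + "name") == permission for p in root.findall("uses-permission"))

def unprotected_exported_components(manifest_xml):
    """List (tag, name, actions) for components any other app can reach unguarded."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return []
    app_perm = app.get(A + "permission")  # default guard inherited by all components
    findings = []
    for tag in ("activity", "activity-alias", "service", "receiver"):
        for comp in app.findall(tag):
            exported = comp.get(A + "exported")
            has_filter = comp.find("intent-filter") is not None
            # With no explicit attribute, an intent filter implied exported=true
            # for apps targeting below API 31.
            is_exported = exported == "true" or (exported is None and has_filter)
            if is_exported and not (comp.get(A + "permission") or app_perm):
                actions = sorted(a.get(A + "name") for a in comp.iter("action"))
                findings.append((tag, comp.get(A + "name"), actions))
    return findings

if __name__ == "__main__":
    print("holds CALL_PHONE:", holds_permission(SAMPLE_MANIFEST, "android.permission.CALL_PHONE"))
    for finding in unprotected_exported_components(SAMPLE_MANIFEST):
        print("review:", finding)  # triage needed: launcher activities are exported by design
```

Findings are candidates for review, not confirmed flaws: an exported component is a problem when it performs a privileged action, such as placing a call, that the app's own permissions allow but the caller's do not.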