CVE-2023-29739

Vulnerability

Alarm Clock for Heavy Sleepers (com.amdroidalarmclock.amdroid) version 5.3.2 for Android exposes the component com.amdroidalarmclock.amdroid.ApiCalls without proper permissions or intent filtering. A malicious third-party app installed on the same device can send arbitrary intents with action android.intent.action.SET_ALARM and extras such as hour, minutes, message, and days, triggering privileged functionality that should be restricted to the alarm clock itself [1][2][3].

Exploitation

An attacker needs only for the victim to have the vulnerable version of the app installed. No authentication, user interaction, or special permissions beyond the default Android runtime capabilities are required. The attacker's app repeatedly broadcasts crafted intents targeting the exposed ApiCalls component, passing alarm parameters (hour, minutes, message, a list of days) to set alarms without the user's consent or knowledge [3].

Impact

Successful exploitation allows an unauthorized app to create, modify, or delete alarms on the victim's device, effectively escalating privileges from a normal third-party app to that of the alarm clock's internal functionality. This can lead to denial of service (e.g., disabling important alarms), privacy leakage (e.g., setting alarms with misleading messages), or disruption of the user's schedule [3].

Mitigation

No official fix has been published by the vendor as of the CVE publication date (2023-05-30). Users should uninstall version 5.3.2 and monitor the Google Play Store for a patched release. There is no known workaround to block the exposed component without modifying the app's manifest [3].