VYPR
← All advisories
Unrated severityNVD Advisory· Published Sep 13, 2023· Updated Sep 26, 2024

CVE-2023-42468

CVE-2023-42468

Description

The com.cutestudio.colordialer application through 2.1.8-2 for Android allows a remote attacker to initiate phone calls without user consent, because of improper export of the com.cutestudio.dialer.activities.DialerActivity component. A third-party application (without any permissions) can craft an intent targeting com.cutestudio.dialer.activities.DialerActivity via the android.intent.action.CALL action in conjunction with a tel: URI, thereby placing a phone call.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The com.cutestudio.colordialer DialerActivity component is improperly exported, allowing any Android app to initiate phone calls without user permission.

Vulnerability

The com.cutestudio.colordialer application through version 2.1.8-2 for Android exposes the com.cutestudio.dialer.activities.DialerActivity component with android:exported="true" and an intent-filter that handles the android.intent.action.CALL action with a tel: URI scheme [2]. This improper export (CWE-284) allows any third-party application to send crafted intents to this activity without requiring any permissions or user consent [1][2]. Note that as of version 2.2.5, the vulnerability remains unpatched [2].

Exploitation

A remote attacker can exploit this by crafting an intent from a third-party Android application (which holds no special permissions) using android.intent.action.CALL paired with a tel: URI [1][2]. The attacker sets the intent's component to com.cutestudio.colordialer and com.cutestudio.dialer.activities.DialerActivity, and specifies the target phone number (e.g., tel:+1234567890). When the third-party app calls startActivity(dialerIntent), the vulnerable DialerActivity is launched and immediately places the phone call without any verification or user interaction [1][2].

Impact

Successful exploitation allows an attacker to initiate arbitrary phone calls from the victim's device without the victim's knowledge or consent [1][2]. This can lead to toll fraud, denial of service (by tying up the phone line), or privacy impacts if the call content is monitored by the attacker. The attacker does not need any Android permissions or user interaction to achieve this [2].

Mitigation

As of version 2.2.5 (the latest version mentioned in the references), the vulnerability remains unpatched [2]. The developer should set the android:exported attribute of DialerActivity to false or remove the intent-filter for android.intent.action.CALL if external access is not required [2]. Until a fix is released, users may consider uninstalling the application or using a third-party firewall to block outgoing calls from the app. No CISA KEV listing has been reported for this CVE.

References
  1. com.cutestudio.colordialer/dialerPOC.apk at main · actuator/com.cutestudio.colordialer
  2. com.cutestudio.colordialer/CWE-284.md at main · actuator/com.cutestudio.colordialer

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • com.cutestudio.colordialer/com.cutestudio.colordialerdescription
  • ColorDialer/ColorDialerllm-create
    Range: <=2.1.8-2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Improper export of the DialerActivity component allows any third-party app to invoke it without permission or user consent."

Attack vector

A remote attacker (via a third-party application installed on the same device) can craft an intent with `android.intent.action.CALL` and a `tel:` URI (e.g., `tel:+1234567890`), targeting `com.cutestudio.dialer.activities.DialerActivity` by its component name [ref_id=1]. Because the activity is improperly exported [CWE-284], the Android system delivers the intent without any permission or user-interaction requirement, causing the dialer to immediately place the phone call. No user consent or special app permissions are needed to trigger this behavior.

Affected code

The vulnerable component is `com.cutestudio.dialer.activities.DialerActivity` declared in the AndroidManifest.xml of `com.cutestudio.colordialer`. The manifest sets `android:exported="true"` on this activity and registers an intent-filter for `android.intent.action.CALL` with the `tel:` scheme [ref_id=1]. No permission checks or origin verification are enforced on incoming intents.

What the fix does

The advisory notes that as of version 2.2.5 the vulnerability remains unpatched [ref_id=1]. The recommended fix is to set `android:exported="false"` on the `DialerActivity` in AndroidManifest.xml if external access is not required. If the activity must remain exported, the developer should implement strict intent verification to ensure only authenticated or trusted intents are accepted [ref_id=1].

Preconditions

  • inputThe attacker must have a third-party application installed on the same Android device.
  • configThe target device must have com.cutestudio.colordialer installed (version through 2.2.5).

Reproduction

Create an Android app that executes the following intent (Java example from the advisory):

```java Intent dialerIntent = new Intent("android.intent.action.CALL"); dialerIntent.setComponent(new ComponentName("com.cutestudio.colordialer", "com.cutestudio.dialer.activities.DialerActivity")); dialerIntent.setData(Uri.parse("tel:+1234567890")); startActivity(dialerIntent); ```

Install and run this app on a device that also has `com.cutestudio.colordialer` installed. The phone call to `+1234567890` will be placed immediately without any user prompt or permission grant [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.