CVE-2024-36064
Description
The NLL com.nll.cb (aka ACR Phone) application through 0.330-playStore-NoAccessibility-arm8 for Android allows any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.nll.cb.dialer.dialer.DialerActivity component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The ACR Phone app (com.nll.cb) on Android up to version 0.330-playStore-NoAccessibility-arm8 allows any installed app to place phone calls without user interaction via a crafted intent to DialerActivity.
Vulnerability Description
The NLL com.nll.cb (ACR Phone) application, up to version 0.330-playStore-NoAccessibility-arm8 for Android, contains a vulnerability that allows any installed application to initiate phone calls without user interaction. The root cause is that the com.nll.cb.dialer.dialer.DialerActivity component is unintentionally exported and can be triggered by a crafted intent from any app, even one with no permissions [1].
Attack Vector and Prerequisites
An attacker needs to have any application installed on the victim's device; no special permissions are required. The malicious app simply sends a specially crafted intent to the DialerActivity component. No user interaction is needed for the call to be placed once the intent is delivered, making the attack straightforward to execute from any untrusted app [1].
Impact
A successful exploit allows the attacker to make phone calls arbitrarily, which can result in financial charges (e.g., premium-rate numbers), disruption of service, or potential privacy intrusions if the call is to a service that can record audio. The impact is limited to call placement; the attacker cannot control the microphone or other device functions beyond dialing [1].
Mitigation
As of November 2024, no patch has been released for this vulnerability. Users are advised to refrain from installing untrusted applications on devices where ACR Phone is installed, or to consider using alternative call recording apps that do not expose such components. The vulnerability has been publicly documented, increasing the risk of exploitation [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.