CVE-2024-37573

Vulnerability

Overview

The Talkatone Android application (com.talkatone.android) version 8.4.6 exposes a component named com.talkatone.vedroid.ui.launcher.OutgoingCallInterceptor that can be triggered by any installed application without requiring any permissions. This component processes intents and can initiate phone calls directly, bypassing user consent [1].

Exploitation

An attacker with a malicious app installed on the same device can send a crafted intent to the vulnerable component. No special permissions are needed, and the attack does not require user interaction. The malicious app simply needs to be installed on the device; it can then invoke the OutgoingCallInterceptor to place calls at will [1].

Impact

Successful exploitation allows the attacker to place phone calls from the victim's device without the user's knowledge or consent. This could lead to unauthorized charges, privacy violations, or use of the device for fraudulent activities. The CVSS v3 score of 8.4 (High) reflects the low complexity and lack of required privileges or user interaction [1].

Mitigation

As of the publication date (2024-10-30), no official patch has been announced. Users are advised to update the app if a fix becomes available, or consider removing the app if it is not essential. The vulnerability has been publicly documented, increasing the risk of exploitation [1].