CVE-2024-36063 identifies a critical vulnerability in the Goodwy com.goodwy.dialer (Right Dialer) Android application, specifically affecting versions through 5.1.0. The vulnerability allows any installed application, even those without any declared permissions, to initiate phone calls without user consent or interaction. This is achieved by sending a specially crafted intent to the exposed component com.goodwy.dialer.activities.DialerActivity. The root cause is improper access control on this component, classified under CWE-276 (Incorrect Default Permissions). Because the component is exported and does not enforce permission checks, malicious apps can exploit this to place calls silently, potentially leading to unauthorized charges, privacy breaches, or social engineering attacks. The vulnerability has a CVSS 3.1 base score of 7.5, indicating high severity due to its network attack vector, lack of required privileges, no user interaction, and high impact on integrity (unauthorized call placement). No patches or official fixes have been published yet, and no exploits are currently known in the wild. This vulnerability highlights the risks of exposed Android components without proper permission enforcement, especially in telephony-related apps.

The primary impact of CVE-2024-36063 is unauthorized call initiation by malicious apps without user knowledge or consent. This can lead to significant financial losses for users or organizations due to fraudulent calls to premium-rate numbers or toll services. Privacy is also compromised as calls could be placed to contacts or services without user approval, potentially exposing sensitive information or enabling further social engineering attacks. For organizations, compromised devices could be leveraged as part of larger fraud schemes or to disrupt communications. The lack of required permissions and user interaction lowers the barrier for exploitation, increasing the risk of widespread abuse. Although availability and confidentiality impacts are minimal, the integrity of telephony functions is severely affected. The absence of patches means affected users remain vulnerable until mitigations or updates are applied.

Since no official patches are currently available, organizations and users should implement the following mitigations: 1) Restrict installation of untrusted or unknown applications to reduce the risk of malicious apps exploiting this vulnerability. 2) Use mobile device management (MDM) solutions to monitor and control app permissions and behavior, including blocking apps that attempt to send intents to the vulnerable component. 3) Disable or uninstall the Goodwy Right Dialer app if it is not essential or replace it with a trusted dialer application that enforces proper permission checks. 4) Employ runtime application behavior monitoring tools that can detect unauthorized call attempts and alert users or administrators. 5) Educate users about the risks of installing apps from unofficial sources and encourage vigilance regarding unexpected phone calls or charges. 6) Monitor telephony usage logs for unusual call patterns indicative of exploitation. 7) Stay alert for vendor updates or patches and apply them promptly once available. These steps go beyond generic advice by focusing on controlling app behavior and reducing exposure until a fix is released.