CVE-2024-36064: n/a
The NLL com.nll.cb (aka ACR Phone) application through 0.330-playStore-NoAccessibility-arm8 for Android allows any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.nll.cb.dialer.dialer.DialerActivity component.
AI Analysis
Technical Summary
CVE-2024-36064 is a vulnerability identified in the NLL com.nll.cb (also known as ACR Phone) Android application, specifically in versions up to 0.330-playStore-NoAccessibility-arm8. The flaw allows any installed application on the device, even one without any granted permissions, to initiate phone calls without any user interaction. This is achieved by sending a crafted intent to the vulnerable component com.nll.cb.dialer.dialer.DialerActivity, which lacks proper access control or intent validation. The vulnerability stems from improper intent filtering and insufficient validation, and is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation, commonly related to injection issues). The CVSS 3.1 base score is 6.2, indicating medium severity, with the vector AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N: the attack requires local access (code already running on the device, here an installed app), low attack complexity, no privileges and no user interaction, and it impacts integrity but not confidentiality or availability. No patches or fixes had been published at the time of disclosure, and no known exploits have been detected in the wild. The vulnerability allows unauthorized call placement, which could lead to financial fraud, unauthorized premium-rate calls, or loss of user trust. Since exploitation requires only a locally installed app with no permissions and no user interaction, it poses a significant risk, especially on devices where users install untrusted apps. The vulnerability is limited to devices running the affected version of the NLL com.nll.cb app, which is an Android telephony application.
Potential Impact
The primary impact of CVE-2024-36064 is unauthorized integrity violation through silent phone call initiation by malicious apps without any permissions or user interaction. This can lead to financial losses if calls are made to premium-rate numbers, privacy breaches if calls are placed without user knowledge, and potential reputational damage for organizations relying on the affected app. Although confidentiality and availability are not directly impacted, the unauthorized call capability can be exploited for fraud or social engineering attacks. The ease of exploitation (no permissions or UI interaction required) increases the risk, especially in environments where users install apps from untrusted sources. Organizations with employees or customers using the vulnerable app may face increased risk of fraud or abuse. The lack of patches increases exposure duration. The scope is limited to devices with the vulnerable app installed, but given Android's large market share, the affected user base could be substantial.
Mitigation Recommendations
To mitigate CVE-2024-36064, organizations and users should:
1) Monitor for official patches or updates from the NLL com.nll.cb app developer and apply them promptly once available.
2) Restrict installation of untrusted or unknown applications on devices running the vulnerable app to prevent malicious apps from exploiting the flaw.
3) Employ mobile device management (MDM) solutions to control app installations and monitor for suspicious behavior related to call initiation.
4) Use Android security features such as Play Protect and app permission reviews to limit exposure.
5) Consider disabling or uninstalling the vulnerable app if it is not essential.
6) For developers, implement strict intent validation and access control on exported components to prevent unauthorized intent handling.
7) Educate users about the risks of installing apps from unknown sources and encourage vigilance regarding unexpected phone call behavior.
These steps go beyond generic advice by focusing on controlling app installation, monitoring intent usage, and enforcing stricter component security.
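As an added illustration of recommendation 6, the following hypothetical AndroidManifest fragment (written for this page, not the ACR Phone project's own manifest, which is not shown here) contrasts a dialer activity that any app can launch with one whose launch is gated on the caller holding CALL_PHONE. Only the component name DialerActivity comes from the advisory; the intent filters, the DialPreviewActivity name and the choice of guarding permission are assumptions.

```xml
<!-- Added example: hypothetical manifest, not code from the ACR Phone project. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android">

    <!-- The dialer app itself must hold CALL_PHONE to place calls. -->
    <uses-permission android:name="android.permission.CALL_PHONE" />

    <application android:label="Example Dialer">

        <!-- WEAK (the pattern described in CVE-2024-36064): an exported
             activity with an intent filter and no permission guard. Any
             installed app, holding no permissions of its own, can start it;
             if the activity then dials the tel: URI it receives without a
             confirmation step, the caller has effectively gained CALL_PHONE.
             In a real manifest this declaration would be replaced by the
             hardened ones below, not kept alongside them. -->
        <activity android:name=".DialerActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.CALL" />
                <category android:name="android.intent.category.DEFAULT" />
                <data android:scheme="tel" />
            </intent-filter>
        </activity>

        <!-- HARDENED: a client must itself hold CALL_PHONE to launch the
             activity that actually places a call. The system enforces this
             before any activity code runs, so an unprivileged app receives a
             SecurityException instead of a placed call. If no other app ever
             needs to start this component, android:exported="false" is the
             stronger choice. -->
        <activity android:name=".DialerActivity"
            android:exported="true"
            android:permission="android.permission.CALL_PHONE">
            <intent-filter>
                <action android:name="android.intent.action.CALL" />
                <category android:name="android.intent.category.DEFAULT" />
                <data android:scheme="tel" />
            </intent-filter>
        </activity>

        <!-- Unprivileged apps keep the no-permission path Android intends:
             ACTION_DIAL only pre-fills the number and the user must tap
             "call", so this activity may stay open to everyone. -->
        <activity android:name=".DialPreviewActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.DIAL" />
                <category android:name="android.intent.category.DEFAULT" />
                <data android:scheme="tel" />
            </intent-filter>
        </activity>
    </application>
</manifest>
```

Since Android 12 (API 31) a component with an intent filter must declare android:exported explicitly, which also makes the audit of which components are reachable from other apps a simple manifest grep.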
Affected Countries
United States, India, Brazil, Indonesia, Russia, Germany, United Kingdom, France, Mexico, South Africa
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-05-19T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c5bb7ef31ef0b56348e
Added to database: 2/25/2026, 9:40:43 PM
Last enriched: 2/26/2026, 4:59:03 AM
Last updated: 4/12/2026, 3:57:43 PM