
CVE-2024-37573: n/a

Severity: High
Published: Wed Oct 30 2024 (10/30/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

CVE-2024-37573 is a high-severity vulnerability in the Talkatone Android app version 8.4.6 that allows any installed application, even without permissions, to place phone calls silently by exploiting the OutgoingCallInterceptor component. This flaw requires no user interaction or privileges, enabling attackers to initiate calls without consent, potentially leading to unauthorized charges, privacy breaches, and denial of service. The vulnerability stems from improper intent handling in the com.talkatone.vedroid.ui.launcher.OutgoingCallInterceptor component.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 05:13:02 UTC

Technical Analysis

CVE-2024-37573 is a vulnerability identified in the Talkatone Android application version 8.4.6, which allows any installed application on the device to place phone calls without requiring any permissions or user interaction. The root cause lies in the insecure handling of intents by the component com.talkatone.vedroid.ui.launcher.OutgoingCallInterceptor. Specifically, this component accepts crafted intents from any app, enabling the initiation of outgoing calls silently. This bypasses Android's normal permission model, which typically requires CALL_PHONE permission and user consent for placing calls. The vulnerability is rated with a CVSS 3.1 score of 8.4 (high severity), reflecting its potential for high impact on confidentiality, integrity, and availability. The attack vector is local (AV:L), meaning the attacker must have an app installed on the device but does not require privileges (PR:N) or user interaction (UI:N). The scope is unchanged (S:U), but the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H) because unauthorized calls can lead to privacy violations, financial loss, and service disruption. No patches or fixes have been published yet, and no known exploits are reported in the wild. This vulnerability highlights a critical flaw in intent validation and permission enforcement within the Talkatone app's call handling logic.

Potential Impact

The vulnerability allows any app installed on an Android device with Talkatone 8.4.6 to place phone calls without user knowledge or permission. This can lead to unauthorized premium-rate calls causing financial losses to users or organizations. Confidentiality is compromised as attackers can infer user activity or location through call patterns. Integrity is affected because attackers can manipulate call behavior, potentially interfering with legitimate communications. Availability is impacted as malicious apps could flood the phone system with calls, causing denial of service or battery drain. For organizations, this could result in unexpected telephony costs, reputational damage, and potential regulatory compliance issues related to user privacy. The lack of required permissions and user interaction lowers the barrier for exploitation, increasing the risk of widespread abuse if malicious apps are distributed via app stores or sideloaded. Although no exploits are currently known, the vulnerability's characteristics make it a significant threat to both individual users and enterprises relying on Talkatone for voice communications.

Mitigation Recommendations

Until an official patch is released, users and organizations should take proactive steps to mitigate this vulnerability. First, restrict installation of untrusted or unknown applications to reduce the risk of malicious apps exploiting this flaw. Employ mobile device management (MDM) solutions to enforce app whitelisting or blacklisting policies. Monitor device behavior for unusual outgoing call patterns that could indicate exploitation. Disable or uninstall the Talkatone app if it is not essential or replace it with a more secure alternative communication app. Developers and security teams should review and audit intent handling in their own apps to prevent similar issues. Once a patch is available, prioritize immediate update deployment. Additionally, consider implementing runtime application self-protection (RASP) or endpoint detection and response (EDR) tools capable of detecting unauthorized call attempts. Educate users about the risks of installing apps from unverified sources and the importance of scrutinizing app permissions and behaviors.
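The audit step recommended above (reviewing which components other apps can reach) can be partly automated. The following script is an added example, not Talkatone's code or tooling from this report: it scans a decoded AndroidManifest.xml for components that any installed app can send intents to without holding a permission, which is the class of weakness described for OutgoingCallInterceptor. The manifest it checks is constructed for the example and its component names are hypothetical. A component is treated as reachable from other apps when android:exported="true", or when that attribute is absent and an intent-filter is declared (the default before API 31), and it is flagged when no android:permission guards it. The sample manifest shows the weak form beside two hardened forms (not exported, or exported but permission-guarded).

```python
"""Audit a decoded AndroidManifest.xml for components reachable by any app.

Added example; not Talkatone's code. Run against a manifest decoded with
a tool such as apktool, or pass the XML string directly as shown below.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_reachable(elem):
    """True if other apps can target this component with an intent.

    Explicit android:exported wins; otherwise the pre-API-31 default applies:
    a component with an <intent-filter> is implicitly exported.
    """
    exported = _attr(elem, "exported")
    if exported is not None:
        return exported.lower() == "true"
    return elem.find("intent-filter") is not None


def find_unguarded_components(manifest_xml):
    """Return (tag, android:name) for reachable components with no permission."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for elem in app:
        if elem.tag not in COMPONENT_TAGS:
            continue
        if is_reachable(elem) and not _attr(elem, "permission"):
            findings.append((elem.tag, _attr(elem, "name")))
    return findings


# Constructed sample manifest; package and component names are hypothetical.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.dialer">
  <application>
    <!-- Weak: reachable by any app, no permission required -->
    <activity android:name=".ui.launcher.CallInterceptor"
              android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="tel"/>
      </intent-filter>
    </activity>
    <!-- Hardened: same role, but only this app can start it -->
    <activity android:name=".ui.launcher.InternalCallInterceptor"
              android:exported="false"/>
    <!-- Hardened alternative: exported, but the caller must hold a permission -->
    <receiver android:name=".CallStateReceiver"
              android:exported="true"
              android:permission="android.permission.CALL_PHONE"/>
    <!-- Implicitly exported: no exported attribute, but has an intent-filter -->
    <service android:name=".LegacyService">
      <intent-filter>
        <action android:name="com.example.dialer.LEGACY"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for tag, name in find_unguarded_components(SAMPLE_MANIFEST):
        print(f"unguarded {tag}: {name}")
```

Against the sample manifest the script reports the explicitly exported activity and the implicitly exported service, and stays silent on the non-exported activity and the permission-guarded receiver. Any component it lists should be checked for whether it needs to be reachable at all; if it does, the fix is either android:exported="false" or an android:permission that matches what the platform would have demanded of the caller, plus validation of the intent's extras before acting on them.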


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-06-09T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6c68b7ef31ef0b563c1e

Added to database: 2/25/2026, 9:40:56 PM

Last enriched: 2/26/2026, 5:13:02 AM

Last updated: 2/26/2026, 8:00:35 AM

