CVE-2024-37574 identifies a vulnerability in the GriceMobile Android application (com.grice.call) version 4.5.2, where any installed application, even without any permissions, can initiate phone calls without user consent or interaction. This is achieved by sending a crafted intent to the component com.iui.mobile.presentation.MobileActivity, which improperly handles incoming intents and does not enforce permission checks or user confirmation before placing calls. The root cause is linked to CWE-732, which involves incorrect permissions or access control on critical operations. The vulnerability allows an attacker to exploit the phone's call functionality, potentially leading to unauthorized calls that could result in toll fraud, privacy violations, or disruption of user experience. The CVSS v3.1 score of 8.2 indicates a high severity, with an attack vector over the network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), limited confidentiality impact (C:L), high integrity impact (I:H), and no availability impact (A:N). No patches or known exploits are currently reported, but the vulnerability's nature makes it a significant risk for affected users.

The vulnerability allows unauthorized applications to place phone calls silently, which can lead to several adverse impacts. Organizations may face financial losses due to toll fraud if attackers place premium-rate or international calls. Privacy is compromised as calls could be made without user knowledge, potentially leaking sensitive information or enabling stalking and harassment. The integrity of the device's telephony functions is undermined, reducing trust in the affected application and device security. Although availability is not impacted, the unauthorized call capability can disrupt normal phone usage and cause reputational damage. Enterprises relying on Android devices with this app installed may experience increased risk of insider threats or malware leveraging this flaw. The lack of required permissions and user interaction lowers the barrier for exploitation, increasing the threat surface significantly.

Immediate mitigation involves restricting the installation of untrusted or unknown applications on devices running GriceMobile com.grice.call 4.5.2. Organizations should implement mobile device management (MDM) policies to control app installations and monitor unusual call activity. Users and administrators should check for updates or patches from GriceMobile and apply them as soon as available. If no patch exists, consider uninstalling or disabling the vulnerable app until remediation is provided. Developers and vendors must implement proper intent filtering and permission enforcement on sensitive components like MobileActivity to prevent unauthorized access. Additionally, monitoring telephony logs for unexpected call patterns can help detect exploitation attempts. Employing runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions on mobile devices may provide further detection capabilities. Educating users about the risks of installing untrusted apps can reduce exposure.