CVE-2024-53935: n/a
The com.callos14.callscreen.colorphone (aka iCall OS17 - Color Phone Flash) application through 4.3 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.callos14.callscreen.colorphone.DialerActivity component.
AI Analysis
Technical Summary
CVE-2024-53935 is a security vulnerability identified in the Android application com.callos14.callscreen.colorphone, known as iCall OS17 - Color Phone Flash, through version 4.3. The vulnerability stems from the application's DialerActivity component improperly handling intents, allowing any other application on the device to send a crafted intent that triggers the placement of phone calls without requiring any permissions or user interaction. In other words, a malicious app, even one with no declared permissions, can silently initiate phone calls, bypassing Android's usual permission model and user consent mechanisms. The vulnerability carries a CVSS 3.1 base score of 6.5, indicating medium severity. The attack vector is local (network-independent), requires no privileges and no user interaction, so exploitation is relatively straightforward once a malicious app is installed. The impact affects confidentiality and integrity by enabling unauthorized call placement, which could be leveraged for fraud, harassment, or privacy breaches. There is no reported impact on system availability. No patches or fixes are currently linked, and no known exploits have been observed in the wild as of the publication date. The vulnerability was reserved on November 25, 2024, and published on January 6, 2025. The absence of any permission or user-interaction requirement makes this vulnerability particularly concerning for Android users who have installed this app, as it undermines the platform's security model.
Potential Impact
The primary impact of CVE-2024-53935 is unauthorized phone call initiation without user consent, which can lead to financial loss due to premium-rate calls, privacy violations, and potential harassment or social engineering attacks. Organizations relying on Android devices with this app installed may face increased risk of fraud or abuse, especially if devices are used in sensitive environments or by employees handling confidential information. The vulnerability could be exploited to bypass security controls that rely on user interaction or permission checks, undermining trust in mobile device security. Although availability is not affected, the integrity and confidentiality of user communications are compromised. The ease of exploitation (no permissions or user interaction required) increases the likelihood of abuse if a malicious app is installed on the device. This could also facilitate broader attacks if combined with other vulnerabilities or social engineering tactics. The lack of known exploits in the wild suggests limited current impact, but the potential for future exploitation remains significant.
Mitigation Recommendations
To mitigate CVE-2024-53935, users and organizations should first verify if the affected application (iCall OS17 - Color Phone Flash) is installed on their Android devices and update it to a patched version once available. In the absence of an official patch, consider uninstalling or disabling the app to eliminate the attack vector. Employ mobile device management (MDM) solutions to restrict installation of untrusted or unnecessary applications, reducing the risk of malicious apps exploiting this vulnerability. Monitor device behavior for unexpected phone call activity, which could indicate exploitation attempts. Developers and vendors should implement proper intent validation and require explicit permissions and user interaction before placing calls. Security teams should educate users about the risks of installing apps from untrusted sources and encourage the use of app stores with rigorous vetting processes. Additionally, applying runtime application self-protection (RASP) or endpoint detection and response (EDR) tools on mobile devices may help detect and block suspicious intent-based activities. Finally, maintain up-to-date threat intelligence to respond promptly when patches or exploit reports emerge.
Affected Countries
United States, India, Brazil, Indonesia, Russia, Mexico, Germany, United Kingdom, France, South Africa
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-11-25T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6bc2b7ef31ef0b55ab92
Added to database: 2/25/2026, 9:38:10 PM
Last enriched: 2/28/2026, 3:20:03 AM
Last updated: 4/12/2026, 3:40:23 PM