
CVE-2025-43977: n/a

Medium
Published: Mon Jul 21 2025 (07/21/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

The com.skt.prod.dialer application through 12.5.0 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.skt.prod.dialer.activities.outgoingcall.OutgoingCallInternalBroadcaster component.

AI-Powered Analysis

Last updated: 07/29/2025, 01:22:31 UTC

Technical Analysis

CVE-2025-43977 is a medium-severity vulnerability affecting the com.skt.prod.dialer application on Android devices, in versions up to and including 12.5.0. The flaw lies in the OutgoingCallInternalBroadcaster component of the com.skt.prod.dialer.activities.outgoingcall package. This component exposes an intent receiver that any installed application, including one holding no permissions at all, can reach with a crafted intent that makes the dialer place a phone call without user interaction. Because neither privileges nor user interaction are required, a malicious app on the same device can exploit it easily. The CVSS score of 4.3 reflects a moderate impact: a local attack vector (the attacking app must already be installed on the device), low complexity, no privileges required, and no user interaction. The impact is unauthorized phone calls, which could lead to financial losses, privacy breaches, or abuse of telephony services. No patches and no exploitation in the wild have been reported yet. The vulnerability was reserved in April 2025 and published on July 21, 2025. The root cause is the lack of authentication or permission checks on the intent receiver, which lets any app silently initiate calls and bypass the user-consent mechanisms built into Android's telephony framework.

Potential Impact

For European organizations, this vulnerability poses risks primarily where Android devices with the vulnerable dialer app are used extensively, such as corporate mobile fleets or BYOD scenarios. Unauthorized calls could lead to financial fraud, especially if premium-rate or international calls are placed without the user's knowledge. Silent call initiation could also be used to disrupt communication channels or cause denial of service by exhausting call quotas or billing limits. Privacy concerns arise because attackers could infer user behavior or location from call patterns. Organizations in sectors such as finance, telecommunications, and government, which rely on secure and auditable telephony, could face reputational damage and regulatory scrutiny under GDPR if such unauthorized activity leads to data breaches or misuse of personal data. Because no user interaction or permission is required, the risk of widespread exploitation rises if malicious apps are distributed through app stores or sideloaded.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Audit and inventory Android devices to identify those running the vulnerable com.skt.prod.dialer app at version 12.5.0 or earlier.
2) Coordinate with device manufacturers or software vendors to obtain and deploy patches or updated dialer applications that properly restrict intent receivers and enforce permission checks.
3) Implement mobile device management (MDM) solutions to restrict installation of untrusted or unknown applications, reducing the risk of malicious apps exploiting this vulnerability.
4) Monitor telephony usage logs for unusual call patterns, such as unexpected outgoing calls or spikes in call volume, to detect potential exploitation.
5) Educate users about the risks of installing apps from untrusted sources and encourage the use of official app stores with security vetting.
6) Consider disabling or restricting the com.skt.prod.dialer app where feasible, or replacing it with an alternative dialer app that does not exhibit this vulnerability.
7) Employ network-level controls to detect and block suspicious telephony traffic that may result from unauthorized calls.
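The following is an added example, not part of the original advisory or of the dialer's own code, illustrating the log-monitoring step above (item 4). It reads telephony usage records in a constructed CSV format (timestamp, device id, direction, number, duration) and flags outgoing calls to premium-rate or international prefixes, calls placed outside business hours, and bursts of calls from one device. The prefix lists, business-hours range and burst thresholds are assumptions to be tuned to the fleet; map the parser to whatever export your MDM or carrier actually provides.

```python
"""Flag anomalous outgoing-call patterns in telephony usage logs.

Added example for the monitoring recommendation above; the log format
and the policy values are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp,device_id,direction,number,duration_s"
SAMPLE_LOG = """\
2025-07-22T09:15:02,dev-001,out,+4930123456,120
2025-07-22T09:40:11,dev-001,out,+4930123457,45
2025-07-22T03:12:00,dev-002,out,+49900123456,30
2025-07-22T03:12:40,dev-002,out,+49900123456,28
2025-07-22T03:13:05,dev-002,out,+49900123456,31
2025-07-22T03:13:30,dev-002,out,+49900123456,29
2025-07-22T14:05:00,dev-003,out,+88212345678,600
2025-07-22T10:00:00,dev-003,in,+4930999999,200
"""

# Assumed policy values; tune them to the fleet's normal behaviour.
BUSINESS_HOURS = range(7, 20)        # 07:00-19:59 local time
BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 3                  # more than N outgoing calls per window
# Constructed prefix list: German premium-rate (0900) and +882 international networks
SUSPICIOUS_PREFIXES = ("+49900", "+882")
HOME_COUNTRY_CODE = "+49"            # assumed home country for the fleet


def parse_log(text):
    """Parse CSV lines into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, device, direction, number, duration = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "device": device,
            "direction": direction,
            "number": number,
            "duration": int(duration),
        })
    return records


def find_anomalies(records):
    """Return a list of (device, reason, evidence) tuples for outgoing calls."""
    alerts = []
    by_device = defaultdict(list)
    for r in records:
        if r["direction"] == "out":          # inbound calls are not in scope here
            by_device[r["device"]].append(r)

    for device, calls in by_device.items():
        calls.sort(key=lambda r: r["ts"])
        for c in calls:
            if c["number"].startswith(SUSPICIOUS_PREFIXES):
                alerts.append((device, "suspicious_prefix", c["number"]))
            elif not c["number"].startswith(HOME_COUNTRY_CODE):
                alerts.append((device, "international", c["number"]))
            if c["ts"].hour not in BUSINESS_HOURS:
                alerts.append((device, "off_hours", c["ts"].isoformat()))
        # Sliding window over sorted calls; report only the first burst per device.
        for i in range(len(calls)):
            window = [c for c in calls[i:] if c["ts"] - calls[i]["ts"] <= BURST_WINDOW]
            if len(window) > BURST_THRESHOLD:
                alerts.append((device, "burst", f"{len(window)} calls within {BURST_WINDOW}"))
                break
    return alerts


def summarize(alerts):
    """Aggregate alerts into {device: {reason: count}} for reporting."""
    summary = defaultdict(lambda: defaultdict(int))
    for device, reason, _ in alerts:
        summary[device][reason] += 1
    return {d: dict(r) for d, r in summary.items()}


if __name__ == "__main__":
    for alert in find_anomalies(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample, dev-001 produces no alerts, dev-002 is flagged for four premium-rate calls at 03:12 that also form a burst, and dev-003 is flagged once for a call to an international-networks prefix. Running this against real exports requires only replacing parse_log's field mapping.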


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-04-21T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 687e59b5a83201eaac110fff

Added to database: 7/21/2025, 3:16:05 PM

Last enriched: 7/29/2025, 1:22:31 AM

Last updated: 8/10/2025, 9:27:52 PM
