CVE-2024-36063
📋 TL;DR
This vulnerability allows any Android application without permissions to place phone calls without user interaction by sending a crafted intent to the Goodwy Dialer app. It affects all users of Goodwy Dialer (Right Dialer) for Android up to version 5.1.0. The attack requires an attacker to have installed a malicious app on the same device.
💻 Affected Systems
- Goodwy Dialer (Right Dialer)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker could place premium-rate international calls, incurring significant financial costs for the victim, or make calls to emergency services causing false alarms and potential legal consequences.
Likely Case
Malicious apps could place unwanted calls to scam numbers, premium services, or contacts in the victim's address book, potentially leading to financial loss or social engineering attacks.
If Mitigated
With proper app sandboxing and intent filtering, the impact would be limited to calls being placed without user consent but potentially detectable through call logs.
🎯 Exploit Status
The exploit requires creating a malicious Android app that sends a crafted intent. No special permissions needed for the attacking app.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 5.1.0
Vendor Advisory: https://github.com/actuator/com.goodwy.dialer/blob/main/CVE-2024-36063
Restart Required: No
Instructions:
1. Open Google Play Store
2. Search for 'Goodwy Dialer' or 'Right Dialer'
3. Update to latest version
4. Verify version is greater than 5.1.0
🔧 Temporary Workarounds
Uninstall Goodwy Dialer
Android: Remove the vulnerable application from the device
Settings > Apps > Goodwy Dialer > Uninstall
Use alternative dialer app
Android: Replace Goodwy Dialer with a different dialer application
🧯 If You Can't Patch
- Disable Goodwy Dialer as default phone app in Android settings
- Install apps from trusted sources only and review app permissions carefully
🔍 How to Verify
Check if Vulnerable:
Check app version in Settings > Apps > Goodwy Dialer. If version is 5.1.0 or lower, device is vulnerable.
Check Version:
adb shell dumpsys package com.goodwy.dialer | grep versionName
Verify Fix Applied:
Update app via Play Store and confirm version is greater than 5.1.0 in app info.
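The version check above can be scripted across several devices. The following is an added example, not part of the advisory or the vendor's tooling: it parses the versionName line from dumpsys output and compares it numerically against 5.1.0. The function names and the sample dumpsys text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): classify `dumpsys package` output.
LAST_AFFECTED="5.1.0"   # per this page: versions up to 5.1.0 are affected

# Constructed sample of the relevant dumpsys lines (not captured from a device).
SAMPLE_DUMPSYS='Packages:
  Package [com.goodwy.dialer] (0000000):
    versionCode=510 minSdk=23 targetSdk=34
    versionName=5.1.0'

# Print the first versionName= value found on stdin (empty if none).
extract_version() {
    sed -n 's/^[[:space:]]*versionName=\([^[:space:]]*\).*/\1/p' | head -n 1
}

# version_le A B: succeed when dotted version A <= B, compared numerically
# per component; missing components count as 0, suffixes like "-beta" are ignored.
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Read dumpsys text on stdin; print "vulnerable V", "patched V" or "not-installed".
classify() {
    ver=$(extract_version)
    if [ -z "$ver" ]; then
        echo "not-installed"
    elif version_le "$ver" "$LAST_AFFECTED"; then
        echo "vulnerable $ver"
    else
        echo "patched $ver"
    fi
}

# Offline demo on the constructed sample. On a real device:
#   adb shell dumpsys package com.goodwy.dialer | classify
printf '%s\n' "$SAMPLE_DUMPSYS" | classify
```

The per-component numeric comparison matters because a plain string comparison would rank 5.10.0 below 5.1.1.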
📡 Detection & Monitoring
Log Indicators:
- Unexpected phone call intents from other apps
- DialerActivity receiving intents without user interaction
Network Indicators:
- Unexpected outgoing calls in call logs
- Calls to premium or international numbers without user history
SIEM Query:
Not applicable for mobile app vulnerability