CVE-2024-53933

6.3 MEDIUM

📋 TL;DR

This vulnerability allows any Android application without permissions to place phone calls without user interaction by sending a crafted intent to the Color Call Theme & Call Screen app. It affects Android users who have installed the vulnerable version of this application. The exploit requires no user interaction, making it a significant privacy and security risk.

💻 Affected Systems

Products:
  • Color Call Theme & Call Screen (com.callerscreen.colorphone.themes.callflash)
Versions: through 1.0.7
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Android devices with the vulnerable app installed. The vulnerability is in the app itself, not the Android OS.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Malicious apps could place premium-rate calls, make unauthorized international calls, or conduct harassment campaigns without user knowledge, leading to financial loss and privacy violations.

🟠 Likely Case

Malware or adware could place unwanted calls to generate revenue or conduct phishing attacks, potentially incurring charges for the user.

🟢 If Mitigated

With proper app permissions and user awareness, the risk is limited to apps that users intentionally install from untrusted sources.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit requires sending a crafted intent, which is trivial for any Android app to do. No user interaction or permissions are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

  1. Uninstall the Color Call Theme & Call Screen app.
  2. Check for updates in the Google Play Store, if available.
  3. If reinstalling, verify that the version is newer than 1.0.7.

🔧 Temporary Workarounds

Uninstall vulnerable app

Platform: android

Remove the Color Call Theme & Call Screen app from your Android device

adb uninstall com.callerscreen.colorphone.themes.callflash

Restrict app permissions

Platform: android

Disable phone call permissions for the app in Android settings

🧯 If You Can't Patch

  • Uninstall the Color Call Theme & Call Screen app immediately
  • Monitor phone bills for unauthorized calls and report suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check whether com.callerscreen.colorphone.themes.callflash is installed and whether its version is 1.0.7 or earlier, either via Android settings or with:

adb shell pm list packages | grep callerscreen

Check Version:

adb shell dumpsys package com.callerscreen.colorphone.themes.callflash | grep versionName

Verify Fix Applied:

Verify the app is uninstalled or updated to a version newer than 1.0.7
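The two adb commands above can be combined into a single check. The script below is an added example, not part of the original advisory: it compares the installed versionName against the 1.0.7 ceiling stated above, field by field, so that a version such as 1.0.10 is not mistaken for an older one by a plain string comparison. The package name and version ceiling come from the advisory; the function names and the sample dumpsys output are constructed for this example.

```shell
#!/bin/sh
# Added example: verify whether the Color Call Theme & Call Screen app is
# installed at a vulnerable version. Package name and version ceiling are
# from the advisory; everything else here is constructed for illustration.

PKG="com.callerscreen.colorphone.themes.callflash"
LAST_VULNERABLE="1.0.7"

# Compare two dotted version strings numerically, field by field.
# Prints "lt", "eq" or "gt". Non-digit suffixes (e.g. "-beta") are ignored.
version_cmp() {
  a="$1"; b="$2"; i=1
  while :; do
    fa=$(printf '%s' "$a" | cut -d. -f"$i" | tr -cd '0-9')
    fb=$(printf '%s' "$b" | cut -d. -f"$i" | tr -cd '0-9')
    if [ -z "$fa" ] && [ -z "$fb" ]; then echo eq; return; fi
    fa=${fa:-0}; fb=${fb:-0}
    if [ "$fa" -lt "$fb" ]; then echo lt; return; fi
    if [ "$fa" -gt "$fb" ]; then echo gt; return; fi
    i=$((i + 1))
  done
}

# True (exit 0) when the given versionName is 1.0.7 or earlier.
is_vulnerable_version() {
  [ "$(version_cmp "$1" "$LAST_VULNERABLE")" != gt ]
}

# Extract versionName from `dumpsys package` output read on stdin.
# Prints nothing and exits non-zero if no versionName line is present
# (which is what dumpsys gives for a package that is not installed).
version_from_dumpsys() {
  v=$(sed -n 's/^[[:space:]]*versionName=\(.*\)$/\1/p' | head -n 1)
  [ -n "$v" ] && printf '%s\n' "$v"
}

# Live check against a connected device. Exit 1 when vulnerable.
check_device() {
  if ! adb shell pm list packages 2>/dev/null | grep -q '^package:'"$PKG"'$'; then
    echo "not installed: $PKG"; return 0
  fi
  v=$(adb shell dumpsys package "$PKG" | tr -d '\r' | version_from_dumpsys)
  if is_vulnerable_version "$v"; then
    echo "VULNERABLE: $PKG versionName=$v (<= $LAST_VULNERABLE)"; return 1
  fi
  echo "ok: $PKG versionName=$v"
}

# Constructed sample of the relevant dumpsys lines, for offline testing.
SAMPLE_DUMPSYS='Packages:
  Package [com.callerscreen.colorphone.themes.callflash]:
    userId=10123
    versionName=1.0.7
    splits=[base]'

# Offline demonstration using the constructed sample.
demo_offline() {
  v=$(printf '%s\n' "$SAMPLE_DUMPSYS" | version_from_dumpsys)
  if is_vulnerable_version "$v"; then echo "sample versionName=$v: vulnerable"
  else echo "sample versionName=$v: not vulnerable"; fi
}

# Run `sh check.sh --device` against a real device, or `sh check.sh --demo`.
case "${1:-}" in
  --device) check_device ;;
  --demo) demo_offline ;;
esac
```

The `tr -d '\r'` strips the carriage returns that `adb shell` adds on some hosts; without it the captured versionName ends in a stray `\r` and the numeric comparison fails.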

📡 Detection & Monitoring

Log Indicators:

  • Unexpected phone call intents from com.callerscreen.colorphone.themes.callflash
  • Phone call logs showing calls not initiated by user

Network Indicators:

  • Unexpected outgoing calls to premium or international numbers

SIEM Query:

Not applicable for mobile app vulnerability
