Call Screen Application Intent-Based Unattended Call Initiation Vulnerability
Vulnerability
The 'iCall OS17 - Color Phone Flash' application for Android, in versions through 4.3, allows any application to place phone calls without user interaction. Another application does this by sending a crafted intent to the 'com.callos14.callscreen.colorphone.DialerActivity' component, which bypasses normal permission requirements.
Impact
Exploiting this vulnerability lets an attacker place unauthorized phone calls from the user's device without the user's knowledge or consent.
Reproduction
To reproduce this vulnerability, create an application that sends a crafted intent to the 'com.callos14.callscreen.colorphone.DialerActivity' component. The intent must be crafted so that it triggers the dialer activity to place a phone call. The sending application needs no special permissions, because the target application's design allows such interactions.
