CallApp Caller ID Improper Component Export Vulnerability in Android Applications
Vulnerability
A vulnerability exists in the CallApp Caller ID application for Android, specifically in versions up to 2.0.4. The issue arises from an unknown function in the AndroidManifest.xml file of the component caller.id.phone.number.block. This vulnerability leads to the improper export of Android application components, allowing other applications to access them without proper restrictions. The vulnerability can be exploited locally, and a public proof-of-concept exploit is available.
Impact
Exploitation of this vulnerability allows for task hijacking, where a malicious application can inherit the permissions of the vulnerable CallApp application. This could be used to manipulate tasks or phish for login credentials from the user.
Reproduction
The vulnerability can be reproduced by searching for 'AndroidManifest.xml' using Google Hacking techniques to find targets that have the vulnerable component exported. Once a vulnerable application is identified, the public exploit can be used to demonstrate the task hijacking capability.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.