CVE-2024-36437

Name of the Vulnerable Software and Affected Versions: TextNow: Call + Text Unlimited version 24.17.0.2

Description: The issue allows any installed application, without requiring permissions, to place phone calls without user interaction. This is achieved by sending a crafted intent via the com.enflick.android.TextNow.activities.DialerActivity component.

Recommendations: For version 24.17.0.2, consider restricting access to the com.enflick.android.TextNow.activities.DialerActivity component to prevent unauthorized phone calls until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.