What Happened
In early 2023, security researchers discovered a side-channel vulnerability in Android's ActivityManagerService (CVE-2023-21301) that allows malicious apps to determine whether other applications are installed on a device—without requiring the standard QUERY_ALL_PACKAGES permission.
This might sound like a minor information leak, but it's the kind of vulnerability that opens doors to larger attacks. An attacker can use this reconnaissance technique to profile a device, identify security tools, banking apps, or enterprise software, and then launch targeted attacks. The vulnerability affects multiple Android versions and requires no user interaction to exploit—meaning a malicious app running in the background can gather this intelligence silently.
Google patched this in Android Security & Maintenance Releases (ASMR) starting March 2023, but millions of devices worldwide—including enterprise-deployed Android devices in India—remain unpatched. The vulnerability exists in a core Android service that runs with elevated privileges, making it a local privilege escalation vector when chained with other exploits.
Why This Matters for Indian Businesses
If you're running Android devices in your organization—whether it's BYOD (Bring Your Own Device) programs, field sales teams with company-issued phones, or IoT/Android-based kiosks—this vulnerability directly affects your security posture.
Here's the practical impact:
1. Enterprise App Profiling: Attackers can detect if your employees are using security tools, VPN apps, or banking software. This intelligence feeds into social engineering attacks. For example, if an attacker knows your team uses a specific banking app, they can craft a convincing phishing attack targeting that app.
2. Regulatory Risk Under the DPDP Act: India's Digital Personal Data Protection Act (DPDP), 2023 requires organizations to implement reasonable security measures to protect personal data. If a breach occurs because you failed to patch a known vulnerability, you're liable for penalties up to ₹5 crore. This vulnerability, when exploited, can lead to unauthorized data access, directly violating DPDP obligations.
3. CERT-In Compliance: The Indian Computer Emergency Response Team (CERT-In) mandates that critical vulnerabilities be patched within 6 hours of notification for critical severity, and 15 days for high-severity issues. While this CVE is classified as medium-high, CERT-In's incident disclosure requirements mean you need a patch management process in place.
4. RBI Framework for Banks & Fintech: If your organization handles financial data, the RBI's Cyber Security Framework requires regular vulnerability assessments and timely patching. Android devices accessing banking systems must be kept updated.
In my years building enterprise systems for Fortune 500 companies, I've seen how these "minor" information disclosures cascade into major breaches. A single unpatched device in a corporate network can become the entry point for lateral movement. This is exactly why I built Bachao.AI—to help Indian SMBs detect and remediate vulnerabilities before they become incidents.
Technical Breakdown
How the Attack Works
The vulnerability exists in Android's ActivityManagerService, a core system service that manages application lifecycle and visibility. Normally, apps need the QUERY_ALL_PACKAGES permission (added in Android 11) to list installed applications.
However, through side-channel analysis, an attacker can infer whether an app is installed by:
- Attempting to start an activity from the target app
- Observing the response time or error behavior of the system
- Analyzing system logs or broadcasts that leak app information
- Exploiting implicit intent resolution where Android reveals installed apps through error messages
```mermaid
graph TD
  A["Malicious App Installed"] -->|No special permissions needed| B["Send Implicit Intent to Unknown App"]
  B -->|Measure Response Time| C["App Exists: Fast Response"]
  B -->|OR| D["App Missing: Slow/Error Response"]
  C -->|Repeat for 100+ apps| E["Build App Inventory"]
  D -->|Repeat for 100+ apps| E
  E -->|Analyze Results| F["Identify Security Tools & Banking Apps"]
  F -->|Feed Intelligence to C2| G["Launch Targeted Attack"]
```
Proof of Concept
Here's a simplified example of how an attacker might detect installed apps:
```java
import android.app.Activity;
import android.content.Intent;
import android.content.pm.ResolveInfo;
import java.util.List;

// Vulnerable code pattern - detecting apps via implicit intent
public class AppProber extends Activity {
    private boolean isAppInstalled(String packageName) {
        Intent intent = new Intent(Intent.ACTION_MAIN);
        intent.addCategory(Intent.CATEGORY_LAUNCHER);
        intent.setPackage(packageName);
        long startTime = System.currentTimeMillis();
        List<ResolveInfo> apps = getPackageManager().queryIntentActivities(intent, 0);
        long endTime = System.currentTimeMillis();
        // Timing side-channel: installed apps respond faster
        boolean isInstalled = (endTime - startTime) < 100; // milliseconds
        return isInstalled || !apps.isEmpty();
    }
}
```
The problem: Even without explicit permissions, the timing difference and error patterns reveal whether an app exists.
The Fix (Google's Patch)
Google's patch restricts implicit intent resolution and adds permission checks in ActivityManagerService, so the fix arrives with the platform update rather than with any individual app. The snippet below sketches the same check in application-level terms:
```java
import android.Manifest;
import android.app.Activity;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import java.util.List;

// Patched version - enforces permission checks
public class AppProber extends Activity {
    private boolean isAppInstalled(String packageName) {
        // After patch: this requires the QUERY_ALL_PACKAGES permission;
        // implicit intent queries are filtered otherwise
        if (checkSelfPermission(Manifest.permission.QUERY_ALL_PACKAGES)
                != PackageManager.PERMISSION_GRANTED) {
            // Report nothing - app existence is hidden
            return false;
        }
        Intent intent = new Intent(Intent.ACTION_MAIN);
        intent.addCategory(Intent.CATEGORY_LAUNCHER);
        intent.setPackage(packageName);
        List<ResolveInfo> apps = getPackageManager().queryIntentActivities(intent, 0);
        return !apps.isEmpty();
    }
}
```
How to Protect Your Business
Immediate Actions
| Protection Layer | Action | Difficulty |
|---|---|---|
| Device Patching | Update all Android devices to March 2023 ASMR or later | Easy |
| BYOD Policy | Enforce minimum OS versions (Android 12+) for company access | Medium |
| App Permissions | Audit and restrict QUERY_ALL_PACKAGES permissions | Easy |
| Mobile MDM | Deploy Mobile Device Management to enforce security policies | Hard |
| Network Segmentation | Isolate Android devices from sensitive systems | Medium |
| Monitoring | Enable security event logging on all devices | Medium |
Step 1: Check Your Android Devices
First, identify which devices in your organization are vulnerable:
```shell
# On Android device (via adb - Android Debug Bridge)
adb shell getprop ro.build.version.release
# Output examples:
# 12.0 or higher = Likely patched
# 11.0 or lower = Vulnerable (check patch date)

# Check security patch date
adb shell getprop ro.build.version.security_patch
# Output should be 2023-03-01 or later for this CVE
```
If you manage multiple devices, use Android Enterprise to check device compliance:
```text
# Via Android Enterprise Console
# Settings > Security > Security patch level
# Flag devices with patch dates before 2023-03-01
```
Step 2: Deploy Patches
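The two getprop reads above check one device at a time. The script below is an added example (not from the original post or Bachao.AI's tooling) that runs the same check across every device adb can see and classifies each against the 2023-03-01 patch baseline the post names. It assumes adb is installed and each device is authorised for USB debugging, and it decides on the security patch date rather than the release number, because that is the field that actually records whether the March 2023 fix is present.

```shell
#!/bin/sh
# Added example, not code from the original post: audit every adb-connected
# device's security patch level against the March 2023 baseline.
# Assumes adb is on PATH and each device is authorised for USB debugging.

BASELINE="2023-03-01"   # first security patch level carrying the fix

# Returns 0 when a ro.build.version.security_patch value (YYYY-MM-DD) is at or
# after BASELINE, 1 otherwise. Malformed or empty values count as non-compliant
# rather than silently passing.
patch_is_current() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    # Strip the dashes so the two dates compare as plain integers (20230301 etc.)
    [ "$(printf '%s' "$level" | sed 's/-//g')" -ge "$(printf '%s' "$BASELINE" | sed 's/-//g')" ]
}

# Prints one report line for a device: serial, release, patch level, verdict.
classify_device() {
    serial="$1"; release="$2"; patch="$3"
    if patch_is_current "$patch"; then
        echo "$serial android=$release patch=$patch COMPLIANT"
    else
        echo "$serial android=$release patch=${patch:-unknown} VULNERABLE"
    fi
}

# Queries every device adb reports as online and classifies it.
audit_fleet() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r serial; do
        release=$(adb -s "$serial" shell getprop ro.build.version.release | tr -d '\r')
        patch=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
        classify_device "$serial" "$release" "$patch"
    done
}

# Run the audit only when adb is actually available on this machine.
if command -v adb >/dev/null 2>&1; then
    audit_fleet
fi
```

Each line the audit prints ends in COMPLIANT or VULNERABLE, so the output can be fed straight into a ticket or MDM exception list; a device that reports no patch level at all is deliberately treated as vulnerable rather than skipped.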
For Personal Devices (BYOD):
- Push a compliance policy requiring Android 12+ or March 2023+ security patch
- Block non-compliant devices from accessing company apps
- Use Mobile Device Management (MDM) tools like Google Workspace, Intune, or MobileIron
- Deploy OTA (Over-The-Air) updates automatically
```shell
# Example: MobileIron MDM command to enforce patch
# Deploy to all enrolled devices
# (Illustrative syntax; confirm the exact command against your MDM vendor's documentation)
mobileIron-cli deploy-patch \
  --target-version="2023-03" \
  --force-update=true \
  --grace-period=7d
```
Step 3: Restrict App Enumeration
Even with patches, implement defense-in-depth by restricting which apps can query package lists:
```xml
<!-- AndroidManifest.xml - Whitelist approach -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <queries>
    <!-- Only allow specific apps to query packages -->
    <package android:name="com.example.banking" />
    <package android:name="com.example.vpn" />
    <!-- Deny all others implicitly -->
  </queries>
</manifest>
```
Use the <queries> element in your app's manifest to explicitly declare which packages you need access to. This follows the principle of least privilege and limits what an attacker could learn through your app if it were compromised.
Step 4: Monitor for Suspicious Apps
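The adb commands in this step grep logcat for permission denials one line at a time. The script below is an added example (not from the original post or Bachao.AI's tooling) that applies the same denial pattern but aggregates hits per calling uid, so one app that probes many packages in a burst stands out from the occasional legitimate denial; on that point it goes a step beyond the raw greps. The sample log lines are constructed for the demo, and the exact denial wording differs across Android versions, so treat the regex as a starting point to tune on your own devices. Live use needs adb and a connected device.

```shell
#!/bin/sh
# Added example, not code from the original post: count package-visibility
# denials per calling uid in logcat output and flag uids above a threshold.
# Sample log lines are constructed for the demo; real wording varies by version.

THRESHOLD=5   # denials from a single uid that warrant investigation

# Reads logcat-style lines on stdin; keeps lines that mention package-visibility
# or QUERY_ALL_PACKAGES denials, pulls out "uid=NNNNN", and prints "uid count"
# for each uid with at least THRESHOLD hits, highest count first.
flag_enumerators() {
    grep -iE 'query_all_packages|permission denial|permission.*denied|not visible to' \
      | grep -oE 'uid=[0-9]+' \
      | sort | uniq -c | sort -rn \
      | awk -v t="$THRESHOLD" '$1 >= t { sub(/^uid=/, "", $2); print $2, $1 }'
}

# Constructed sample: uid 10234 probes six packages in two seconds (one burst),
# uid 10101 trips a single unrelated denial, and the rest is ordinary noise.
SAMPLE_LOG='03-15 10:22:01.120  1234  1256 W PackageManager: Permission Denial: package com.example.vpn is not visible to uid=10234
03-15 10:22:01.310  1234  1256 W PackageManager: Permission Denial: package com.example.banking is not visible to uid=10234
03-15 10:22:01.502  1234  1256 I ActivityManager: Start proc 4321:com.example.launcher/u0a99 for activity
03-15 10:22:01.655  1234  1256 W PackageManager: Permission Denial: package com.example.mdm is not visible to uid=10234
03-15 10:22:01.870  1234  1256 W PackageManager: Permission Denial: package com.example.edr is not visible to uid=10234
03-15 10:22:02.015  1234  1256 W ActivityManager: Permission Denial: opening provider contacts from uid=10101 requires android.permission.READ_CONTACTS
03-15 10:22:02.230  1234  1256 W PackageManager: Permission Denial: package com.example.erp is not visible to uid=10234
03-15 10:22:02.440  1234  1256 W PackageManager: Permission Denial: package com.example.sso is not visible to uid=10234
03-15 10:22:02.600  1234  1256 D WifiService: getConnectionInfo uid=10055'

# Runs the detector over the constructed sample and returns its report.
demo_scan() {
    printf '%s\n' "$SAMPLE_LOG" | flag_enumerators
}

# Runs the detector over the connected device's buffered log (needs adb).
scan_live_device() {
    adb logcat -d | flag_enumerators
}

demo_scan
```

On the constructed sample the report is a single line, `10234 6`, while the one-off denial from uid 10101 stays below the threshold. Map the flagged uid back to a package with `adb shell pm list packages --uid <uid>` (or the `cmd package` equivalent on your version) before deciding whether the behaviour is a legitimate launcher or something to remove from the device.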
Deploy security monitoring to detect apps attempting to enumerate packages:
```shell
# Enable Android Security & Privacy Logs
adb shell settings put global logging_level 1
# Monitor for QUERY_ALL_PACKAGES permission denials
adb logcat | grep -i "query_all_packages\|permission.*denied"
# Look for patterns of rapid intent resolution attempts
adb logcat | grep -i "implicit.*intent\|resolveActivity"
```
How Bachao.AI Detects This
As someone who's reviewed hundreds of Indian SMB security postures, I've noticed that most organizations don't have visibility into their Android device fleet's patch status. This is exactly the kind of blind spot that leads to breaches.
- VAPT Scan — Our vulnerability assessment includes Android app analysis. We scan installed apps for known CVEs like CVE-2023-21301 and flag devices with outdated security patches. Free scan available at Bachao.AI/vapt.
- Mobile Security Audit — Part of our Cloud Security offering, we assess your MDM deployment, patch management processes, and BYOD policies. Identify gaps in 48 hours. Starting at ₹5,000.
- DPDP Compliance — We verify that your Android device security aligns with DPDP Act requirements for personal data protection. Includes patch management audit and policy recommendations.
- Incident Response — If you suspect exploitation of this vulnerability, our 24/7 team can investigate, contain, and file CERT-In notifications within the 6-hour window.
The Bigger Picture
CVE-2023-21301 is a reminder that information disclosure vulnerabilities are not harmless. A small leak—like whether an app is installed—becomes a reconnaissance tool for larger attacks.
In enterprise architecture, we call this attack surface mapping. Attackers use it to:
- Identify security tools and bypass them
- Detect banking apps and craft phishing campaigns
- Locate VPN software and target unencrypted traffic
- Find enterprise apps and exploit them with zero-days
If you're running Android devices in your organization and haven't audited them in the last 6 months, now is the time. The DPDP Act, CERT-In compliance, and basic security hygiene all demand it.
Originally reported by NIST NVD
Written by Shouvik Mukherjee, Founder & CEO of Bachao.AI. Follow me on LinkedIn for daily cybersecurity insights for Indian businesses.
Frequently Asked Questions
Q: What is the Android ActivityManagerService (AMS) vulnerability?
The ActivityManagerService flaw allows a malicious app to obtain information about foreground activities of other applications without proper authorization. This can be used for UI spoofing attacks, where malicious overlays mimic legitimate app screens to steal credentials.
Q: How serious is this vulnerability for enterprise Android deployments?
High severity. In enterprise environments where employees use Android devices for banking, ERP access, or authentication apps, UI spoofing enabled by AMS vulnerabilities can lead to credential theft and account takeover.
Q: What is ActivityManagerService in Android?
ActivityManagerService is a core Android system service that manages the lifecycle of activities (screens) in all applications. It controls which app is in the foreground, manages task stacks, and handles inter-app communication.
Q: How should Indian SMBs respond to this vulnerability?
Ensure all corporate Android devices are running the latest security patch level. Implement MDM policies that enforce patch compliance. For business-critical apps, conduct regular DAST (Dynamic Application Security Testing) to identify overlay and UI spoofing risks.
Q: How does CERT-In advise organizations to handle Android OS vulnerabilities?
CERT-In regularly issues advisories for critical Android vulnerabilities and recommends organizations patch within 30 days of advisory publication. CERT-In advisories are available at cert-in.org.in and should be monitored by any organization managing Android devices.