What Happened
In early 2023, security researchers discovered a side-channel vulnerability in Android's Game Manager Service (CVE-2023-21345) that allows any app on a device — even one with zero permissions — to discover which other apps are installed. This isn't just a minor privacy issue. In the hands of a sophisticated attacker, knowing what apps are installed is the first step toward a targeted, high-value attack.
The vulnerability exists in Google's Game Manager Service, a system component that manages gaming experiences on Android devices. Through improper access control, it leaks installation status information to processes that should have no access to it.
What makes this particularly concerning is the low barrier to exploitation. Unlike most Android vulnerabilities, this one requires no special permissions, no user interaction, and no elevated privileges. Any installed app can silently profile a device.
Originally reported by NIST NVD (National Vulnerability Database), this vulnerability affects Android devices across multiple versions.
Why This Matters for Indian Businesses
If you're running a mobile-first business in India — whether it's a fintech startup, e-commerce platform, healthcare app, or SaaS service — your users and employees rely on Android devices to access sensitive business data.
First, consider the DPDP Act (Digital Personal Data Protection Act) implications. The DPDP Act, which came into effect in November 2023, holds businesses accountable for protecting personal data on devices they're responsible for. If a reconnaissance attack leads to a targeted breach, you may face regulatory liability even if the vulnerability was in the OS.
Second, CERT-In's 6-hour vulnerability disclosure mandate means you have just 6 hours to report any security incident to the Indian government. Without continuous monitoring, you may miss exploitation attempts entirely.
Third, the RBI's cybersecurity framework for fintech and payment apps explicitly requires robust app-level security. A vulnerability in Android's core services that affects your payment app users puts you in violation of these guidelines.
In my years building enterprise systems for Fortune 500 companies, I saw how a single reconnaissance vulnerability could snowball into a full breach. Attackers don't announce themselves — they probe silently, map your defenses, and strike when you're least prepared.
Technical Breakdown
Let me walk you through exactly how this vulnerability works:
The Attack Flow
graph TD
A[Attacker App Installed — No special permissions] -->|Queries Game Manager Service| B[Side-Channel Information Leak]
B -->|Probes for specific app packages| C[Identifies Installed Apps without QUERY_ALL_PACKAGES]
C -->|Maps device profile: banking apps, security tools| D[Reconnaissance Complete]
D -->|Chains with phishing or other CVEs| E[Targeted Attack Launched]
style A fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
style B fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
style C fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
style D fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
style E fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
How It Works
The vulnerability exists because Game Manager Service doesn't properly validate whether the requesting process has permission to query app installation status. Here's the breakdown:
- Improper Access Control: The Game Manager Service exposes APIs that reveal app installation status without checking whether the caller has the QUERY_ALL_PACKAGES permission (which is restricted in Android 11+).
- Side-Channel Information Disclosure: By measuring response times, error codes, or system behavior, an attacker can determine whether specific packages are installed — without ever needing direct access.
- No Permission Check: Unlike standard Android APIs such as PackageManager.getInstalledPackages(), which require the QUERY_ALL_PACKAGES permission in modern Android versions, the bypass through this service works before any permission check is applied.
Vulnerable Code Pattern
Here's a simplified example of what vulnerable code might look like:
// VULNERABLE: No permission check before revealing app status
public boolean isGameInstalled(String packageName) {
    // Missing: caller identity verification
    // Missing: permission check for QUERY_ALL_PACKAGES
    return packageManager.isPackageAvailable(packageName); // leaks info
}
The Secure Fix
// SECURE: Check caller identity before leaking package info
// callerUid must be obtained by the service itself (Binder.getCallingUid()),
// never taken from a value the caller supplies.
public boolean isGameInstalled(String packageName, int callerUid) {
    // Verify the caller has QUERY_ALL_PACKAGES permission
    if (!hasPermission(callerUid, Manifest.permission.QUERY_ALL_PACKAGES)) {
        throw new SecurityException("Caller lacks QUERY_ALL_PACKAGES permission");
    }
    return packageManager.isPackageAvailable(packageName);
}
What Attackers Do With This Information
For Indian SMBs, this means your app could be fingerprinted by malware authors before your users even realize they're at risk.
An attacker who knows a target has specific apps installed can:
- Target banking app users: Know which bank to spoof in a phishing campaign
- Identify security tool presence: Avoid detection by disabling known AV apps first
- Profile wealth indicators: Detect premium financial apps to prioritize high-value targets
- Map BYOD policies: Understand corporate MDM or VPN apps to plan network attacks
How to Protect Your Business
Step 1: Apply Security Updates
Ensure all devices are running Android security patches dated March 2023 or later. Google's fix restricts Game Manager Service to only respond to callers with appropriate permissions.
For enterprise device management:
# Check current patch level via ADB
adb shell getprop ro.build.version.security_patch
# Expected output: 2023-03-01 or later
Step 2: Implement App Hardening
If you develop Android apps, prevent your own app from being a reconnaissance target:
<!-- AndroidManifest.xml -->
<!-- Avoid requesting broad package visibility: -->
<!--
<uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"
    tools:ignore="QueryAllPackagesPermission" />
-->
<!-- Instead, declare only the specific packages your app needs to see: -->
<queries>
    <package android:name="com.your.partner.app" />
</queries>
Step 3: Deploy Mobile Device Management
For organizations managing employee devices, implement MDM policies that:
- Enforce minimum Android security patch levels (March 2023+)
- Restrict sideloading of untrusted applications
- Monitor for suspicious inter-process communication
- Alert on apps requesting unusual system service access
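The patch-level policy from Step 1 and the MDM list above, as an added example (not code from Bachao.AI or any MDM product): it classifies devices by their reported ro.build.version.security_patch value against the March 2023 minimum. The serials and inventory are constructed, and the function names are hypothetical; devices that return no parseable value are reported separately so they are never counted as compliant.

```python
from datetime import date

# Minimum acceptable patch level, per the article (March 2023 or later).
MIN_PATCH = date(2023, 3, 1)

def parse_patch_level(raw: str):
    """Parse a YYYY-MM-DD patch level; return None if absent or malformed."""
    try:
        return date.fromisoformat(raw.strip())
    except ValueError:
        return None

def audit_fleet(inventory: dict) -> dict:
    """Sort device serials into compliant / outdated / unknown buckets."""
    report = {"compliant": [], "outdated": [], "unknown": []}
    for serial, raw in sorted(inventory.items()):
        level = parse_patch_level(raw)
        if level is None:
            # Offline or unauthorized device: fail closed, do not assume patched.
            report["unknown"].append(serial)
        elif level >= MIN_PATCH:
            report["compliant"].append(serial)
        else:
            report["outdated"].append(serial)
    return report

# Constructed inventory. In practice each value would be the raw output of:
#   adb -s <serial> shell getprop ro.build.version.security_patch
SAMPLE_INVENTORY = {
    "EMU-0001": "2023-03-01\n",
    "EMU-0002": "2022-12-05\r\n",
    "EMU-0003": "",
    "EMU-0004": "2024-01-05",
    "EMU-0005": "error: device unauthorized.",
}

if __name__ == "__main__":
    for status, serials in audit_fleet(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(serials) or '-'}")
```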
Step 4: Monitor for Exploitation
Detect reconnaissance attempts by monitoring Game Manager Service queries:
# Monitor for suspicious Game Manager queries
# -d dumps the current log buffer and exits, so the count is actually printed
adb logcat -d | grep -c "PackageManager"
How Bachao.AI Detects This Vulnerability
Bachao.AI by Dhisattva AI Pvt Ltd provides automated vulnerability assessment that checks for CVE-2023-21345 and similar side-channel vulnerabilities in your Android apps and infrastructure. Our platform scans for:
- Unprotected API endpoints that expose app installation status
- Missing permission validation in system service calls
- Side-channel vulnerabilities in response timing or error messages
- Overly broad manifest permissions that could be exploited
- Hardcoded app package names that aid reconnaissance
One fintech startup we worked with discovered through our VAPT scan that their payment app was exposing installation status to any co-installed app — a direct pathway for competitors or malicious actors to map their user base's financial behavior.
Action Items for This Week
- Update your Android devices to the latest security patch (March 2023 or later)
- Audit your app's manifest for unnecessary permissions
- Review code that queries app installation status
- Run a VAPT scan to identify similar vulnerabilities in your app
- Train your development team on secure permission handling
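The manifest audit from the action items, tied to the <queries> guidance in Step 2, as an added example (not Bachao.AI's scanner or Google's tooling): it parses an AndroidManifest.xml and reports QUERY_ALL_PACKAGES, the explicit <queries> packages, and intent-based queries broad enough to widen package visibility. The sample manifest and the package name com.example.constructed are constructed, and the ACTION_MAIN check goes beyond what the article covers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # fully qualified android:name attribute
BROAD_PERMISSION = "android.permission.QUERY_ALL_PACKAGES"

def audit_manifest(manifest_xml: str) -> dict:
    """Return the package-visibility surface a manifest declares."""
    root = ET.fromstring(manifest_xml)
    permissions = [e.get(NAME) for e in root.iter("uses-permission")]
    report = {
        "broad_visibility": BROAD_PERMISSION in permissions,
        "queried_packages": [],
        "intent_queries": [],
        "findings": [],
    }
    for queries in root.iter("queries"):
        report["queried_packages"] += [p.get(NAME) for p in queries.findall("package")]
        for intent in queries.findall("intent"):
            report["intent_queries"].append([a.get(NAME) for a in intent.findall("action")])
    if report["broad_visibility"]:
        report["findings"].append(
            "QUERY_ALL_PACKAGES requested: replace with specific <queries> entries")
    for actions in report["intent_queries"]:
        if "android.intent.action.MAIN" in actions:
            report["findings"].append(
                "<queries> intent on ACTION_MAIN can expose most launchable apps")
    return report

# Constructed sample manifest (only parse manifests from your own build).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          xmlns:tools="http://schemas.android.com/tools"
          package="com.example.constructed">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"
                     tools:ignore="QueryAllPackagesPermission" />
    <queries>
        <package android:name="com.your.partner.app" />
        <intent><action android:name="android.intent.action.MAIN" /></intent>
    </queries>
</manifest>"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST)["findings"]:
        print("FINDING:", finding)
```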
Frequently Asked Questions
What is CVE-2023-21345? CVE-2023-21345 is a side-channel information disclosure vulnerability in Android's Game Manager Service. It allows any installed app — regardless of its declared permissions — to silently discover which other apps are installed on the device, enabling attacker reconnaissance without triggering permission dialogs.
Why does this affect Indian SMBs specifically? Indian SMBs are particularly exposed because of the UPI ecosystem: knowing that a target has PhonePe, Google Pay, or a specific bank app installed lets an attacker craft highly convincing phishing lures. Combined with DPDP Act obligations, any resulting data breach creates direct regulatory liability.
How can my organization mitigate this risk? Apply the March 2023 Android security patch to all employee devices immediately. For app developers, review your manifest permissions and use specific <queries> declarations instead of broad package queries. Deploy an MDM solution to enforce patch compliance, and run a VAPT scan to verify your apps aren't vulnerable to similar side-channel issues.
The Bottom Line
CVE-2023-21345 is a reminder that Android security vulnerabilities often begin with reconnaissance — not direct attacks. By allowing any app to map installed software, this vulnerability hands attackers a blueprint of your device's security posture.
For Indian SMBs operating in a DPDP Act and CERT-In regulatory environment, unpatched vulnerabilities aren't just technical risks — they're legal and financial liabilities.
Protect your business with Bachao.AI — India's automated vulnerability assessment and penetration testing platform. Get a comprehensive security scan of your web applications and infrastructure. Visit Bachao.AI to get started.
Written by Shouvik Mukherjee, Founder of Bachao.AI (Dhisattva AI Pvt Ltd). With 15+ years in enterprise systems and cybersecurity, Shouvik helps Indian SMBs protect their digital infrastructure.