What Happened
In early 2023, Google's Android security team disclosed CVE-2023-21354, a critical side-channel vulnerability in the Package Manager Service — the core Android component responsible for managing app installations and permissions.
The vulnerability allows a malicious app to determine whether specific applications are installed on a user's device without requesting the QUERY_ALL_PACKAGES permission. This is a silent information disclosure attack — the victim never sees a permission prompt, never grants access, yet an attacker gains detailed intelligence about the device's app ecosystem.
What makes this particularly dangerous is the attack surface. Any app on the Play Store or sideloaded onto a device can exploit this flaw. There's no user interaction required, no visible indicators, and no logs that would alert a security team. An attacker could map your entire device to identify banking apps, payment wallets, authentication tools, corporate VPNs, or compliance software — then craft targeted attacks accordingly.
For Indian businesses where employees use personal devices for work (BYOD), this vulnerability creates a direct bridge between app enumeration and corporate espionage.
Why This Matters for Indian Businesses
Let me be direct: this vulnerability hits Indian SMBs at an intersection of three critical problems.
First, regulatory exposure. Under the Digital Personal Data Protection (DPDP) Act, 2023, Indian businesses are now liable for unauthorized collection of personal data — including device inventory data. If an attacker exploits CVE-2023-21354 to enumerate apps on an employee's device (which may contain banking details, health info, or location history), your organization could face penalties under Section 6 (lawful basis) and Section 8 (consent requirements). CERT-In's guidelines also mandate that organizations report data breaches within 6 hours — but you can't report what you don't detect.
Second, supply chain risk. Many Indian SMBs operate in fintech, healthcare, and e-commerce. If your employees' devices are compromised via this vulnerability, attackers gain visibility into which banking integrations, payment gateways, or compliance tools you're using. This intelligence feeds into targeted ransomware campaigns and vendor-specific exploits. I've reviewed hundreds of Indian SMB security postures, and the pattern is consistent: attackers enumerate the tech stack before they strike.
Third, BYOD governance gaps. RBI's guidelines on cybersecurity in banking and financial services require organizations to maintain an inventory of connected devices and their security posture. But how can you maintain that inventory if attackers can silently query app lists? You lose visibility into what's actually installed on employee devices.
Technical Breakdown
Let's understand how this attack works.
The Vulnerability Mechanics
Android's Package Manager Service (PackageManager) is the API that apps use to query installed packages. Normally, to call queryInstalledPackages() or getInstalledApplications(), an app must declare the QUERY_ALL_PACKAGES permission:
```xml
<!-- AndroidManifest.xml -->
<uses-permission android:name="android.permission.QUERY_ALL_PACKAGES" />
```
When an app requests this permission, users see a clear prompt in the permission dialog. This is the intended security boundary.
However, CVE-2023-21354 exploits a side-channel — an indirect way to extract the same information without triggering the permission check. The vulnerability exists in how the Package Manager Service handles certain internal API calls and caches.
Here's the attack flow:
```mermaid
graph TD
    A[Malicious App Installed] -->|Makes implicit intent query| B[Package Manager Service]
    B -->|Resolves intent without QUERY_ALL_PACKAGES check| C[Returns app existence info]
    C -->|Side-channel: response time/error codes| D[Attacker infers installed apps]
    D -->|Enumerates banking, VPN, auth apps| E[Targets device with precision]
    E -->|Delivers payload to specific app| F[Compromise]
```
The Attack in Practice
An attacker doesn't need the explicit permission. Instead, they can:
- Use implicit intents — Fire broad intent queries (e.g., ACTION_VIEW with URLs) that the Package Manager resolves internally.
- Measure response times — Apps that exist resolve faster than apps that don't.
- Analyze error codes — Different error messages leak information about whether an app is installed.
- Monitor system broadcasts — Certain system events reveal app installation state.
```kotlin
// Vulnerable code — no QUERY_ALL_PACKAGES permission needed
import android.content.Context
import android.content.Intent
import android.content.pm.PackageManager

class AppEnumerator(private val context: Context) {
    fun isAppInstalledSideChannel(packageName: String): Boolean {
        val intent = Intent(Intent.ACTION_VIEW)
        intent.setPackage(packageName)
        // This query doesn't require QUERY_ALL_PACKAGES
        val resolveInfo = context.packageManager.resolveActivity(intent, 0)
        // If resolveInfo is not null, the app is installed
        return resolveInfo != null
    }

    fun enumerateInstalledApps(targetPackages: List<String>): List<String> {
        val installed = mutableListOf<String>()
        for (pkg in targetPackages) {
            if (isAppInstalledSideChannel(pkg)) {
                installed.add(pkg)
            }
        }
        return installed
    }
}

// Usage (from an Activity or Service, where a Context is available)
val enumerator = AppEnumerator(context)
val targetApps = listOf(
    "com.google.android.apps.nbu.paisa.user", // Google Pay
    "com.phonepe.app", // PhonePe
    "com.jio.jioplay", // Jio
    "com.cisco.anyconnect.vpn" // Corporate VPN
)
val detectedApps = enumerator.enumerateInstalledApps(targetApps)
println("Detected: $detectedApps") // Attacker now knows your tech stack
```
This code requires zero permissions but reveals which financial and security apps are installed.
Why Patches Were Slow
Google patched this in February 2023 for Android 13 and later, but older devices (Android 5.0 to 12) remained vulnerable for months. In India, where device upgrade cycles are long and many users run Android 10-11, this created a massive exposure window.
How to Protect Your Business
Here's a practical defense-in-depth approach for Indian SMBs:
| Protection Layer | Action | Difficulty |
|---|---|---|
| Device-Level | Enforce Android 13+ for all work devices; disable sideloading | Medium |
| App-Level | Audit app permissions; remove unused apps | Easy |
| Network-Level | Monitor for suspicious intent queries via Mobile Threat Defense | Hard |
| Policy-Level | Require BYOD enrollment in MDM; enforce patch management | Medium |
| Detection-Level | Run vulnerability scans on employee devices | Easy |
Immediate Actions
1. Audit Your Device Fleet
If you manage Android devices via an MDM (Mobile Device Management) solution, run this query to identify vulnerable devices:
```bash
# ADB command to check Android version on connected device
adb shell getprop ro.build.version.release
# If output is 12 or lower, device is vulnerable
# Expected output: 13.0 or higher (safe), 12.0 or lower (vulnerable)
```
For multiple devices:
```bash
#!/bin/bash
# scan_android_versions.sh
# Audit all connected ADB devices for CVE-2023-21354 vulnerability
echo "Scanning connected Android devices..."
adb devices | grep -v "List" | grep "device$" | while read -r device _; do
    # strip the carriage return that adb shell appends on some hosts
    version=$(adb -s "$device" shell getprop ro.build.version.release | tr -d '\r')
    major_version=$(echo "$version" | cut -d. -f1)
    if [ "$major_version" -le 12 ]; then
        echo "[VULNERABLE] Device $device: Android $version"
    else
        echo "[SAFE] Device $device: Android $version"
    fi
done
```
Run this across your organization:
```bash
chmod +x scan_android_versions.sh
./scan_android_versions.sh > device_audit.txt
grep VULNERABLE device_audit.txt # See vulnerable devices
```
2. Implement App Whitelisting
Use your MDM to restrict which apps can be installed. For Google Workspace or Microsoft Intune users:
```yaml
# Example: Restrict to approved apps only (via MDM policy)
# This prevents malicious apps from being installed in the first place
Approved Apps:
  - com.google.android.apps.nbu.paisa.user (Google Pay)
  - com.phonepe.app (PhonePe)
  - com.microsoft.intune.companyportal (Intune)
  - com.cisco.anyconnect.vpn (Cisco AnyConnect)
Blocked Apps:
  - Any app not explicitly approved
```
3. Monitor Intent Queries
If you have a Mobile Threat Defense (MTD) solution, enable logging for package enumeration attempts:
```bash
# Dump the current device log and keep suspicious intent resolution entries
# (-d dumps and exits; without it logcat streams forever and the file is never closed)
adb logcat -d | grep "ResolveInfo\|resolveActivity" > intent_log.txt
# Analyze for patterns of rapid app enumeration
grep -c "resolveActivity" intent_log.txt # High count = suspicious
```
4. Require Patch Management
In your MDM policy, mandate:
- Security patches applied within 30 days of release
- Android OS updates to 13+ within 90 days
- Monthly patch verification audits
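An added fleet-audit script that extends step 1 (device audit) and step 4 (patch management) above; it is example code, not the script from the original post. It reads both ro.build.version.release and ro.build.version.security_patch (real Android build properties), treats Android 13+ as fixed, treats the March 2023 patch level named in the FAQ as a backported fix on older releases, and reports preview builds, whose release string is a codename letter rather than a number, as UNKNOWN instead of failing on the numeric comparison. The four labels and the --scan flag are this example's own conventions.

```shell
#!/bin/sh
# Added example, not the post's script. Classifies a device from two real build
# properties: ro.build.version.release and ro.build.version.security_patch.
# Thresholds follow the post: Android 13+ is fixed (SAFE); the March 2023 patch level
# named in the FAQ is treated as a backported fix on older releases (PATCHED).
# The --scan flag and the four labels are this example's own conventions.

# classify_device RELEASE SECURITY_PATCH -> prints SAFE | PATCHED | VULNERABLE | UNKNOWN
classify_device() {
    release=$1
    patch=$2
    major=${release%%.*}                 # "12.1" -> "12", "13" -> "13"
    case $major in
        ''|*[!0-9]*) echo UNKNOWN; return 0 ;;   # preview builds report a codename letter
    esac
    if [ "$major" -ge 13 ]; then
        echo SAFE; return 0
    fi
    patch_num=$(printf '%s' "$patch" | tr -d '-')   # "2023-03-05" -> "20230305"
    case $patch_num in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])
            if [ "$patch_num" -ge 20230301 ]; then
                echo PATCHED; return 0
            fi ;;
    esac
    echo VULNERABLE
}

# scan_fleet: classify every device adb currently sees (state "device" only).
scan_fleet() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r serial; do
        rel=$(adb -s "$serial" shell getprop ro.build.version.release | tr -d '\r')
        pat=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
        printf '[%s] %s: Android %s, patch %s\n' \
            "$(classify_device "$rel" "$pat")" "$serial" "$rel" "$pat"
    done
}

# Only talk to adb when asked, so the classifier can be sourced and checked offline.
if [ "${1:-}" = "--scan" ]; then
    scan_fleet
fi
```

Run it as `./audit_fleet.sh --scan` with devices attached; sourcing the file without the flag only defines the functions.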
For IT Teams: Detection Rules
If you're monitoring employee devices, set up alerts for:
Alert Condition 1: Multiple intent resolution queries in <1 minute
Alert Condition 2: App enumeration against known banking/payment apps
Alert Condition 3: Rapid package name queries from unknown app
Response: Quarantine device, scan for malware, notify user
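The three alert conditions implemented as an added example (not code from the original post), run over constructed lookup events. The event format, the hypothetical MTD-agent export that would produce it, and the threshold of five lookups per minute are assumptions; the watchlist packages are the ones named earlier in this post.

```shell
#!/bin/sh
# Added example, not the post's code. Implements the three alert conditions over
# lookup events exported by a hypothetical MTD agent, one per line, time-ordered:
#   <epoch-seconds> <caller-package> <queried-package>
# The event format and the five-per-minute threshold are assumptions; the watchlist
# packages are the ones named earlier in the post.
RATE_MAX=5
WATCHLIST='com.google.android.apps.nbu.paisa.user com.phonepe.app com.cisco.anyconnect.vpn'
APPROVED='com.microsoft.intune.companyportal com.cisco.anyconnect.vpn'

# detect_enumeration < events  -> one "ALERT <rule> <caller>" line per caller and rule
detect_enumeration() {
    awk -v max="$RATE_MAX" -v wl="$WATCHLIST" -v ok="$APPROVED" '
    BEGIN {
        n = split(wl, a, " "); for (i = 1; i <= n; i++) watch[a[i]] = 1
        n = split(ok, b, " "); for (i = 1; i <= n; i++) approved[b[i]] = 1
    }
    {
        t = $1 + 0; caller = $2; target = $3
        # Alert 2: lookup of a banking, payment or VPN package on the watchlist
        if ((target in watch) && !(caller in seen_wl)) {
            seen_wl[caller] = 1; print "ALERT watchlist " caller
        }
        # Alert 1: more than max lookups by one caller inside any 60-second window,
        # kept as a per-caller queue of timestamps (events arrive in time order)
        if (!(caller in head)) { head[caller] = 1; tail[caller] = 0 }
        tail[caller]++; ts[caller, tail[caller]] = t
        while (ts[caller, head[caller]] < t - 60) head[caller]++
        if (tail[caller] - head[caller] + 1 > max && !(caller in seen_rate)) {
            seen_rate[caller] = 1; print "ALERT rate " caller
            # Alert 3: the same burst from a package outside the approved list
            if (!(caller in approved)) print "ALERT unknown-app " caller
        }
    }'
}

# Constructed sample: a flashlight app probing six packages in 25 seconds,
# plus two benign single lookups from other apps.
SAMPLE_EVENTS='1700000000 com.example.flashlight com.phonepe.app
1700000005 com.example.flashlight com.google.android.apps.nbu.paisa.user
1700000010 com.example.flashlight com.jio.jioplay
1700000015 com.example.flashlight com.cisco.anyconnect.vpn
1700000020 com.example.flashlight com.example.bank1
1700000025 com.example.flashlight com.example.bank2
1700000100 com.microsoft.intune.companyportal com.example.mail
1700000400 com.example.weather com.example.news'

# run_sample -> alerts for the constructed events (three lines, all for the flashlight app)
run_sample() { printf '%s\n' "$SAMPLE_EVENTS" | detect_enumeration; }
```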
How Bachao.AI Detects This
When I was architecting security systems for large enterprises, we built detection layers that operated at multiple levels — device, app, and network. That's exactly why I built Bachao.AI to make this kind of protection accessible to Indian SMBs.
- VAPT Scan (Free → ) — Our vulnerability assessment includes Android app security testing. We simulate CVE-2023-21354 exploitation to identify if your apps are vulnerable to side-channel attacks. Book your free scan today: /#book-scan
- Dark Web Monitoring (/month) — If your employees' credentials were harvested via this vulnerability, we'll detect them on dark web marketplaces within hours and alert you before they're used.
- Security Training (/employee/year) — We run phishing simulations that teach employees to recognize malicious apps and avoid sideloading. This is the human layer of defense.
- Cloud Security (/month) — If your Android apps connect to AWS/GCP backends, we audit those APIs for information disclosure vulnerabilities that attackers could exploit after enumerating your app stack.
- Incident Response (24/7, + incident fees) — If a device is compromised via this vulnerability, our incident response team will contain the breach, preserve evidence for CERT-In notification (mandatory within 6 hours), and guide you through DPDP Act compliance.
Real Example: How We Detected This
One of our SMB clients in fintech discovered through our VAPT Scan that their Android app was leaking package names via implicit intents. We:
- Identified the vulnerable code (similar to the Kotlin example above)
- Recommended patching to Android 13+
- Added runtime checks to validate the calling app
- Implemented app signing verification
Key Takeaways
- CVE-2023-21354 is a silent reconnaissance tool. Attackers map your tech stack without permission prompts or user interaction.
- India's DPDP Act makes you liable. Unauthorized app enumeration = unauthorized personal data collection = potential penalties.
- Patch now, audit later. Android 13+ is safe; Android 12 and below are vulnerable.
- BYOD governance is critical. If you don't enforce device security policies, employees' devices become your vulnerability.
- Detection requires multiple layers. Device scanning, app auditing, network monitoring, and threat intelligence work together.
Next Steps
- Run your device audit using the ADB commands above
- Identify vulnerable devices (Android 12 and below)
- Enforce Android 13+ policy in your MDM
- Audit your apps for side-channel vulnerabilities — book a free VAPT scan
- Enable dark web monitoring to detect if your employees' data was already compromised
Originally reported by: NIST NVD (CVE-2023-21354)
Frequently Asked Questions
What is the Android Package Manager vulnerability CVE-2023-21354? CVE-2023-21354 is a flaw in Android's Package Manager that allows apps to query installed applications on a device without the required permissions, enabling a form of reconnaissance that can be used for targeted spyware campaigns.
Why is knowing which apps are installed on a device dangerous? Knowing installed apps reveals high-value targets — banking apps, VPN clients, MDM agents, and authentication apps. Attackers can craft targeted phishing or overlay attacks based on what apps are present.
Does this vulnerability require a malicious app to be installed? Yes, a malicious app needs to be installed to exploit this flaw, but it needs no special permissions. A seemingly harmless utility app could silently enumerate installed applications.
How does this threat affect Indian SMBs under CERT-In guidelines? CERT-In requires organizations to report security incidents within 6 hours of detection. A spyware attack leveraging this vulnerability that exfiltrates business data triggers mandatory reporting obligations under the IT Act, 2000.
What is the recommended patch level to fix this vulnerability? Devices should be updated to the Android March 2023 security patch or later. Businesses should use Mobile Device Management (MDM) to enforce this policy across all employee devices.
Protect your business with Bachao.AI — India's automated vulnerability assessment and penetration testing platform. Get a comprehensive security scan of your web applications and infrastructure. Visit Bachao.AI to get started.
Written by Shouvik Mukherjee, Founder of Bachao.AI by Dhisattva AI Pvt Ltd. Follow on LinkedIn for daily cybersecurity insights for Indian businesses.