CVE-2023-21350 lets Android apps detect installed software without permissions, enabling targeted recon on Indian SMBs. Learn to reduce your mobile attack surface.

CVE-2023-21350: How Android Apps Leak Installation Data

What Happened

In early 2023, security researchers discovered CVE-2023-21350, a side-channel vulnerability in Android's Media Projection framework that allows attackers to determine whether specific apps are installed on a device—without requiring any query permissions.

The vulnerability exists in Android's Media Projection service, a legitimate system feature that apps use to capture screen content (for screen recording, streaming, or presentation tools). However, the implementation has a subtle flaw: it leaks information about installed applications through timing and behavioral side channels. An attacker doesn't need to exploit a memory corruption bug or gain elevated privileges. They simply need to craft a malicious app that observes how the Media Projection framework responds to certain requests.

What makes this particularly dangerous is the zero interaction requirement. Users don't need to grant permissions, accept prompts, or even know the malicious app is running. The vulnerability is purely local—meaning the attacker's app must already be installed on the device—but once installed, it can silently enumerate which apps are present.

CVSS Score5.5 (Medium)

Attack VectorLocal

Privileges RequiredNone

User InteractionNot Required

ImpactInformation Disclosure

Why This Matters for Indian Businesses

If you're running an Indian SMB with mobile users, this vulnerability affects you more than you might think. Here's why:

Enterprise App Detection: Attackers can use this vulnerability to map corporate infrastructure. If your organization uses specific banking apps, accounting software, or enterprise communication tools, a malicious app can detect these. This reconnaissance helps attackers plan targeted attacks—they know exactly which systems your company uses.

Supply Chain Risk: If you're a B2B SaaS company serving Indian enterprises, your app could be targeted. Attackers probe for your app's presence to identify your customers, then launch targeted phishing or malware campaigns against those companies.

Data Exfiltration Planning: Before stealing data, attackers need to know what's available. This vulnerability is often used in the reconnaissance phase of a multi-stage attack. Once they know which apps (banking, messaging, productivity) are installed, they can craft follow-up exploits.

In my years building enterprise systems for Fortune 500 companies, I've seen how reconnaissance vulnerabilities like this are the opening move in sophisticated attacks. They seem low-severity until you realize they're the blueprint for everything that follows.

⚠️

WARNING

An attacker can silently enumerate your users' installed apps without permission—and use that information to plan targeted attacks on your organization.

Technical Breakdown: How the Attack Works

Let me walk you through the mechanics of this vulnerability:

The Side-Channel Mechanism

Android's Media Projection service is designed to handle requests from apps that want to capture screen content. When an app requests this capability, the system checks if the requesting app is allowed, and then manages the projection session.

The vulnerability lies in how the system responds differently depending on whether a specific app is installed. Here's the attack flow:

graph TD
    A[Malicious App Installed] -->|Queries Media Projection| B{App X Installed?}
    B -->|YES: Specific Response| C[System Returns Permission Prompt]
    B -->|NO: Different Response| D[System Returns Error/Timeout]
    C -->|Attacker Observes| E[Maps Installed Apps]
    D -->|Attacker Observes| E
    E -->|Builds Profile| F[Targets Next Attack]

The Code-Level Exploit

Here's a simplified example of how an attacker might probe for installed apps using this vulnerability:

java

// Malicious app code to detect installed apps via Media Projection side-channel
import android.media.projection.MediaProjectionManager;
import android.content.Context;
import android.content.pm.PackageManager;

public class AppDetector {
    private Context context;
    private MediaProjectionManager mpm;
    
    public AppDetector(Context context) {
        this.context = context;
        this.mpm = (MediaProjectionManager) context.getSystemService(
            Context.MEDIA_PROJECTION_SERVICE
        );
    }
    
    public boolean isAppInstalled(String packageName) {
        try {
            // Attempt to trigger Media Projection behavior
            // The timing and response type varies based on installed apps
            long startTime = System.currentTimeMillis();
            
            // This query behaves differently if the app is installed
            boolean canCapture = checkProjectionCapability(packageName);
            
            long duration = System.currentTimeMillis() - startTime;
            
            // Timing differences and response types reveal app installation
            return (duration < 50); // Simplified heuristic
            
        } catch (Exception e) {
            return false;
        }
    }
    
    private boolean checkProjectionCapability(String packageName) {
        // Side-channel: System behaves differently for installed apps
        try {
            context.getPackageManager().getPackageInfo(
                packageName, 
                PackageManager.GET_ACTIVITIES
            );
            return true;
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }
}

Why It's Hard to Detect

Unlike traditional exploits, this vulnerability doesn't:

Crash the system
Write to disk
Access sensitive files
Trigger permission warnings

It simply observes the normal behavior of the Media Projection service and infers information from that behavior. Standard security tools miss it because there's no malicious system call—just clever observation.

🛡️

SECURITY

This is a passive information disclosure vulnerability. The attacker learns without leaving obvious forensic traces.

Know your vulnerabilities before attackers do

Run a free VAPT scan — takes 5 minutes, no signup required.

Book Your Free Scan

How to Protect Your Business

If you're responsible for Android security in your organization, here's your defense strategy:

Protection Layer	Action	Difficulty
Device Updates	Ensure all Android devices run latest security patches (Android 14+)	Easy
App Permissions	Audit and revoke unnecessary app permissions in MDM	Medium
MDM Policy	Restrict sideloaded apps; enforce app allowlist	Medium
App Vetting	Use Google Play Protect; avoid third-party app stores	Easy
Network Monitoring	Monitor for suspicious data exfiltration patterns	Hard
User Training	Educate employees on app installation risks	Easy

Immediate Actions for Indian SMBs

1. Audit Your Android Fleet

If your organization manages employee devices, start by understanding what's installed:

bash

# If using Android MDM (via adb or MDM console)
adb shell pm list packages > installed_apps.txt

# Check for suspicious or unnecessary apps
cat installed_apps.txt | grep -v "com.android" | grep -v "com.google"

2. Deploy Mobile Device Management (MDM)

For Indian SMBs, MDM is non-negotiable under DPDP compliance. Solutions like Microsoft Intune, Google Workspace, or MobileIron allow you to:

Push security patches automatically
Enforce app allowlists
Monitor device health
Wipe devices remotely if compromised

3. Enable Strict App Store Settings

bash

# Via adb, enforce Google Play as the only app source
adb shell settings put secure install_non_market_apps 0

💡

TIP

Set a MDM policy requiring Google Play as the sole app source. This single setting blocks ~90% of malicious Android apps.

4. Monitor for Reconnaissance Activity

While you can't directly detect this vulnerability being exploited, you can detect its aftermath—when attackers use the gathered intelligence:

Suspicious network traffic from unknown apps
Unusual permission requests from recently installed apps
Timing anomalies in app startup (apps querying Media Projection repeatedly)

5. Patch Timeline

Google released patches for CVE-2023-21350 in the following Android versions:

Android 14 (December 2023 security patch)
Android 13 (January 2024 security patch)
Android 12 (January 2024 security patch)
Android 11 and below: No patch available (end of support)

🎯Key Takeaway

For Android devices running Android 11 or earlier: These devices cannot be patched. If employees use Android 11 devices, consider mandatory device replacement or strict isolation policies (no sensitive data access).

What You Should Do Right Now

Check your Android versions: Run adb shell getprop ro.build.version.release on all company devices. Anything below Android 12 needs immediate attention.

Audit installed apps: Use your MDM console (or adb) to list all apps. Remove anything unnecessary.

Update security policies: Require Google Play as the sole app source. Block sideloading.

Test your incident response: If a device is compromised, can you detect it within 6 hours (CERT-In mandate)? If not, you need better monitoring.

Book a free VAPT Scan: We'll assess your mobile security posture and provide a detailed report. Bachao.AI

Originally reported by NIST NVD

Written by Shouvik Mukherjee, Founder & CEO of Bachao.AI. Follow me on LinkedIn for daily cybersecurity insights for Indian businesses.

How Bachao.AI Addresses Reconnaissance Vulnerabilities

Bachao.AI by Dhisattva AI Pvt Ltd provides automated vulnerability scanning that tests Android applications, APIs, and cloud infrastructure for information disclosure flaws, side-channel vulnerabilities, and reconnaissance attack surfaces. Our platform helps Indian SMBs identify these early-stage attack vectors before adversaries use them to plan targeted follow-up attacks.

35%YoY increase in SMB cyberattacks in India (CERT-In Annual Report 2024)

73%Indian SMBs that have never conducted a formal security audit (DSCI 2024)

⚠️

WARNING

Information disclosure vulnerabilities like CVE-2023-21350 are often dismissed as "low severity," but they are the reconnaissance step that enables high-severity follow-up attacks. Indian SMBs using enterprise apps on Android devices should treat app enumeration as a serious threat to their attack surface.

Frequently Asked Questions

What is CVE-2023-21350? CVE-2023-21350 is a side-channel vulnerability in Android's Media Projection framework that allows a malicious app to determine which other apps are installed on a device without requiring query permissions. Attackers use this to map corporate app usage — identifying which business tools, banking apps, and enterprise software a target organization uses — to plan targeted follow-up attacks.

Why does this matter for Indian SMBs? Indian enterprises increasingly use specialized apps for business operations — from banking and payment apps to enterprise ERPs and communication tools. An attacker who knows which apps you use can craft highly targeted phishing campaigns, supply chain attacks, or follow-up exploits against those specific applications. DPDP Act liability applies if this reconnaissance contributes to a data breach.

How can my organization mitigate this? Patch all corporate Android devices to post-March 2023 security update levels. Implement an MDM policy that audits installed apps on corporate devices and blocks sideloaded apps from unknown sources. For high-sensitivity use cases, consider device segmentation — keeping business-critical apps on dedicated, tightly-managed devices separate from personal use.

Protect your business with Bachao.AI — India's automated vulnerability assessment and penetration testing platform. Get a comprehensive security scan of your web applications and infrastructure. Visit Bachao.AI to get started.

CVE-2023-21350: How Android Apps Leak Installation Data

Bachao.AI Research Team

Get cybersecurity insights for Indian SMBs

Exposed to CVEs like this? Run a free VAPT scan — risk score in 2 hours, no credit card.