What Happened
In early 2023, security researchers discovered CVE-2023-21350, a side-channel vulnerability in Android's Media Projection framework that allows attackers to determine whether specific apps are installed on a device—without requiring any query permissions.
The vulnerability exists in Android's Media Projection service, a legitimate system feature that apps use to capture screen content (for screen recording, streaming, or presentation tools). However, the implementation has a subtle flaw: it leaks information about installed applications through timing and behavioral side channels. An attacker doesn't need to exploit a memory corruption bug or gain elevated privileges. They simply need to craft a malicious app that observes how the Media Projection framework responds to certain requests.
What makes this particularly dangerous is the zero interaction requirement. Users don't need to grant permissions, accept prompts, or even know the malicious app is running. The vulnerability is purely local—meaning the attacker's app must already be installed on the device—but once installed, it can silently enumerate which apps are present.
Why This Matters for Indian Businesses
If you're running an Indian SMB with mobile users, this vulnerability affects you more than you might think. Here's why:
Enterprise App Detection: Attackers can use this vulnerability to map corporate infrastructure. If your organization uses specific banking apps, accounting software, or enterprise communication tools, a malicious app can detect these. This reconnaissance helps attackers plan targeted attacks—they know exactly which systems your company uses.
Supply Chain Risk: If you're a B2B SaaS company serving Indian enterprises, your app could be targeted. Attackers probe for your app's presence to identify your customers, then launch targeted phishing or malware campaigns against those companies.
Data Exfiltration Planning: Before stealing data, attackers need to know what's available. This vulnerability is often used in the reconnaissance phase of a multi-stage attack. Once they know which apps (banking, messaging, productivity) are installed, they can craft follow-up exploits.
In my years building enterprise systems for Fortune 500 companies, I've seen how reconnaissance vulnerabilities like this are the opening move in sophisticated attacks. They seem low-severity until you realize they're the blueprint for everything that follows.
Technical Breakdown: How the Attack Works
Let me walk you through the mechanics of this vulnerability:
The Side-Channel Mechanism
Android's Media Projection service is designed to handle requests from apps that want to capture screen content. When an app requests this capability, the system checks if the requesting app is allowed, and then manages the projection session.
The vulnerability lies in how the system responds differently depending on whether a specific app is installed. Here's the attack flow:
```mermaid
graph TD
    A[Malicious App Installed] -->|Queries Media Projection| B{App X Installed?}
    B -->|YES: Specific Response| C[System Returns Permission Prompt]
    B -->|NO: Different Response| D[System Returns Error/Timeout]
    C -->|Attacker Observes| E[Maps Installed Apps]
    D -->|Attacker Observes| E
    E -->|Builds Profile| F[Targets Next Attack]
```
The Code-Level Exploit
Here's a simplified example of how an attacker might probe for installed apps using this vulnerability:
```java
// Malicious app code to detect installed apps via Media Projection side-channel
import android.content.Context;
import android.content.pm.PackageManager;
import android.media.projection.MediaProjectionManager;

public class AppDetector {
    private Context context;
    private MediaProjectionManager mpm;

    public AppDetector(Context context) {
        this.context = context;
        this.mpm = (MediaProjectionManager) context.getSystemService(
                Context.MEDIA_PROJECTION_SERVICE
        );
    }

    public boolean isAppInstalled(String packageName) {
        try {
            // Attempt to trigger Media Projection behavior
            // The timing and response type varies based on installed apps
            long startTime = System.currentTimeMillis();
            // This query behaves differently if the app is installed
            boolean canCapture = checkProjectionCapability(packageName);
            long duration = System.currentTimeMillis() - startTime;
            // Timing differences and response types reveal app installation
            return (duration < 50); // Simplified heuristic
        } catch (Exception e) {
            return false;
        }
    }

    private boolean checkProjectionCapability(String packageName) {
        // Side-channel: System behaves differently for installed apps
        try {
            context.getPackageManager().getPackageInfo(
                    packageName,
                    PackageManager.GET_ACTIVITIES
            );
            return true;
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }
}
```
Why It's Hard to Detect
Unlike traditional exploits, this vulnerability doesn't:
- Crash the system
- Write to disk
- Access sensitive files
- Trigger permission warnings
How to Protect Your Business
If you're responsible for Android security in your organization, here's your defense strategy:
| Protection Layer | Action | Difficulty |
|---|---|---|
| Device Updates | Ensure all Android devices run latest security patches (Android 14+) | Easy |
| App Permissions | Audit and revoke unnecessary app permissions in MDM | Medium |
| MDM Policy | Restrict sideloaded apps; enforce app allowlist | Medium |
| App Vetting | Use Google Play Protect; avoid third-party app stores | Easy |
| Network Monitoring | Monitor for suspicious data exfiltration patterns | Hard |
| User Training | Educate employees on app installation risks | Easy |
Immediate Actions for Indian SMBs
1. Audit Your Android Fleet
If your organization manages employee devices, start by understanding what's installed:
```sh
# If using Android MDM (via adb or MDM console)
adb shell pm list packages > installed_apps.txt
# Check for suspicious or unnecessary apps (drop the stock Android/Google packages)
grep -v "com.android" installed_apps.txt | grep -v "com.google"
```
2. Deploy Mobile Device Management (MDM)
For Indian SMBs, MDM is non-negotiable under DPDP compliance. Solutions like Microsoft Intune, Google Workspace, or MobileIron allow you to:
- Push security patches automatically
- Enforce app allowlists
- Monitor device health
- Wipe devices remotely if compromised
```sh
# Via adb, enforce Google Play as the only app source
# Note: on Android 8.0 and later the global "Unknown sources" toggle was replaced by a
# per-app "Install unknown apps" control, so enforce this through the MDM restriction
# policy there; the setting below applies to older devices.
adb shell settings put secure install_non_market_apps 0
```
4. Monitor for Reconnaissance Activity
While you can't directly detect this vulnerability being exploited, you can detect its aftermath—when attackers use the gathered intelligence:
- Suspicious network traffic from unknown apps
- Unusual permission requests from recently installed apps
- Timing anomalies in app startup (apps querying Media Projection repeatedly)
Google released patches for CVE-2023-21350 in the following Android versions:
- Android 14 (December 2023 security patch)
- Android 13 (January 2024 security patch)
- Android 12 (January 2024 security patch)
- Android 11 and below: No patch available (end of support)
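The fleet audit and version check described above, combined into one triage script. This is an added example and not Bachao.AI's tooling: it applies the patch table to the `ro.build.version.release` and `ro.build.version.security_patch` properties read from each device (both are standard Android properties), and reuses the article's `grep -v` filter on `pm list packages` output. The device names and values embedded at the bottom are constructed sample data.

```shell
#!/bin/sh
# Fleet triage helper (added example; not the article's or Bachao.AI's tooling).
# Inputs per device, read with:
#   adb shell getprop ro.build.version.release         -> Android version
#   adb shell getprop ro.build.version.security_patch  -> YYYY-MM-DD patch level
# The sample fleet at the bottom is constructed data, not real devices.

# classify_device RELEASE PATCH_LEVEL -> prints OK, PATCH_NEEDED or UNSUPPORTED
classify_device() {
    major="${1%%.*}"                              # "13.0" -> "13"
    patch_num=$(printf '%s' "$2" | tr -d '-')     # "2023-12-05" -> 20231205
    patch_num=${patch_num:-0}                     # unknown patch level: treat as old
    if [ "$major" -ge 14 ]; then
        min_patch=20231201                        # Android 14+: December 2023 patch
    elif [ "$major" -ge 12 ]; then
        min_patch=20240101                        # Android 12/13: January 2024 patch
    else
        echo UNSUPPORTED                          # Android 11 and below: no fix
        return 0
    fi
    if [ "$patch_num" -lt "$min_patch" ]; then
        echo PATCH_NEEDED
    else
        echo OK
    fi
}

# third_party_packages < PM_LIST_OUTPUT -> package names outside com.android/com.google
third_party_packages() {
    sed -n 's/^package://p' | grep -v '^com\.android' | grep -v '^com\.google' || true
}

# Constructed sample fleet: "device release security_patch" per line
SAMPLE_FLEET='sales-01 14 2023-12-05
sales-02 13 2023-11-05
finance-01 11 2023-03-05'

# triage_fleet -> one "device<TAB>status" line per sample device
triage_fleet() {
    printf '%s\n' "$SAMPLE_FLEET" | while read -r name release patch; do
        printf '%s\t%s\n' "$name" "$(classify_device "$release" "$patch")"
    done
}

triage_fleet
```

In a real fleet, replace `SAMPLE_FLEET` with the output of the two `getprop` calls per device and pipe `adb shell pm list packages` into `third_party_packages`.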
What You Should Do Right Now
- Check your Android versions: Run `adb shell getprop ro.build.version.release` on all company devices. Anything below Android 12 needs immediate attention.
- Audit installed apps: Use your MDM console (or adb) to list all apps. Remove anything unnecessary.
- Update security policies: Require Google Play as the sole app source. Block sideloading.
- Test your incident response: If a device is compromised, can you detect it within 6 hours (CERT-In mandate)? If not, you need better monitoring.
- Book a free VAPT Scan: We'll assess your mobile security posture and provide a detailed report. Bachao.AI
Originally reported by NIST NVD
Written by Shouvik Mukherjee, Founder & CEO of Bachao.AI. Follow me on LinkedIn for daily cybersecurity insights for Indian businesses.
How Bachao.AI Addresses Reconnaissance Vulnerabilities
Bachao.AI by Dhisattva AI Pvt Ltd provides automated vulnerability scanning that tests Android applications, APIs, and cloud infrastructure for information disclosure flaws, side-channel vulnerabilities, and reconnaissance attack surfaces. Our platform helps Indian SMBs identify these early-stage attack vectors before adversaries use them to plan targeted follow-up attacks.
Frequently Asked Questions
What is CVE-2023-21350? CVE-2023-21350 is a side-channel vulnerability in Android's Media Projection framework that allows a malicious app to determine which other apps are installed on a device without requiring query permissions. Attackers use this to map corporate app usage — identifying which business tools, banking apps, and enterprise software a target organization uses — to plan targeted follow-up attacks.
Why does this matter for Indian SMBs? Indian enterprises increasingly use specialized apps for business operations — from banking and payment apps to enterprise ERPs and communication tools. An attacker who knows which apps you use can craft highly targeted phishing campaigns, supply chain attacks, or follow-up exploits against those specific applications. DPDP Act liability applies if this reconnaissance contributes to a data breach.
How can my organization mitigate this? Patch all corporate Android devices to post-March 2023 security update levels. Implement an MDM policy that audits installed apps on corporate devices and blocks sideloaded apps from unknown sources. For high-sensitivity use cases, consider device segmentation — keeping business-critical apps on dedicated, tightly-managed devices separate from personal use.
Protect your business with Bachao.AI — India's automated vulnerability assessment and penetration testing platform. Get a comprehensive security scan of your web applications and infrastructure. Visit Bachao.AI to get started.