CVE-2021-0988 in Android
Summary
by MITRE • 12/15/2021
In getLaunchedFromUid and getLaunchedFromPackage of ActivityClientController.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-191954233
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 12/18/2021
This vulnerability exists in Android 12's ActivityClientController.java component where the getLaunchedFromUid and getLaunchedFromPackage methods expose side channel information that allows unauthorized determination of application installation status. The flaw stems from insufficient access control mechanisms that permit information disclosure through indirect means rather than direct querying of package information. Attackers can exploit this weakness to infer whether specific applications are installed on the device without requiring explicit query permissions or additional privileges, effectively creating a covert channel for reconnaissance activities.
The technical implementation of this vulnerability involves the improper handling of application launch context information within the Android framework. When applications attempt to determine launch origins through these methods, the system inadvertently reveals information about installed packages through timing variations, memory access patterns, or other observable side channel characteristics. This represents a classic information disclosure vulnerability where the system's response behavior itself provides actionable intelligence about the device's software environment. The vulnerability aligns with CWE-200 (Information Exposure) and potentially CWE-310 (Cryptographic Issues) when considering the side channel aspects.
The operational impact of this vulnerability extends beyond simple information gathering as it enables sophisticated reconnaissance attacks that can map application landscapes without user interaction. An attacker could systematically test for the presence of specific applications by monitoring the side channel responses, potentially identifying sensitive applications or those with known vulnerabilities. This capability significantly reduces the attack surface for subsequent exploitation attempts, as attackers can prioritize their efforts on targets that are actually present on the device rather than conducting broad, inefficient scans.
Mitigation strategies should focus on implementing proper access controls and eliminating the information leakage through the affected methods. Android security patches should ensure that getLaunchedFromUid and getLaunchedFromPackage methods do not expose installation status information through side channels. Organizations should apply the latest security updates immediately and consider implementing additional monitoring for unusual access patterns that might indicate exploitation attempts. From an ATT&CK framework perspective, this vulnerability relates to T1069.001 (Permission Groups) and T1592 (Gather Victim Host Information) as it enables attackers to collect host information without proper authorization. The vulnerability demonstrates how seemingly benign system functionality can create security risks when proper isolation and access control mechanisms are not properly implemented.