CVE-2021-0990 in Androidinfo

Summary

by MITRE • 12/15/2021

In getDeviceId of PhoneSubInfoController.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-185591180

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 12/18/2021

The vulnerability identified as CVE-2021-0990 resides within the Android operating system's PhoneSubInfoController.java component, specifically in the getDeviceId method implementation. This flaw represents a significant information disclosure issue that exploits side channel attack vectors to reveal application installation status without requiring explicit query permissions or user interaction. The vulnerability affects Android 12 systems and has been assigned the Android ID A-185591180, indicating its severity and classification within the Android security framework.

The technical mechanism behind this vulnerability involves the improper handling of device identification information that inadvertently leaks metadata about installed applications. When an application attempts to access device identification information through the getDeviceId method, the system's response pattern reveals subtle timing differences or memory access patterns that can be analyzed to determine whether specific applications are present on the device. This side channel information disclosure occurs because the system does not properly mask or normalize the response behavior when querying device identifiers, creating observable variations that correlate with application installation status. The vulnerability operates at the system level without requiring additional privileges, making it particularly concerning as it can be exploited by any application with basic device access permissions.

The operational impact of this vulnerability extends beyond simple information disclosure, as it creates potential pathways for malicious actors to build comprehensive profiles of device users. Attackers can leverage this weakness to determine which applications are installed on a target device, potentially enabling more sophisticated attacks such as application-specific exploitation, targeted phishing campaigns, or behavioral profiling. The vulnerability's accessibility means that any application running on the device can potentially exploit this weakness, creating a persistent threat vector that could be abused for surveillance or data collection purposes. This information disclosure capability undermines user privacy and can be particularly damaging in environments where device security is paramount, such as enterprise settings or applications handling sensitive data.

Mitigation strategies for CVE-2021-0990 should focus on implementing proper input sanitization and response normalization techniques within the PhoneSubInfoController component. System-level patches should ensure that device identifier queries return consistent responses regardless of application installation status, eliminating the side channel that enables information leakage. Organizations should prioritize updating to patched Android 12 releases that address this vulnerability, while also implementing network monitoring to detect potential exploitation attempts. The vulnerability aligns with CWE-200 (Information Exposure) and can be categorized under ATT&CK technique T1083 (File and Directory Discovery) and T1566 (Phishing) as it enables reconnaissance activities that can lead to more sophisticated attacks. Security teams should also consider implementing application whitelisting policies and monitoring for unusual device information queries that could indicate exploitation attempts.

Reservation

11/06/2020

Disclosure

12/15/2021

Moderation

accepted

CPE

ready

EPSS

0.00110

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!