What is the Android Framework?
The Android Framework is the Java-layer software stack (system_server and the android.* APIs) that every Android app runs on top of: it provides system services, Binder inter-process communication, permission enforcement, and lifecycle management of activities, services and other components. A key security boundary is the separation between apps of different privilege levels and between apps and the system services that act on their behalf. The Framework's WorkSource class records which app's uid (and optionally package name) a unit of work such as a wakelock, alarm or job should be charged to for CPU and battery accounting; it is a Parcelable, so it is serialized into a Parcel when passed across a Binder call and deserialized again by the receiving process. Parcel mismatch bugs, where the code that writes a Parcelable and the code that reads it back disagree about its layout, have repeatedly been used to bypass Android's permission model, because a privileged reader can be made to interpret attacker-supplied bytes as fields it never validated.
Overview
CVE-2023-20963 is a local privilege escalation vulnerability in the Android Framework. The vendor description is a possible parcel mismatch in WorkSource that can lead to local escalation of privilege with no additional execution privileges and no user interaction needed; CISA's catalog entry frames it as allowing a locally installed app with standard permissions to escalate privileges after the app updates to a higher target SDK version. The vulnerability was patched in the March 2023 Android Security Bulletin. It became notable when Google suspended the Pinduoduo shopping app from the Google Play Store in March 2023 after security researchers found that versions of the app distributed outside of Play exploited this and other Android vulnerabilities to gain persistent elevated access on users' devices.
Affected Versions
| Product | Affected | Fixed |
|---|---|---|
| Android 11 | Yes | March 2023 Security Patch Level |
| Android 12 / 12L | Yes | March 2023 Security Patch Level |
| Android 13 | Yes | March 2023 Security Patch Level |
Android devices running security patch levels before March 2023 on these Android versions remain vulnerable.
Technical Details
Android's targetSdkVersion in an app's manifest controls which compatibility behaviors and permission checks the system applies to that app, which is why CISA's catalog entry frames the issue as escalation after an app updates to a higher target SDK. The underlying defect, per the vendor description, is a parcel mismatch in the Framework's WorkSource class: the code that writes a WorkSource into a Parcel and the code that reads it back do not consume the same fields. A Parcel is a flat byte buffer, and a Parcelable written into it carries no length header, so a reader that consumes fewer (or more) bytes than the writer emitted starts interpreting the next object in the same Parcel at the wrong offset. An unprivileged app can exploit that by placing bytes inside the WorkSource's fields that a privileged process (such as system_server) will later read as a different object, so that what the receiver acts on is not what any earlier validation pass saw.
The result is that an app with ordinary user-level permissions can trigger actions reserved for system-level components, including reading protected data, changing system settings and installing additional packages without user consent.
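The mechanism described above, as an added Python model of the parcel-mismatch bug class. This is not the real WorkSource or Parcel code and does not reproduce the actual field layout or the actual mismatch in CVE-2023-20963; the `Parcel` class, the hypothetical WorkSource layout (count, uids, has-names flag, names), the two readers and the request format are all assumptions made for illustration. What it shows is the property that matters: the same bytes parsed by a reader that mirrors the writer and by a reader that does not yield different "next objects", and the mismatched reader betrays itself by leaving bytes unconsumed.

```python
import struct


class Parcel:
    """Minimal stand-in for android.os.Parcel (hypothetical model, not the real
    class): a flat byte buffer plus a read cursor. Only little-endian int32 and
    length-prefixed UTF-8 strings are modelled, and there is no per-object
    length header, which is what makes a writer/reader mismatch dangerous."""

    def __init__(self, data=b""):
        self.buf = bytearray(data)
        self.pos = 0

    def write_int(self, v):
        self.buf += struct.pack("<i", v)

    def write_string(self, s):
        raw = s.encode("utf-8")
        self.write_int(len(raw))
        self.buf += raw

    def read_int(self):
        (v,) = struct.unpack_from("<i", self.buf, self.pos)
        self.pos += 4
        return v

    def read_string(self):
        n = self.read_int()
        raw = bytes(self.buf[self.pos:self.pos + n])
        self.pos += n
        return raw.decode("utf-8")

    def fully_consumed(self):
        return self.pos == len(self.buf)


def write_work_source(p, uids, names=None):
    """Sender side (writeToParcel analogue, hypothetical layout): count,
    one int per uid, a has-names flag, then one string per uid if names exist."""
    p.write_int(len(uids))
    for uid in uids:
        p.write_int(uid)
    p.write_int(1 if names is not None else 0)
    if names is not None:
        for name in names:
            p.write_string(name)


def read_work_source_mismatched(p):
    """Receiver side with a parcel mismatch: reads count, uids and the flag but
    never the name strings the writer emitted, so the read cursor stops inside
    the attacker-controlled name region instead of at the end of the object."""
    n = p.read_int()
    uids = [p.read_int() for _ in range(n)]
    p.read_int()  # flag is consumed, the names are not
    return uids


def read_work_source_fixed(p):
    """Receiver side that mirrors write_work_source field for field."""
    n = p.read_int()
    uids = [p.read_int() for _ in range(n)]
    if p.read_int():
        for _ in range(n):
            p.read_string()
    return uids


def build_request(action, smuggled):
    """Unprivileged app builds [WorkSource][action string]. The WorkSource name
    slot carries the string the app wants a mismatched privileged reader to see."""
    p = Parcel()
    write_work_source(p, [10123], [smuggled])
    p.write_string(action)
    return bytes(p.buf)


def parse_request(data, read_work_source):
    """Privileged side: returns (uids, action, consumed_all). A reader that
    leaves bytes behind (consumed_all is False) is the tell-tale of a mismatch."""
    p = Parcel(data)
    uids = read_work_source(p)
    action = p.read_string()
    return uids, action, p.fully_consumed()


if __name__ == "__main__":
    # Constructed request: the sender's real action is a benign query; the
    # smuggled name is what a mismatched reader will mistake for the action.
    wire = build_request("query_stats", "install_package")
    print("fixed reader     :", parse_request(wire, read_work_source_fixed))
    print("mismatched reader:", parse_request(wire, read_work_source_mismatched))
```

The fixed reader returns the benign action `query_stats`; the mismatched reader returns `install_package`, the string the unprivileged sender controlled, and reports that it did not consume the whole buffer. In a real code base the fix is to make `writeToParcel` and the `CREATOR` path consume exactly the same fields, and a cheap regression check is to compare `Parcel.dataPosition()` before and after a round trip of every Parcelable in a test.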
Discovery
The vulnerability was fixed in the March 2023 Android Security Bulletin. In-the-wild exploitation was identified by multiple security firms, including Lookout and ESET, that analyzed Pinduoduo app binaries distributed through channels other than Google Play. Those builds contained code that exploited CVE-2023-20963 and other Android vulnerabilities to gain persistent elevated access on user devices, exfiltrate data, and install additional components without the user's knowledge.
Exploitation Context
The Pinduoduo case is one of the rare instances of a major commercial app distributed via official channels being found to contain malicious functionality. The Play Store version of Pinduoduo was not confirmed to contain the exploit code, but versions distributed through third-party channels in China (where Google Play is unavailable) did. Google suspended Pinduoduo's Play Store listing on March 21, 2023 pending investigation. Multiple security researchers, including those at Lookout, confirmed that the non-Play versions of the app exploited CVE-2023-20963 to gain persistent elevated access on user devices.
The CVE also fits the pattern of Android Framework vulnerabilities used by mobile threat actors to bypass Android's permission model, a necessary step for mobile surveillance tools that need access to protected resources such as location history, microphone, contacts and SMS without the user granting the corresponding permissions.
Remediation
- Apply the March 2023 Android Security Patch Level — update affected Android devices through the device manufacturer's OTA update mechanism.
- Check that your device's security patch level is 2023-03-01 or later — verify in Settings → About Phone → Android Security Patch Level.
- Install apps only from Google Play or trusted enterprise app stores — apps distributed outside Play may use vulnerabilities like CVE-2023-20963 to gain unauthorized access.
- Enable Google Play Protect — scans for malicious apps and behavioral indicators of post-exploit activity.
- Contact your device manufacturer if your device hasn't received March 2023 patches — some older Android devices may not receive security updates and should be considered for replacement.
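The patch-level check above, carried out over a device inventory as an added example (not part of the original page). The two system properties it reads, `ro.build.version.release` and `ro.build.version.security_patch`, are the ones `adb shell getprop` reports on a real device; the inventory tuples below are constructed, the serials are not real devices, and the function names are my own. Note that a 12L device reports its release as `12`, which is why both strings are in the affected set.

```python
import re
from datetime import date

# Releases listed as affected in the March 2023 bulletin, and the fixing level.
AFFECTED_RELEASES = {"11", "12", "12L", "13"}
FIXED_PATCH_LEVEL = date(2023, 3, 1)

_PATCH_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def parse_patch_level(value):
    """Parse ro.build.version.security_patch (YYYY-MM-DD). Returns None when the
    property is empty or malformed, e.g. on builds that never set it."""
    m = _PATCH_RE.match(value.strip())
    if not m:
        return None
    try:
        return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:
        return None


def classify(release, patch_level):
    """'patched', 'needs_patch' or 'unlisted_release'. An unparseable patch level
    on an affected release is reported as needs_patch (fail closed); releases the
    bulletin does not list are reported separately for manual review."""
    if release.strip() not in AFFECTED_RELEASES:
        return "unlisted_release"
    parsed = parse_patch_level(patch_level)
    if parsed is None or parsed < FIXED_PATCH_LEVEL:
        return "needs_patch"
    return "patched"


def triage(inventory):
    """inventory: iterable of (serial, release, patch_level) tuples as read with
    `adb -s SERIAL shell getprop ro.build.version.release` and
    `adb -s SERIAL shell getprop ro.build.version.security_patch`.
    Returns a dict mapping each bucket to the serials that fall into it."""
    out = {"patched": [], "needs_patch": [], "unlisted_release": []}
    for serial, release, patch in inventory:
        out[classify(release, patch)].append(serial)
    return out


# Constructed sample inventory (not real devices or serials).
SAMPLE_INVENTORY = [
    ("emulator-5554", "13", "2023-03-05"),
    ("R58M12ABCDE", "12", "2023-02-01"),
    ("ZY22AAAAAA", "11", ""),
    ("old-device", "10", "2022-08-05"),
]

if __name__ == "__main__":
    for bucket, serials in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {serials}")
```

Devices in `needs_patch` should be updated through the manufacturer's OTA channel; devices in `unlisted_release` are outside the bulletin's stated scope for this CVE but, if they run an out-of-support release, deserve the same replacement review the last bullet describes.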
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-20963 |
| Vendor / Product | Android — Framework |
| NVD Published | 2023-03-24 |
| NVD Last Modified | 2025-10-23 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-295 |
| CISA KEV Added | 2023-04-13 |
| CISA KEV Deadline | 2023-05-04 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2023-03-06 | Android Security Bulletin for March 2023 published — CVE-2023-20963 patched |
| 2023-03-21 | Google suspends Pinduoduo from the Google Play Store after security researchers identify malicious versions of the app exploiting Android vulnerabilities including CVE-2023-20963 to gain persistent elevated access |
| 2023-03-24 | CVE-2023-20963 formally published |
| 2023-04-13 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2023-05-04 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Android Security Bulletin — March 2023 | Vendor Advisory |
| NVD — CVE-2023-20963 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |