CVE-2019-15332

Vulnerability

The Lava Z61 Android device (build fingerprint LAVA/Z61_2GB/Z61_2GB:8.1.0/O11019/1533889281:user/release-keys) includes a pre-installed application with package name com.android.lava.powersave (versionCode=400, versionName=v4.0.27). This app exposes an exported interface that allows any co-located application to programmatically disable or enable Wi-Fi without requiring the corresponding android.permission.CHANGE_WIFI_STATE permission [1].

Exploitation

An attacker needs only to have any app installed on the same device that can invoke the exported interface of the com.android.lava.powersave app. No additional permissions or user interaction are required beyond app installation. The attacker's app can issue intents to the exported component, thereby toggling Wi-Fi state [1].

Impact

A malicious app can silently disable or enable the device's Wi-Fi connection. This could be used to disrupt network connectivity, potentially leading to denial of service, or to force the device onto a cellular network, increasing data usage or exposure to network-based attacks. The impact is limited to manipulation of Wi-Fi state; no further privilege escalation or data access is reported.

Mitigation

As of the available reference [1], no official fix or updated version has been disclosed for the com.android.lava.powersave app or the Lava Z61 firmware. Users are advised to uninstall or disable the com.android.lava.powersave app if possible, or to restrict its permissions via device settings. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.