CVE-2019-15333

Vulnerability

The Lava Flair Z1 Android device (build fingerprint LAVA/Z1/Z1:8.1.0/O11019/1536680131:user/release-keys) includes a pre-installed app with package name com.android.lava.powersave (versionCode=400, versionName=v4.0.27). This app exposes an exported interface that allows any co-located app to programmatically disable or enable Wi-Fi without requiring the corresponding ACCESS_WIFI_STATE or CHANGE_WIFI_STATE permissions [1].

Exploitation

An attacker needs only to have any app installed on the device (no special permissions required). The malicious app can invoke the exported interface of the Power Save app to toggle Wi-Fi on or off. No user interaction or additional privileges are needed beyond app installation.

Impact

An attacker can disable Wi-Fi, potentially disrupting network connectivity and forcing the device onto cellular data, or enable Wi-Fi to connect to a malicious network. This could lead to denial of service or facilitate man-in-the-middle attacks if the device connects to an attacker-controlled Wi-Fi network. The attacker does not gain elevated privileges but can affect network state.

Mitigation

As of the publication date (2019-11-14), no official patch has been disclosed. Users should uninstall or disable the com.android.lava.powersave app if possible, or restrict its permissions. The device may be end-of-life; users are advised to consider replacing the device if no update is provided.