CVE-2019-15334

Vulnerability

The Lava Iris 88 Go Android device (build fingerprint LAVA/iris88_go/iris88_go:8.1.0/O11019/1538188945:user/release-keys) ships with a pre-installed application identified by package name com.android.lava.powersave (versionCode=400, versionName=v4.0.27). This app exposes an exported interface that allows any co-located application to programmatically disable or enable Wi-Fi without requiring the corresponding android.permission.CHANGE_WIFI_STATE permission [1].

Exploitation

An attacker needs only the ability to install and execute a third-party app on the same device. No additional permissions, user interaction, or special network position is required. The malicious app can invoke the exported interface of the com.android.lava.powersave app to toggle the Wi-Fi state at will [1].

Impact

A successful exploit enables an unprivileged app to control the device's Wi-Fi connectivity. This can be used to disrupt network access, force the device onto cellular data (potentially incurring costs), or create conditions for other attacks (e.g., man-in-the-middle by disabling Wi-Fi when the user expects it to be active). The attacker gains no code execution or data access directly, but the ability to manipulate Wi-Fi state violates the Android permission model and can degrade user experience and security [1].

Mitigation

As of the publication date (2019-11-14), no official fix or updated firmware has been announced by Lava for the Iris 88 Go. Users are advised to uninstall or disable the com.android.lava.powersave app if possible, or to avoid installing untrusted applications that could exploit this interface. The device may be end-of-life; no patch is available in the referenced sources [1].