CVE-2019-15335

Vulnerability

The Lava Z92 Android device (build fingerprint LAVA/Z92/Z92:8.1.0/O11019/1535088037:user/release-keys) ships with a pre-installed app identified by package name com.android.lava.powersave (versionCode=400, versionName=v4.0.27). This app exposes an exported interface that allows any other application co-located on the device to programmatically disable or enable Wi-Fi connectivity [1]. No special permissions are required to invoke this interface; the default Android permission model for Wi-Fi control is bypassed.

Exploitation

An attacker needs only to install a malicious or vulnerable app on the same device, or have an existing app that can reach the exported component. The malicious app can call the exported interface of com.android.lava.powersave without needing the CHANGE_WIFI_STATE or similar permission. No additional privileges, user interaction, or network access are required beyond the ability to execute code on the device.

Impact

A co-located app can arbitrarily toggle the device's Wi-Fi state. Disabling Wi-Fi could force the device onto cellular data (increasing costs or exposing the user to less secure networks), while enabling Wi-Fi could cause the device to connect to malicious or untrusted wireless networks. This represents a violation of the Android permission model and can degrade network security and user privacy.

Mitigation

Lava has not released a public patch for this vulnerability as of the publication date of 2019-11-14. The only mitigation is to remove or disable the offending app com.android.lava.powersave if the device allows it (e.g., via adb uninstall for technical users). Users should also avoid installing untrusted applications that could exploit this interface [1].