CVE-2019-15336

Vulnerability

The Lava Z61 Turbo device (build fingerprint LAVA/Z61_Turbo/Z61_Turbo:8.1.0/O11019/1536917928:user/release-keys) ships with a pre-installed application com.android.lava.powersave (versionCode=400, versionName=v4.0.31). This app exposes an exported interface that allows any third-party application co-located on the device to programmatically disable or enable Wi-Fi functionality without requiring the corresponding android.permission.CHANGE_WIFI_STATE permission [1].

Exploitation

An attacker needs only to have an app installed on the same device; no special privileges, user interaction, or network position is required beyond sideloading or downloading a malicious application. The malicious app invokes the exported interface of the com.android.lava.powersave component, sending an intent to toggle the Wi-Fi state. The system processes the request without enforcing the standard permission check [1].

Impact

A malicious application can arbitrarily disable or enable the device's Wi-Fi connection. This can disrupt network access, potentially preventing the user from receiving updates or security patches, or facilitating a denial-of-service condition. The attacker does not gain elevated privileges, but the action can impact device connectivity and user experience [1].

Mitigation

As of the publication date (2019-11-14), no official patch or fixed version has been announced. Users may consider disabling or uninstalling the com.android.lava.powersave app if possible, or using a third-party firewall to block unauthorized access to the exported component. The device may be at end-of-life; users should evaluate replacing the device if security updates are no longer provided [1].