CVE-2019-15337

Vulnerability

The Lava Z81 device (build fingerprint LAVA/Z81/Z81:8.1.0/O11019/1532317309:user/release-keys) includes a pre-installed app with package name com.android.lava.powersave, version v4.0.31 (versionCode=400). This app exposes an exported interface that allows any other application co-located on the device to programmatically disable or enable Wi-Fi without requiring the android.permission.CHANGE_WIFI_STATE permission. [1]

Exploitation

An attacker only needs to have any app installed on the same device. No special privileges or user interaction are required. The attacker’s app can simply invoke the exported interface of the com.android.lava.powersave app to toggle the Wi-Fi state on or off.

Impact

A malicious or otherwise untrusted app can disable or enable Wi-Fi without the user's knowledge or consent. This could be used to disrupt network connectivity, deny service, or prepare the device for further attacks that depend on the Wi-Fi state.

Mitigation

As of the publication date (2019-11-14), no official patch has been disclosed in the available references. Users may consider uninstalling or disabling the com.android.lava.powersave app if possible, or switching to a custom ROM that removes this pre-installed app. The vulnerability is not known to be listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.