CVE-2019-15338

Vulnerability

The Lava Iris 88 Lite Android device (build fingerprint LAVA/iris88_lite/iris88_lite:8.1.0/O11019/1536323070:user/release-keys) includes a pre-installed package com.android.lava.powersave (versionCode=400, versionName=v4.0.27). This app exposes an exported interface that allows any other app co-located on the device to programmatically disable or enable Wi-Fi without holding the corresponding android.permission.CHANGE_WIFI_STATE permission [1].

Exploitation

An attacker needs only a malicious app installed on the same device (no special network position, authentication, or user interaction required). The malicious app can invoke the exported interface of com.android.lava.powersave to toggle Wi-Fi state arbitrarily, without the victim's awareness or consent [1].

Impact

The attacker can disable Wi-Fi to disrupt connectivity (e.g., force the device onto mobile data, potentially incurring data costs) or enable Wi-Fi to expose the device to nearby networks. This manipulation occurs at the system level, without the user's knowledge, and does not require any privileges beyond app installation [1].

Mitigation

No official fix is disclosed in the available references. Users should remove or disable the com.android.lava.powersave package if possible, or restrict which apps can interact with it via Android's permission controls. The vendor (Lava) has not published a patch or acknowledged the issue as of the publication date [1].