CVE-2019-15339

Vulnerability

The Lava Z60s Android device (build fingerprint LAVA/Z60s/Z60s:8.1.0/O11019/1530331229:user/release-keys) ships with a pre-installed package named com.android.lava.powersave (versionCode=400, versionName=v4.0.27). This app exposes an exported interface that allows any other application residing on the same device to programmatically disable or enable Wi-Fi without requiring the corresponding android.permission.CHANGE_WIFI_STATE permission [1].

Exploitation

An attacker needs only the ability to install a malicious app on the device (or a co-located app with code execution). The attacker can invoke the exported interface exposed by the com.android.lava.powersave app to toggle the Wi-Fi state without any additional permissions or user interaction [1].

Impact

A successful exploit allows a malicious app to arbitrarily disable or enable the device's Wi-Fi. This can be used to force the device onto cellular data (increasing data usage or potential for eavesdropping) or to disrupt connectivity. The attacker gains no other privileges on the device, but the behavior violates Android's permission model and can be leveraged in combination with other attacks.

Mitigation

As of the latest available reference [1], no official fix or updated version has been disclosed for this issue. Users should uninstall or disable the com.android.lava.powersave app if possible, or restrict installations to trusted sources. The device may be at end-of-life (EOL). This vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.