CVE-2019-15358

Vulnerability

The Dexp Z250 Android device (build fingerprint DEXP/Z250/Z250:8.1.0/O11019/1531130719:user/release-keys) includes a pre-installed app with package name com.mediatek.wfo.impl (versionCode=27, versionName=8.1.0). This app exposes an interface that allows any other app installed on the same device to modify a system property without proper authorization. The vulnerability exists because the exported interface does not enforce permissions or user interaction [1].

Exploitation

An attacker needs only to have any app co-located on the device; no special permissions or user interaction are required. The attacker's app can invoke the exported interface of com.mediatek.wfo.impl to modify a targeted system property, as the interface is accessible without any authorization check [1].

Impact

Successful exploitation allows the attacker's app to alter a system property, which could lead to changes in device behavior or security posture. This could potentially enable further attacks, such as privilege escalation or bypassing security controls, depending on the specific property modified [1].

Mitigation

As of the publication date (2019-11-14), no official patch or workaround has been publicly disclosed. Users are advised to remove or disable the app if possible, or to minimize installation of untrusted applications. The device may no longer receive security updates [1].