CVE-2019-15362

Vulnerability

The Lava Iris 88 Go Android device (build fingerprint LAVA/iris88_go/iris88_go:8.1.0/O11019/1538188945:user/release-keys) includes a pre-installed app with package name com.mediatek.wfo.impl (versionCode=27, versionName=8.1.0). This app exposes an exported interface that allows any other app installed on the same device to modify a system property without proper authorization [1].

Exploitation

For exploitation, an attacker needs only to have any app co-located on the device. No additional permissions, user interaction, or special privileges are required. The malicious app can invoke the exported interface of the com.mediatek.wfo.impl app to modify a system property [1].

Impact

By modifying a system property, an attacker can alter device behavior or configuration, potentially leading to privilege escalation or persistent compromise. The exact impact depends on the specific property that can be modified, but it may allow elevation of privileges or bypass of security controls [1].

Mitigation

The vendor has not released a fix for this vulnerability. Users should consider replacing the device or removing the affected app if possible. This issue was disclosed in 2019 and is likely unpatched; the device may be end-of-life [1].