CVE-2019-15369

Vulnerability

The Lava Z61 Turbo Android device (build fingerprint LAVA/Z61_Turbo/Z61_Turbo:8.1.0/O11019/1536917928:user/release-keys) ships with a pre-installed app identified by package name com.mediatek.wfo.impl (versionCode=27, versionName=8.1.0). This app exposes an exported interface that permits any other application co-located on the same device to modify a system property without proper authorization checks [1]. No special permissions are required to invoke the interface, making the property writable by apps with no initial privileges.

Exploitation

An attacker requires only the ability to install a malicious or otherwise untrusted app on the device (for example, through social engineering or a drive-by download). Once the rogue app is installed, it can call the exported interface of com.mediatek.wfo.impl without any additional user interaction or authentication. The app can then modify a system property, which may alter device behavior or security settings. The attack does not require root access or physical possession of the device.

Impact

Successful exploitation grants the attacker the ability to change a system property, potentially leading to modification of security-critical device configurations. Depending on the property targeted, this could result in denial of service, elevation of privilege, or circumvention of security controls. The impact is limited to the scope of properties accessible through the interface but can have systemic effects on device operation.

Mitigation

As of the publication date (2019-11-14), no official patch or fixed version has been announced for the Lava Z61 Turbo. Users are advised to exercise caution when installing third-party applications and to monitor for firmware updates from Lava. The device may be at end-of-life status, and no workaround is available. The vulnerability has not been listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.