CVE-2019-15374

Vulnerability

The Lava Iris 88 Lite Android device (build fingerprint LAVA/iris88_lite/iris88_lite:8.1.0/O11019/1536323070:user/release-keys) includes a pre-installed application with package name com.mediatek.wfo.impl (versionCode=27, versionName=8.1.0). This app exposes an interface that allows any other application co-located on the device to modify a system property, without requiring proper authorization. The vulnerability exists because the exported component does not enforce any permission checks.

Exploitation

To exploit this vulnerability, an attacker needs only the ability to run a malicious app on the same device (i.e., no special privileges or network position). The malicious app can invoke the exported interface of com.mediatek.wfo.impl to arbitrarily change system properties. The attack requires no user interaction beyond installing the malicious app.

Impact

A successful attack allows the malicious application to alter system properties, which can lead to privilege escalation. Depending on the property modified, the attacker may be able to change device behavior or security settings, potentially gaining elevated access or causing persistent compromise [1]. The exact CIA outcome may vary but the core impact is unauthorized modification of system-level settings.

Mitigation

As of the publication date (2019-11-14), no official patch or firmware update has been announced for the Lava Iris 88 Lite [1]. Users are advised to limit app installations to trusted sources and consider enabling Google Play Protect. If the device is no longer supported, replacing the device may be the only reliable mitigation.