CVE-2019-15386

Vulnerability

The Lava Z60s Android device (build fingerprint LAVA/Z60s/Z60s:8.1.0/O11019/1530331229:user/release-keys) contains a pre-installed app with package name com.mediatek.wfo.impl (versionCode=27, versionName=8.1.0). This app exposes an exported interface that allows any app co-located on the device to modify a system property without authorization [1].

Exploitation

An attacker requires only an app installed on the same device (co-located) — no special permissions or user interaction beyond normal app installation. By invoking the exported interface of the com.mediatek.wfo.impl app, the attacker can modify system properties, likely through Android's Binder or broadcast mechanisms [1].

Impact

Successful exploitation allows an attacker to change system-wide properties on the device, potentially leading to privilege escalation, denial of service, or other adverse effects depending on the property modified. The exact impact is constrained by the system property being changed, but could affect device behavior or security posture [1].

Mitigation

As of the publication date (2019-11-14), no official patch or fixed version had been announced. Users should uninstall or disable the com.mediatek.wfo.impl app if possible, or apply any vendor-provided firmware update that addresses the issue. The vulnerability is part of a larger set of pre-installed app issues identified by Kryptowire; a device-wide security update from Lava or MediaTek would be required [1].