CVE-2019-15473 : Security Advisory and Response

The Xiaomi Mi A2 Lite Android device is vulnerable to unauthorized microphone audio recording due to a specific software configuration that allows exploitation through a confused deputy attack.

Understanding CVE-2019-15473

What is CVE-2019-15473?

The vulnerability in the Xiaomi Mi A2 Lite Android device enables unauthorized access to record audio using the device's microphone through a specific pre-installed application.

The Impact of CVE-2019-15473

The exploit allows any application on the device to access the microphone and record audio without user consent, potentially compromising privacy and security.

Technical Details of CVE-2019-15473

Vulnerability Description

The vulnerability arises from the com.qualcomm.qti.callenhancement app, which permits unauthorized audio recording via a confused deputy attack.

Affected Systems and Versions

Device: Xiaomi Mi A2 Lite
Software Configuration: xiaomi/jasmine/jasmine_sprout:9/PKQ1.180904.001/V10.0.2.0.PDIMIFJ:user/release-keys
App Version: com.qualcomm.qti.callenhancement app (versionCode=28, versionName=9)

Exploitation Mechanism

The vulnerability allows any app installed on the device to exploit the com.qualcomm.qti.callenhancement app to record audio using the microphone.

Mitigation and Prevention

Immediate Steps to Take

Disable or uninstall the com.qualcomm.qti.callenhancement app if possible.
Regularly review and monitor app permissions on the device.

Long-Term Security Practices

Keep the device's software up to date to patch known vulnerabilities.
Avoid installing apps from untrusted sources to minimize security risks.
Use reputable security apps to scan for and detect potential threats.

Patching and Updates

Ensure the device receives security updates from the manufacturer to address and mitigate vulnerabilities like CVE-2019-15473.