CVE Identifier: CVE-2015-3854 Vulnerability Type: Battery permission leakage in Android Affected Version: Android 5.x Issue: A permission leakage exists in Android 5.x that allows a malicious application to acquire system-level protected permission of DEVICE_POWER and turn off battery save mode without the appropriate permission. Exploit: An attacker app without any permission can trigger the API call on behalf of SystemUI, thus stopping battery saver without user action and awareness by sending a broadcast with action "PNW.stopSaver". Fixed in: Android SDK for releases 5.1.1.r16 and later. Mitigation: Use a local broadcast mechanism or use permission to guide the dynamic receiver. References: - Initial report: 2015.5.6 - Android Security Team acknowledgment: 2015.5.8 - CVE Requested and Assigned: 2015.7.24 - Public Disclosure: 2016.5.26 - Official fix: https://android.googlesource.com/platform/frameworks/base/+/df9cfa7