The Huawei Mate 30 was the most recent pride of the Chinese telecommunications giant, featuring a combination of amazing cameras, powerful hardware, and stunning design. Although the tensions with the United States weren’t laying a road of rose petals for the device, hopes were still pretty high for its market potential. The company had found a way to put Google Play on its newest lineup despite the commercial bans, and while the bootloader of the Mate 30 remained locked, everything seemed to be “ok”.
That is, until security researcher John Wu discovered a severe backdoor hiding inside the very app that was meant to help people download and install Google Services. Called “LZPlay”, the software must be downloaded by users and then run to download a suite of Google APKs and install them onto the Mate 30 device. However, there’s a catch. Such apps can only work with system images that are licensed by Google, and Huawei’s latest lineup doesn’t have that certification. This precaution is a matter of security: manual installations of Google apps can only take place if the packages pass signature verification; otherwise, people could push malware with updates.
Huawei solved this practical limitation by introducing its own set of APIs for mobile device management, which adds two new permissions compared to Google’s SDK. The first undocumented permission allows the installation of system apps, which is where LZPlay plugs in. The second undocumented permission concerns the installation of undetachable apps. This means that Huawei’s API comes with a backdoor that enables the flagging of “user apps” as “system apps”. The developer of LZPlay needed to send a request to Huawei in order to gain access to its SDK and obtain these special permissions and a signed key.
This is not an indication that Huawei has ill intentions toward its users, but the backdoor is under its full control, so the company is responsible for enabling any app to gain system-wide access. Something could easily go wrong with this process, and many people just wouldn’t be comfortable with Huawei holding the keys to their device (literally). Now, the APK of LZPlay has been removed, and its access to the hidden SDK functions has apparently been revoked. Multiple Mate 30 owners now report that Google flags their device as “compromised”, while the Play Services that they installed on their devices have been blocked.