This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy

Security Advisory - App Validity Check Bypass Vulnerability in Huawei P7 Smartphone

  • SA No:Huawei-SA-20141120-01-Smartphone
  • Initial Release Date: Nov 20, 2014
  • Last Release Date: Nov 24, 2015

The PackageInstaller module on Huawei smartphone P7 has a vulnerability in validity check of third-party apps. Attackers can configure some specific information in the malware packages so that smartphones consider that the package is downloaded from whitelisted websites. As a result, the malware can bypass the validity check. (Vulnerability ID: HWPSIRT-2014-0892)

This Vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2014-9135.

Huawei has released software updates to fix these vulnerabilities. This advisory is available at the following link:

http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-397472.htm

Product name

Affected Version

Resolved Product and Version

P7-L10

V100R001C00B122 and earlier versions

V100R001C00B136

No warning or message is displayed during the installation of some malware apps.

The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).

Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Temporal Score: 6.2 (E:F/RL:O/RC:C)

1. Prerequisite:

Attackers must trick users into installing the malware provided by the attackers.

2. Attacking procedure:

Attackers can manipulate the mark to allow malware to look like an app downloaded from a trusted website to bypass the validity check.

Customers should contact Huawei TAC (Huawei Technical Assistance Center) to request the upgrades. For TAC contact information, please refer to Huawei worldwide website at http://www.huawei.com/en/security/psirt/report-vulnerabilities/index.htm.


This vulnerability was found by Information Security Lab of National Tsing Hua University. Huawei PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

Huawei express our appreciation for the Information Security Lab of National Tsing Hua University’s concerns on Huawei products. 

For security problems about Huawei products and solutions, please contactPSIRT@huawei.com.

For general problems about Huawei products and solutions, please directly contact Huawei TAC (Huawei Technical Assistance Center) to request the configuration or technical assistance.


2015-11-24 V1.4 FINAL

2015-11-20 V1.3 UPDATED updated information of researcher

2015-11-13 V1.2 UPDATED updated information of researcher

2014-11-29 V1.1 UPDATED Added the CVE ID

2014-11-20 V1.0 INITIAL

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.


Complete information for providing feedback on security vulnerability of Huawei products, getting support for Huawei security incident response services, and obtaining Huawei security vulnerability information, is available on Huawei's worldwide website at http://www.huawei.com/en/security/psirt/.