The PackageInstaller module on Huawei smartphone P7 has a vulnerability in validity check of third-party apps. Attackers can configure some specific information in the malware packages so that smartphones consider that the package is downloaded from whitelisted websites. As a result, the malware can bypass the validity check. (Vulnerability ID: HWPSIRT-2014-0892)
This Vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2014-9135.
Huawei has released software updates to fix these vulnerabilities. This advisory is available at the following link:
Resolved Product and Version
V100R001C00B122 and earlier versions
No warning or message is displayed during the installation of some malware apps.
The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).
Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Temporal Score: 6.2 (E:F/RL:O/RC:C)
Attackers must trick users into installing the malware provided by the attackers.
2. Attacking procedure:
Attackers can manipulate the mark to allow malware to look like an app downloaded from a trusted website to bypass the validity check.
This vulnerability was found by Information Security Lab of National Tsing Hua University. Huawei PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
Huawei express our appreciation for the Information Security Lab of National Tsing Hua University’s concerns on Huawei products.
For security problems about Huawei products and solutions, please contactPSIRT@huawei.com.
For general problems about Huawei products and solutions, please directly contact Huawei TAC (Huawei Technical Assistance Center) to request the configuration or technical assistance.
2015-11-24 V1.4 FINAL
2015-11-20 V1.3 UPDATED updated information of researcher
2015-11-13 V1.2 UPDATED updated information of researcher
2014-11-29 V1.1 UPDATED Added the CVE ID
2014-11-20 V1.0 INITIAL