Arbitrary Memory Read/Write Vulnerability Discovered and Patched in the Huawei Mate 9 and Mate 9 Pro
Security vulnerabilities are patched quite frequently in Android devices, though you won’t hear about most of them until the monthly security bulletins are out. Huawei, though, publishes security advisories for each flaw they discover and patch. The company just has disclosed one such vulnerability for the month of March, and we can see that it impacts both the Huawei Mate 9 as well as its more premium counterpart, the Huawei Mate 9 Pro.
The vulnerability allows an attacker to read and write memory data anywhere or execute arbitrary code in the TrustZone. The attack itself is only possible on a device where the attacker can obtain root access, so it is quite limited in scope (and hence rated as a Medium severity vulnerability). However, we know that rooting your phone is quite popular among our readers, so we thought sharing this vulnerability disclosure might be worth your time. Especially since the only modifications available for the Huawei Mate 9/9 Pro at this time revolve around the stock firmware, as there does not yet exist any AOSP-based custom ROM for these two devices.
This vulnerability was found in the hardware security module of the Huawei Mate 9 and the Huawei Mate 9 Pro, stemming from input parameters validation. This vulnerability was discovered by a Huawei internal tester, and the company immediately started working on a fix once they learned about it. Huawei advises that you do not install untrusted third-party applications while rooted since this is generally how an attacker disguises their payload.
If your Huawei Mate 9 or Mate 9 Pro is running B156 or older, then your device is vulnerable to this newly disclosed attack. All regional variants are vulnerable, but again you have nothing to worry about if your device is unrooted. Just to be safe, though, users are advised to update their devices as soon as an OTA update notification arrives as the latest firmware will patch this exploit.