CVE CyberSecurity Database News

CVE-2022-44553 - How a Vulnerability in Huawei’s HiView Module Lets Third-Party Android Apps Run Without Permission

Poster -

---

Intro

The Android ecosystem is no stranger to security bugs, but sometimes a flaw in a system app can introduce unexpected risks. One such case is CVE-2022-44553. This vulnerability, found in the HiView module on some Huawei devices, allows third-party apps to start themselves up repeatedly—even if you never granted them permission.

If you own a Huawei phone, use third-party apps, or just want to understand how Android vulnerabilities work, this post breaks down:

What Is the HiView Module?

Huawei’s HiView is a system module that acts like a middleman between the Android system and certain services or apps. It helps manage notifications, recommendations, and improvements based on collected user data. Essentially, it's deep in the system and trusted by Android permissions.

The Vulnerability: No Filter for Third-Party Apps

Here’s the crux: HiView does not filter out third-party apps when invoking the system provider. That means, during certain internal operations (called “traversals”), HiView is supposed to interact only with legit, system-trusted apps. But with this vulnerability, any app—whether from the Play Store or a random APK—can sneak into this process.

As a result, any third-party app can get started up again and again, even possibly after you’ve closed it.

The attacker installs a malicious app on your Huawei device.

2. HiView, during its regular operations (like scans or recommendations), makes calls that are supposed to only involve system providers.
3. Because of CVE-2022-44553, it does not check if the app being called is a legitimate system provider.
4. The attacker’s app gets started by HiView’s privileged code—even if the user tries to kill the app or restrict background process.

This is made possible due to insufficient checks in HiView’s source code. Here’s a rough code sketch (simplified for clarity):

// Dangerous traversal - not filtering third-party packages
for (String provider : systemProviders) {
    context.startService(new Intent().setComponent(new ComponentName(provider, "SomeService")));
}
// "systemProviders" should be system apps only, but is unfiltered!

A safer design would filter out any package not signed with the system’s release key

for (String provider : systemProviders) {
    if (isSystemApp(provider)) {
        context.startService(new Intent().setComponent(new ComponentName(provider, "SomeService")));
    }
}

And isSystemApp() would check

private boolean isSystemApp(String packageName) {
    PackageManager pm = context.getPackageManager();
    try {
        ApplicationInfo info = pm.getApplicationInfo(packageName, );
        return (info.flags & ApplicationInfo.FLAG_SYSTEM) != ;
    } catch (PackageManager.NameNotFoundException e) {
        return false;
    }
}

Malicious app gets installed by the victim

2. The app registers a provider/service HiView might invoke

Sample PoC behavior (pseudocode)

// Inside malicious app's manifest
<service android:name=".StealthService"
    android:exported="true">
    <intent-filter>
        <action android:name="com.huawei.hiview.SERVICE_REQUEST" />
    </intent-filter>
</service>

// Attack code: logs every time it's started via HiView
public class StealthService extends Service {
    public int onStartCommand(Intent intent, int flags, int startId) {
        Log.d("StealthService", "Triggered: " + System.currentTimeMillis());
        // Perform malicious activity here
        return START_STICKY;
    }
}

Impact: No user interaction required; HiView wakes up the malicious code regularly through its own system privileges.

Resource drain: Increased battery or CPU usage without visible reason.

- Bypassing user controls: User attempts to “force stop” or restrict background activity might prove ineffective.

Official Disclosure & References

- Huawei Security Advisory: CVE-2022-44553 details (Huawei)
- NIST NVD Summary: CVE-2022-44553
- SecurityLab Article: Link to third-party write-up

Monitor battery and app usage: An app misbehaving could be exploiting this bug.

- Limit background activity: While the vulnerability interferes with this, it can still help with apps that *aren’t* involved.


### What Can Developers/Security Pros Do?

- Test for uncontrolled background start: On unpatched Huawei firmware, test if your or third-party apps get started up unexpectedly.
- Contact users about patches: If you build security apps, warn users with Huawei devices to upgrade.

Conclusion

CVE-2022-44553 might seem technical, but it boils down to this: An oversight in filtering lets bad apps run repeatedly, against user wishes, on Huawei devices. If you’re on the security, development, or even user side, keep your device up to date and be cautious about anything you install. Vendors have fixed this issue with patches—so don’t delay those system updates!

Stay safe. Always update, always verify!

If you want more technical details, check the sources above or reach out in the comments.

Timeline

Published on: 11/09/2022 21:15:00 UTC
Last modified on: 11/14/2022 19:13:00 UTC