The Internet’s Horrifying Way to Get Google Apps on Huawei Phones

As you probably know, the Trump administration banned US companies from doing business with Huawei several months ago. Recently Huawei had a big smartphone launch , the Mate 30 Pro, the first Huawei phone to launch without Google apps, thanks to the export ban. The lack of Google apps is a serious black mark on the device, as it is now shipping without the Android app ecosystem and without killer Google apps like the Play Store, Gmail, Google Maps, YouTube, Chrome, Google Assistant, and more.

ARS TECHNICA

This story originally appeared on Ars Technica, a trusted source for technology news, tech policy analysis, reviews, and more. Ars is owned by WIRED's parent company, Condé Nast.The internet, as it is wont to do, has been coming up with workarounds to fix this problem to get Google apps on the Mate 30 Pro. The gray market distribution of Google apps is something the Android modding scene has down to a science, and it's fairly easy to get Google apps on things that don't normally come with Google apps, like Amazon Kindle Fire devices, custom ROMs based on the open source Android code (like LineageOS), and on imported devices meant for the Google-free Chinese market.
Unfortunately, none of these methods work on the Mate 30 Pro. They rely on either an unlocked bootloader, which allows users to flash Google apps to the normally read-only system partition, or on "stub apps" left in the system partition by the device manufacturer specifically for the Google apps, so sideloaded versions can get the system-level permissions they need to work. The Mate 30 doesn't allow for either method.With all the traditional techniques out the window, the internet's brand-new method for getting Google apps onto the Mate 30 is through a website called Lzplay.net. You can see news articles promoting this site from just about all the major Android news sites. I Googled "mate 30 pro install play store," and literally every result on the first page recommended Lzplay.net. It's easy to see why Lzplay is ubiquitous: Go to the website, install the app, mash "next" a few times, and boom, Google apps are on your Huawei device.

It seemingly installs six system apps in the blink of an eye with almost no user interaction. Even though the Google apps should not be able to get the system-level permissions they need to work, they somehow do, thanks to this app. It's like magic.

Lzplay is fast, it's easy, and as far as getting Google apps onto your Huawei device, it works. It's also the biggest Android modding security nightmare I have ever seen. And no, that's not hyperbole.

Protip: Don't Set a Random Chinese Website as the Remote Administrator of Your Smartphone

Lzplay.net plugs into Android's Mobile Device Management (MDM) API, which is meant for enterprise services like Android for Work, or your company's IT department. This is a remote management API that is meant to give your IT department full control over a company-issued device. The goal is to allow your IT department to have, basically, as much control over the device remotely as you have in front of it, allowing them to silently install and uninstall apps, change the lock screen password, remote-wipe the device, and do a million other things.

Watch any of the video guides after the app is downloaded and you'll see the "Activate device administrator?" screen popup, complete with a huge, scrolling list that spells out all the scary permissions. At this point you should really stop and think if granting these permissions to an unknown entity is a good idea. (It's totally not.)

This set of permissions, which used to be called "Device owner," should only ever be given to an entity you 100 percent trust: apps like Google's Android for Work, an app from your company's MDM provider for your company-issued phone, or maybe you have an Android-powered kiosk or IoT device that you personally want to manage remotely. Those options are fine. What's not fine is granting these permissions to a random website like Lzplay.net.