Ever since news broke out that Huawei’s latest flagship smartphone would not be allowed to ship with Google services due to the U.S. trade ban (source: Reuters), people were curious about the impact to sales, and how the Chinese tech giant will react.

After the unveiling event, media got their hands on the “forbidden fruit”, and numerous reviews flood the Internet. It doesn’t take long before someone found a way to install Google Services on their units (source: 9to5Google), and apparently even Google Pay works. All you need to do is to download and install an APK from https://www.lzplay.net/, follow the instructions in the app, and things are all set.

This sounds too good to be true, doesn’t it?

For those who are familiar with Chinese Android devices, sideloading GMS (Google Mobile Service) is nothing foreign. It is very common for Chinese OEMs to release “GMS Installers” so people who travel abroad can install GMS manually.

Well, everything seems nice and cool; this “LZPlay” app is just yet another GMS installer, why are you writing this article?

The way most “GMS Installers” work is that they automatically install a suite of Google APKs. In fact, users can simply just download these APKs individually and sideload them themselves. No magic occurs here. However, this only works if the device is already using a Google licensed system image.

On Android, system apps and user installed apps are treated differently, with the former given additional permissions. Some GMS packages have to be installed as system apps because they require privileged permissions to function properly. As Google services are not accessible within mainland China, most Android devices do not ship with full GMS, but in many cases, OEMs will include GMS “stubs” in the system.

Android allows system apps to be upgraded by the user, either via Play Store or manual sideloads, as long as the update is signed with the same key as the original one in the system. The signature verification is important, as this prevents attackers from distributing malicious updates. The aforementioned GMS “stubs” are mere placeholders in the system and provide no functionality other than paving the way to be “activated”. These stubs are signed by Google for it to be compatible with actual GMS APKs.