Your submission was sent successfully! Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

Update on Ubuntu Phone security issue

Olli Ries

on 15 October 2015

Tags: Phone , Ubuntu

This article was last updated 8 years ago.


A security vulnerability has been discovered on the Ubuntu Phone. We take security very seriously, and want to provide clear information as to what happened; and what steps have been taken to rectify the issue and protect against future similar incidents.

At this point, we believe that the core issue has been addressed. An app which exploited the issue has been removed; the 15 people who installed that app have been contacted; and a fix for all Ubuntu Phone users will be released shortly. Users of Ubuntu on the desktop, server, cloud and snappy Ubuntu Core devices are not affected.

Summary

At 2015 Oct 14 22:50 UTC  a member of the Ubuntu App Developer Community published a post about an app named “test.mmrow” in the Ubuntu Phone’s Software Store that exploited a previously unknown bug in the application installation system. Upon clicking the “Tap me” button in the app, a script was created that modified the boot splash screen, and gave the intruder root access. This could happen only on Ubuntu Phones; users of Ubuntu on the desktop, server, cloud and snappy Ubuntu Core devices are not affected.

Canonical engineers started investigating and taking preventative actions shortly after. Specifically, a root cause analysis was started to understand the exploit, and by 2015 Oct 15 00:50 UTC uploads and downloads from the store were temporarily disabled while the team addressed the issue. A fix was issued for the core issue was available by 2015 Oct 15 04:23 UTC, all the apps in the store have been scanned  to ensure that no other apps exploited the same security hole. The store has been re-enabled. Additionally, a full update is being prepared for all Ubuntu Phone users to address the underlying issue.

Users that have downloaded and installed the “test.mmrow” app and triggered a “Tap me!” button could  have been affected. A total of 15 users, two of which are Canonical employees involved in the early investigation stages, downloaded the “test.mmrow” app from the store. These 15 users have been alerted via email that the “test.mmrow” app may be malicious and they were advised to uninstall the app immediately.  We continue to follow up individually with those individuals to ensure their phones are protected.

Analysis

The app used flaws in the click installation code to generate unconfined security policy for the app on end user devices. The offending app was then able to create a shell script that has the ability to elevate its privileges to the root user and extract a tar file that contains images that are flashed when the phone is rebooted into recovery mode.

The Ubuntu App Store uses automated review tools to determine if apps are safe for automatic upload. If apps attempt to use a non-standard confinement template, they are marked for manual review. The offending app was constructed in a way that made it look like it used a standard confinement template, but it specified an unconfined template in the alternate directory, and it passed the automated review checks.

The exploit used should have been detected in two places. The click app review tools should detect that the click app includes files that are only meant to be generated as part of the click app installation process. In addition, the click program should have ignored those files, even if present during installation.   Both of these have now been addressed and updates will be pushed to all Ubuntu phone devices soon.

Canonical will provide further information on this issue as and when it is available.

Talk to us today

Interested in running Ubuntu in your organisation?

Newsletter signup

Get the latest Ubuntu news and updates in your inbox.

By submitting this form, I confirm that I have read and agree to Canonical's Privacy Policy.

Related posts

Entra ID authentication on Ubuntu at scale with Landscape

Authd allows Entra ID authentication on both Ubuntu Desktop and Server. Learn how to configure Authd at scale using Landscape and Cloud-init

Profile-guided optimization: A case study

Software developers spend a huge amount of effort working on optimization – extracting more speed and better performance from their algorithms and programs....

Canonical at India Mobile Congress 2024 – a retrospective

With an ambition to become Asia’s technology hub for telecommunications in the 5G/6G era, India hosts the annual India Mobile Congress (IMC) in Pragati...