Skip to main content

Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

  1. Blog
  2. Article

Olli Ries
on 15 October 2015

Update on Ubuntu Phone security issue


A security vulnerability has been discovered on the Ubuntu Phone. We take security very seriously, and want to provide clear information as to what happened; and what steps have been taken to rectify the issue and protect against future similar incidents.

At this point, we believe that the core issue has been addressed. An app which exploited the issue has been removed; the 15 people who installed that app have been contacted; and a fix for all Ubuntu Phone users will be released shortly. Users of Ubuntu on the desktop, server, cloud and snappy Ubuntu Core devices are not affected.

Summary

At 2015 Oct 14 22:50 UTC  a member of the Ubuntu App Developer Community published a post about an app named “test.mmrow” in the Ubuntu Phone’s Software Store that exploited a previously unknown bug in the application installation system. Upon clicking the “Tap me” button in the app, a script was created that modified the boot splash screen, and gave the intruder root access. This could happen only on Ubuntu Phones; users of Ubuntu on the desktop, server, cloud and snappy Ubuntu Core devices are not affected.

Canonical engineers started investigating and taking preventative actions shortly after. Specifically, a root cause analysis was started to understand the exploit, and by 2015 Oct 15 00:50 UTC uploads and downloads from the store were temporarily disabled while the team addressed the issue. A fix was issued for the core issue was available by 2015 Oct 15 04:23 UTC, all the apps in the store have been scanned  to ensure that no other apps exploited the same security hole. The store has been re-enabled. Additionally, a full update is being prepared for all Ubuntu Phone users to address the underlying issue.

Users that have downloaded and installed the “test.mmrow” app and triggered a “Tap me!” button could  have been affected. A total of 15 users, two of which are Canonical employees involved in the early investigation stages, downloaded the “test.mmrow” app from the store. These 15 users have been alerted via email that the “test.mmrow” app may be malicious and they were advised to uninstall the app immediately.  We continue to follow up individually with those individuals to ensure their phones are protected.

Analysis

The app used flaws in the click installation code to generate unconfined security policy for the app on end user devices. The offending app was then able to create a shell script that has the ability to elevate its privileges to the root user and extract a tar file that contains images that are flashed when the phone is rebooted into recovery mode.

The Ubuntu App Store uses automated review tools to determine if apps are safe for automatic upload. If apps attempt to use a non-standard confinement template, they are marked for manual review. The offending app was constructed in a way that made it look like it used a standard confinement template, but it specified an unconfined template in the alternate directory, and it passed the automated review checks.

The exploit used should have been detected in two places. The click app review tools should detect that the click app includes files that are only meant to be generated as part of the click app installation process. In addition, the click program should have ignored those files, even if present during installation.   Both of these have now been addressed and updates will be pushed to all Ubuntu phone devices soon.

Canonical will provide further information on this issue as and when it is available.

Related posts


Canonical
2 December 2024

Canonical announces public beta of optimized Ubuntu image for Qualcomm IoT platforms

Canonical announcements Article

Today Canonical, the publisher of Ubuntu, and Qualcomm® Technologies announce the official beta launch of the very first optimized image of  Ubuntu for Qualcomm® IoT Platforms. Through this beta program, developers will be able to download and use Ubuntu 22.04 LTS for the Qualcomm® RB3 Gen 2 Vision kit, which runs on the Qualcomm® QCS6490 ...


Massimiliano Gori
27 November 2024

Entra ID authentication on Ubuntu at scale with Landscape

Ubuntu Article

Authd allows Entra ID authentication on both Ubuntu Desktop and Server. Learn how to configure Authd at scale using Landscape and Cloud-init ...


sergiodj
18 November 2024

Profile-guided optimization: A case study

Ubuntu Article

Software developers spend a huge amount of effort working on optimization – extracting more speed and better performance from their algorithms and programs. This work usually involves a lot of time-consuming manual investigation, making automatic performance optimization a hot topic in the world of software development. Profile-guided opt ...