Skip to main content

Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

  1. Blog
  2. Article

Olli Ries
on 15 October 2015

Update on Ubuntu Phone security issue


A security vulnerability has been discovered on the Ubuntu Phone. We take security very seriously, and want to provide clear information as to what happened; and what steps have been taken to rectify the issue and protect against future similar incidents.

At this point, we believe that the core issue has been addressed. An app which exploited the issue has been removed; the 15 people who installed that app have been contacted; and a fix for all Ubuntu Phone users will be released shortly. Users of Ubuntu on the desktop, server, cloud and snappy Ubuntu Core devices are not affected.

Summary

At 2015 Oct 14 22:50 UTC  a member of the Ubuntu App Developer Community published a post about an app named “test.mmrow” in the Ubuntu Phone’s Software Store that exploited a previously unknown bug in the application installation system. Upon clicking the “Tap me” button in the app, a script was created that modified the boot splash screen, and gave the intruder root access. This could happen only on Ubuntu Phones; users of Ubuntu on the desktop, server, cloud and snappy Ubuntu Core devices are not affected.

Canonical engineers started investigating and taking preventative actions shortly after. Specifically, a root cause analysis was started to understand the exploit, and by 2015 Oct 15 00:50 UTC uploads and downloads from the store were temporarily disabled while the team addressed the issue. A fix was issued for the core issue was available by 2015 Oct 15 04:23 UTC, all the apps in the store have been scanned  to ensure that no other apps exploited the same security hole. The store has been re-enabled. Additionally, a full update is being prepared for all Ubuntu Phone users to address the underlying issue.

Users that have downloaded and installed the “test.mmrow” app and triggered a “Tap me!” button could  have been affected. A total of 15 users, two of which are Canonical employees involved in the early investigation stages, downloaded the “test.mmrow” app from the store. These 15 users have been alerted via email that the “test.mmrow” app may be malicious and they were advised to uninstall the app immediately.  We continue to follow up individually with those individuals to ensure their phones are protected.

Analysis

The app used flaws in the click installation code to generate unconfined security policy for the app on end user devices. The offending app was then able to create a shell script that has the ability to elevate its privileges to the root user and extract a tar file that contains images that are flashed when the phone is rebooted into recovery mode.

The Ubuntu App Store uses automated review tools to determine if apps are safe for automatic upload. If apps attempt to use a non-standard confinement template, they are marked for manual review. The offending app was constructed in a way that made it look like it used a standard confinement template, but it specified an unconfined template in the alternate directory, and it passed the automated review checks.

The exploit used should have been detected in two places. The click app review tools should detect that the click app includes files that are only meant to be generated as part of the click app installation process. In addition, the click program should have ignored those files, even if present during installation.   Both of these have now been addressed and updates will be pushed to all Ubuntu phone devices soon.

Canonical will provide further information on this issue as and when it is available.

Related posts


Serdar Vural
28 October 2024

Canonical at India Mobile Congress 2024 – a retrospective

AI OpenStack

With an ambition to become Asia’s technology hub for telecommunications in the 5G/6G era, India hosts the annual India Mobile Congress (IMC) in Pragati Maidan, New Delhi. IMC is an annual trade exhibition for the telecommunication sector, bringing together operators, system integrators, as well as software and hardware vendors. It has now ...


Lech Sandecki
23 October 2024

6 facts for CentOS users who are holding on

Cloud and server Article

Considering migrating to Ubuntu from other Linux platforms, such as CentOS? Find six useful facts to get started! ...


Rhys Knipe
22 October 2024

What is Ubuntu used for?

Ubuntu Article

The launch of Ubuntu in 2004 was a step-change for everyday users and developers everywhere. Nicknamed “Ubuntu Linux” in its early days, to differentiate it from its various cousins in the Linux world, it has since lost the need for its surname and grown to become a powerful force. Besides being used by millions of ...