First Malicious App in Ubuntu Phone Store – Update
Someone managed to put an app in the Ubuntu Phone store that could customize the splash boot screen of a Meizu phone, something that shouldn’t be possible. Still, the app managed to get past the automatic testing system. The app has since been removed.
Softpedia writes this in response to a report from one of its readers. The application, called ‘test’, was able to change the splash boot screen, which it should not have been able to do. Whether the application did anything other than that is not yet clear. The developers of Ubuntu have since removed the application, and anyone who installed the potentially malicious program has received an email stating that the application ‘test’ built by ‘developer mmrow, version 0.1’ may be malicious. The application only works on devices that use an armhf processor.
The number of installs of the app is “just a handful” and the response from the Ubuntu team was quick. Community manager David Planella said in a response to Softpedia that after the analysis of the app, there are no other potentially malicious programs in the Ubuntu Store. An Ubuntu Phone user made a video of what happens when the app is installed.
Update 17:54: A comprehensive description of the core issue has been released by the Ubuntu developers. It turns out that, once activated, the ‘test’ app exploited a previously unknown bug in the application installer. After the user clicked the ‘Tap me’ button in the app, a script was launched that could modify the splash boot screen, giving the malicious app root access. The bug only exists on Ubuntu Phones. Desktop, server, cloud and snappy core devices are not affected.
Due to the bug, the Ubuntu Phone Store was temporarily closed on October 15 between 2:50 AM and 7:23 AM our time. In total, only fifteen users installed the app. The exploit used should have been detected in two different places during the automatic checking process. Both components will be updated soon, and the updates will be pushed to Ubuntu Phones via an OTA update. In principle, apps that do not meet certain requirements are not automatically allowed through. These are normally checked by humans first.