A security vulnerability has been discovered on the Ubuntu Phone. We take security very seriously, and want to provide clear information as to what happened; and what steps have been taken to rectify the issue and protect against future similar incidents.
At this point, we believe that the core issue has been addressed. An app which exploited the issue has been removed; the 15 people who installed that app have been contacted; and a fix for all Ubuntu Phone users will be released shortly. Users of Ubuntu on the desktop, server, cloud and snappy Ubuntu Core devices are not affected.
At 2015 Oct 14 22:50 UTC a member of the Ubuntu App Developer Community published a post about an app named “test.mmrow” in the Ubuntu Phone’s Software Store that exploited a previously unknown bug in the application installation system. Upon clicking the “Tap me” button in the app, a script was created that modified the boot splash screen, and gave the intruder root access. This could happen only on Ubuntu Phones; users of Ubuntu on the desktop, server, cloud and snappy Ubuntu Core devices are not affected.
Canonical engineers started investigating and taking preventative actions shortly after. Specifically, a root cause analysis was started to understand the exploit, and by 2015 Oct 15 00:50 UTC uploads and downloads from the store were temporarily disabled while the team addressed the issue. A fix was issued for the core issue was available by 2015 Oct 15 04:23 UTC, all the apps in the store have been scanned to ensure that no other apps exploited the same security hole. The store has been re-enabled. Additionally, a full update is being prepared for all Ubuntu Phone users to address the underlying issue.
Users that have downloaded and installed the “test.mmrow” app and triggered a “Tap me!” button could have been affected. A total of 15 users, two of which are Canonical employees involved in the early investigation stages, downloaded the “test.mmrow” app from the store. These 15 users have been alerted via email that the “test.mmrow” app may be malicious and they were advised to uninstall the app immediately. We continue to follow up individually with those individuals to ensure their phones are protected.
The app used flaws in the click installation code to generate unconfined security policy for the app on end user devices. The offending app was then able to create a shell script that has the ability to elevate its privileges to the root user and extract a tar file that contains images that are flashed when the phone is rebooted into recovery mode.
The Ubuntu App Store uses automated review tools to determine if apps are safe for automatic upload. If apps attempt to use a non-standard confinement template, they are marked for manual review. The offending app was constructed in a way that made it look like it used a standard confinement template, but it specified an unconfined template in the alternate directory, and it passed the automated review checks.
The exploit used should have been detected in two places. The click app review tools should detect that the click app includes files that are only meant to be generated as part of the click app installation process. In addition, the click program should have ignored those files, even if present during installation. Both of these have now been addressed and updates will be pushed to all Ubuntu phone devices soon.
Canonical will provide further information on this issue as and when it is available.