Proving that the more complex the OS, the easier it is to hack, and that root really isn't required to attack a device, a malicious app bypassed Ubuntu Phone security checks to give the attacker full control over the phone.
Luckily, only 15 people are known to have downloaded the app, but one has to wonder: if Ubuntu Phone is already being targeted so successfully in its infancy, what does that bode when it's a juicier target?
An educated guess for the unreleased sales statistics can be found on Riccardo Padovani's blog.
(Score: 2) by jmorris on Tuesday October 20 2015, @05:53PM
App stores are childishly easy to put malware into, and an exploit isn't terribly hard to come up with on pretty much any platform these days, with agile programming all the rage.
It is only a matter of time until somebody invests the effort to worm their way into putting malware into an actual distribution repo. It will require some effort to do some patches or janitorial work first, and some cleverness to stick it into a package in a way it won't be noticed for long enough to do harm, but there really isn't a defense against it, so we should expect it. And expecting it, we should be discussing a defense. We aren't. Nobody ever really prepares for an attack vector that hasn't actually happened yet. Everybody talks a good game; nobody ever follows through.
(Score: 2) by frojack on Tuesday October 20 2015, @10:14PM
This attack vector (malware in a distro) has been used already. [zdnet.com]
Not only in distros but also in commonly used packages, not to mention the kernel itself [arstechnica.com].
The long-expected explanation of the kernel.org never really materialized as far as I can remember.
No, you are mistaken. I've always had this sig.
(Score: 2) by jmorris on Wednesday October 21 2015, @03:05AM
Not what I'm worried about. Hacking a server hosting a repo isn't nearly as dangerous as somebody with the rights to quietly commit a patchset. Packages are signed, so anything other than the machine that signs packages means any damage is going to be limited. I'd suspect the more important distros have protections against poisoning of the source trees by most of the crude smash-and-inject paths. Now imagine what damage could be done by a well-used package that adds evil bits with no smashed security to attract attention. Imagine an httpd that responds to a special query with the private ssh keys. A pam plugin that harvests passwords and makes the file available to the outside when given a crafted query. A kernel with a preinstalled cloaking rootkit that would even survive booting recovery media and verifying the packages against the official signatures.
Basically any package that has access to trusted info is an obvious candidate, but even unimportant ones run their install scripts as root, so an unimportant one that can be counted on to be installed on the chosen targets is almost as good, maybe better since it will attract fewer eyeballs. Do we really trust both the authors and package maintainers of every perl module? Every Apache add-on? How many packages are in Debian? Ubuntu Universe? Fedora? And cowsay installs as root. Yea, that is a problem. Sooner or later... BOOM!
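The point that even an unimportant package's install scripts run as root is something a defender can check before installing. What follows is an added example, not code from this thread or from dpkg: it parses the ar and tar layers of a .deb, extracts the preinst/postinst/prerm/postrm maintainer scripts, and flags constructed risk patterns (the RISKY table is an assumption to tune, and build_deb only fabricates a minimal in-memory package for testing).

```python
import io, re, tarfile
AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
# Constructed first-pass patterns; tune them for your own environment.
RISKY = {"network": re.compile(r"\b(curl|wget|nc|ncat)\b"),
         "ssh_keys": re.compile(r"\.ssh/|id_rsa|authorized_keys"),
         "pipe_to_shell": re.compile(r"\|\s*(ba)?sh\b")}

def ar_members(blob):
    """Yield (name, data) for each member of a classic ar archive (a .deb's outer layer)."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]                      # 60-byte fixed member header
        name = hdr[0:16].decode().strip().rstrip("/")
        size = int(hdr[48:58].decode())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)                 # members are padded to even offsets

def maintainer_scripts(deb):
    """Return {script_name: text} for the root-run maintainer scripts inside a .deb."""
    scripts = {}
    for name, data in ar_members(deb):
        if name.startswith("control.tar"):
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
                for m in tar.getmembers():
                    base = m.name.lstrip("./")
                    if m.isfile() and base in MAINTAINER_SCRIPTS:
                        scripts[base] = tar.extractfile(m).read().decode(errors="replace")
    return scripts

def triage(deb):
    """Map each maintainer script to the sorted list of risk categories it trips."""
    return {s: sorted(k for k, rx in RISKY.items() if rx.search(text))
            for s, text in maintainer_scripts(deb).items()}

def build_deb(scripts):
    """Build a minimal .deb in memory from {script_name: text} (constructed input, not a real package)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in scripts.items():
            info = tarfile.TarInfo("./" + name)
            info.size, info.mode = len(text.encode()), 0o755
            tar.addfile(info, io.BytesIO(text.encode()))
    out = AR_MAGIC
    for name, data in (("debian-binary", b"2.0\n"), ("control.tar.gz", buf.getvalue())):
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{0o100644:<8o}{len(data):<10}`\n".encode() + data
        out += b"\n" * (len(data) % 2)                # pad to an even boundary
    return out
```

Run triage() over a downloaded .deb (read as bytes) before dpkg -i; a non-empty list for any script is a reason to read that script by hand.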