termux-app
[NOTICE] 2022-02-15 Termux Apps Vulnerability Disclosures
This is a vulnerability report for termux-app, termux-tasker and termux-widget being released on 2022-02-15. Users are advised to immediately update to Termux v0.118.0, Termux:Tasker v0.5 and Termux:Widget v0.13.0 if they are using any older version.
All private files like security keys for ssh or encryption keys should be assumed to be compromised for users who were using termux app version <= v0.117. It is highly advisable to replace any such keys with new ones and look into any suspicious authorized access on any remote servers being connected to from termux.
People who are still using the Google Playstore version are advised to immediately shift to F-Droid or Github releases since updates will not be released on Google Playstore any time soon, if ever, due to Android 10 issues. Playstore builds were deprecated more than ~150 days ago and are no longer supported. Check https://github.com/termux/termux-app#installation for more info on where to install/update the Termux app.
https://termux.github.io/general/2022/02/15/termux-apps-vulnerability-disclosures.html
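The notice above tells affected users to rotate the keys that lived in Termux and to look for suspicious authorized access on the servers they connected to. The script below is an added example, not code from the Termux project or the notice: given the fingerprints of the public keys you had in Termux, it scans an `authorized_keys` file and reports the lines that still grant those keys access, so you can remove them after generating replacements. The key blobs and the `authorized_keys` contents are constructed placeholders, not real key material; the fingerprint format matches what `ssh-keygen -lf` prints.

```python
import base64
import hashlib
import struct

# Prefixes of key-type tokens in authorized_keys; anything before them is an options field.
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")


def ssh_fingerprint(blob):
    """SHA256 fingerprint of a public-key blob, in the `ssh-keygen -lf` format (no '=' padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (line_no, key_type, blob, comment) for each key line.
    Blank lines, '#' comments and leading options such as from="..." or no-pty are skipped."""
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for idx, field in enumerate(fields):
            if field.startswith(KEY_TYPES) and idx + 1 < len(fields):
                try:
                    blob = base64.b64decode(fields[idx + 1], validate=True)
                except ValueError:
                    break  # malformed key field; not a usable key
                yield line_no, field, blob, " ".join(fields[idx + 2:])
                break


def find_compromised(authorized_keys_text, compromised_fingerprints):
    """Return [(line_no, fingerprint, comment)] for every key whose fingerprint is on the list."""
    wanted = set(compromised_fingerprints)
    hits = []
    for line_no, _, blob, comment in parse_authorized_keys(authorized_keys_text):
        fp = ssh_fingerprint(blob)
        if fp in wanted:
            hits.append((line_no, fp, comment))
    return hits


def ed25519_blob(raw32):
    """Wire-format ssh-ed25519 public key: string "ssh-ed25519" followed by string(32-byte key)."""
    def sshstr(b):
        return struct.pack(">I", len(b)) + b
    return sshstr(b"ssh-ed25519") + sshstr(raw32)


# Constructed sample keys: 32 placeholder bytes each, not real key material.
OLD_TERMUX_KEY = ed25519_blob(b"\x01" * 32)   # stands in for the key that lived in Termux <= 0.117
OTHER_KEY = ed25519_blob(b"\x02" * 32)        # an unrelated key that should stay

# Constructed sample authorized_keys, including an options field before the key type.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    'no-pty,from="203.0.113.0/24" ssh-ed25519 '
    + base64.b64encode(OLD_TERMUX_KEY).decode() + " user@termux",
    "ssh-ed25519 " + base64.b64encode(OTHER_KEY).decode() + " user@laptop",
])


if __name__ == "__main__":
    compromised = [ssh_fingerprint(OLD_TERMUX_KEY)]
    for line_no, fp, comment in find_compromised(SAMPLE_AUTHORIZED_KEYS, compromised):
        print(f"line {line_no}: {fp} {comment}  <- remove and replace")
```

On a real server, read `~/.ssh/authorized_keys` (and any `AuthorizedKeysFile` paths from `sshd_config`) instead of the constructed sample, and take the fingerprints to search for from `ssh-keygen -lf` run against the public keys that were in Termux. Removing the key is only half of the advice in the notice: auth logs on the server still need to be checked for logins that used it.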
I'm using 0.119.1 🤣🤣
I'm using 0.119.1
v0.119 was never released. The build floating around the Internet with such a version is a fake app.
The official distribution sources are:
- F-Droid: https://f-droid.org/packages/com.termux/
- Our GitHub: https://github.com/termux/termux-app/releases
Termux is open source. Everyone can make and publish their own Termux apps with different features, which can potentially include malicious functionality. We can't control usage of the words "Termux" and "official", so everyone can claim that their app is "official Termux" while really it is nothing more than a fake release.
We are not responsible for, and do not support, derivatives made by other users. Therefore we require everyone to use our F-Droid or GitHub builds, unless users know what they are doing and the possible consequences.
Actually, I don't know whether I have a fake Termux or a real one. I downloaded Termux from the Termux App Release, which was 100 MB or more, 6 to 8 months ago. I updated the F-Droid version, which at that time was 0.118, installed some packages and updated Termux with apt update && apt upgrade.
After some time I checked and it had turned into 0.119.1. Actually, I suddenly noticed my Termux keys turned red when I turned it on, so I checked my Termux application version and found it was 0.119.1, so I don't know whether it's a fake or a real Termux application.
@agnostic-apollo @sylirre
The application version can't change on its own.
v0.119.1 was never released, and the older version 0.119.0 was never released either. You probably accidentally installed something unknown such as https://apkcombo.com/termux/com.termux/old-versions/0.119.1/.
As of now, the latest Git (bleeding-edge) version is 0.118: https://github.com/termux/termux-app/blob/eef5ac43a72f6391a5360a7c1f123e97dee85182/app/build.gradle#L44-L45. The version information is hardcoded into the APK file, which is signed and becomes read-only after installation.
Again, never ever download Termux outside of F-Droid or our (!!!) GitHub page.
Some of fake Termux apps:
- https://termux.ru.uptodown.com/android/download
- https://5mod.ru/programmy/instrumenty/21510-termux-01191-mod-polnaja-versija.html
- https://www.playmods.net/apps/termux/com.termux
- https://appsgag.com/en/termux/details
- https://www.apktoy.com/termux/com.termux
- https://apkcombo.com/termux/com.termux/old-versions/0.119.1/
The list is not complete and shows that lots of third party application stores are not trustworthy.
Note: by "fake" Termux I mean the real Termux app that was compiled (modified + compiled) by an unknown person.
One more thing: they used our test/debug signature key for making the fake release. I've compared the certificate fingerprint with ours and it is basically the same:
~/Download/D $ tail -n 3 com.termux-0.119.1-free/apktool.yml
versionInfo:
versionCode: '119'
versionName: 0.119.1
~/Download/D $ openssl pkcs7 -print_certs -inform der -outform pem -out cert.pem -in com.termux-0.119.1-free/original/META-INF/CERT.RSA
~/Download/D $ openssl x509 -fingerprint -in cert.pem -noout
SHA1 Fingerprint=51:79:55:EA:BF:69:FC:05:7C:41:C7:D3:79:DB:BC:EF:20:AD:85:F2
~/Download/D $
~/Download/D $ keytool -list -v -storepass xrj45yWGLbsO7W0v -keystore ~/Development/Termux/termux-app/app/testkey_untrusted.jks |& grep SHA1:
SHA1: 51:79:55:EA:BF:69:FC:05:7C:41:C7:D3:79:DB:BC:EF:20:AD:85:F2
As we publish our test key for use by contributors, everyone can use it for making builds compatible at the signature level with our debug builds. So basically you can install a fake Termux app over the real one as a version upgrade. This security issue is mentioned in the project README and we advise extra caution for users who use Termux from GitHub.
https://github.com/termux/termux-app#github:
Security warning: APK files on GitHub are signed with a test key that has been shared with the community. This IS NOT an official developer key and everyone can use it to generate releases for their own testing. Be very careful when using Termux GitHub builds obtained anywhere except https://github.com/termux/termux-app. Everyone is able to use it to forge a malicious Termux update installable over the GitHub build. Think twice about installing Termux builds distributed via Telegram or other social media. If your device gets caught by malware, we will not be able to help you.
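The check the maintainer ran above (extract the certificate from META-INF/CERT.RSA, hash it, compare with the fingerprint of testkey_untrusted.jks) can be scripted so it runs offline against any APK before installing it. The script below is an added example, not code from the Termux project: it reads the v1 (JAR) signature entries of an APK, walks the PKCS#7 SignedData DER to the embedded certificates, prints their SHA-1 and SHA-256 fingerprints in the same colon-separated form openssl and keytool use, and compares the SHA-1 with the test-key fingerprint quoted in the thread. The placeholder certificate and the minimal zip are constructed so the code runs without a real APK; they are not real certificates or real Termux builds. The point the reply makes is preserved in the verdicts: a match with the test key only means "anyone could have signed this", not "official".

```python
import hashlib
import io
import zipfile

# SHA-1 certificate fingerprint of the shared Termux test key as printed in the thread
# (testkey_untrusted.jks). A match means "signed with the public test key", NOT "official".
TERMUX_TESTKEY_SHA1 = "51:79:55:EA:BF:69:FC:05:7C:41:C7:D3:79:DB:BC:EF:20:AD:85:F2"

OID_SIGNED_DATA = bytes.fromhex("2A864886F70D010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2A864886F70D010701")         # 1.2.840.113549.1.7.1


def _der(tag, content):
    """Minimal DER encoder: tag byte + definite length + content (used for the sample data)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _der_children(data, start, end):
    """Yield (tag, tlv_start, content_start, tlv_end) for each DER TLV in data[start:end]."""
    pos = start
    while pos < end:
        tag = data[pos]
        i = pos + 1
        length = data[i]
        i += 1
        if length == 0x80:
            raise ValueError("indefinite-length BER is not supported")
        if length & 0x80:
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, pos, i, i + length
        pos = i + length


def certs_from_pkcs7(der):
    """Return the DER certificates inside a PKCS#7 SignedData blob (META-INF/*.RSA).
    Path: ContentInfo SEQ -> [0] EXPLICIT -> SignedData SEQ -> certificates [0] IMPLICIT."""
    top = list(_der_children(der, 0, len(der)))
    if len(top) != 1 or top[0][0] != 0x30:
        raise ValueError("not a PKCS#7 ContentInfo")
    _, _, cs, ce = top[0]
    explicit = [c for c in _der_children(der, cs, ce) if c[0] == 0xA0]
    if not explicit:
        raise ValueError("ContentInfo carries no [0] content")
    signed_data = next(c for c in _der_children(der, explicit[0][2], explicit[0][3]) if c[0] == 0x30)
    cert_set = [c for c in _der_children(der, signed_data[2], signed_data[3]) if c[0] == 0xA0]
    if not cert_set:
        return []
    return [der[s:e] for tag, s, _, e in _der_children(der, cert_set[0][2], cert_set[0][3]) if tag == 0x30]


def fingerprint(cert_der, algo="sha1"):
    """Colon-separated uppercase hash of the DER certificate, as openssl x509 and keytool print it."""
    h = hashlib.new(algo, cert_der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def classify_apk(apk_bytes):
    """Inspect the v1 (JAR) signature entries of an APK. Returns (verdict, [(entry, sha1, sha256)])."""
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".EC")):
                for cert in certs_from_pkcs7(z.read(name)):
                    found.append((name, fingerprint(cert, "sha1"), fingerprint(cert, "sha256")))
    if not found:
        return "no-v1-signature", found   # v2/v3-only APK: use `apksigner verify --print-certs`
    if any(sha1 == TERMUX_TESTKEY_SHA1 for _, sha1, _ in found):
        return "shared-testkey", found    # anyone can produce this; the download source decides
    return "other-key", found


# --- constructed sample data: not a real certificate and not a real Termux APK ---

def build_pkcs7(certs):
    """Wrap DER certificates in a minimal SignedData ContentInfo, the shape of META-INF/CERT.RSA."""
    signed_data = _der(0x30,
                       _der(0x02, b"\x01")                 # version
                       + _der(0x31, b"")                   # digestAlgorithms (empty in the sample)
                       + _der(0x30, _der(0x06, OID_DATA))  # encapContentInfo
                       + _der(0xA0, b"".join(certs))       # certificates [0] IMPLICIT
                       + _der(0x31, b""))                  # signerInfos (empty in the sample)
    return _der(0x30, _der(0x06, OID_SIGNED_DATA) + _der(0xA0, signed_data))


# Placeholder "certificate": a bare DER SEQUENCE, only there to exercise the parser.
SAMPLE_CERT = _der(0x30, _der(0x02, b"\x01") + _der(0x0C, b"constructed placeholder"))


def build_sample_apk(cert_der=None):
    """Minimal zip in APK layout; with cert_der=None it carries no v1 signature at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"placeholder, not a real manifest")
        if cert_der is not None:
            z.writestr("META-INF/CERT.RSA", build_pkcs7([cert_der]))
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk(SAMPLE_CERT)
    verdict, entries = classify_apk(data)
    print(verdict)
    for entry, sha1, sha256 in entries:
        print(f"{entry}\n  SHA1   {sha1}\n  SHA256 {sha256}")
```

Run it as `python check_apk.py com.termux.apk`. It only reads the v1 JAR signature, which is what the maintainer inspected; APKs that carry only a v2/v3 signature in the APK Signing Block come back as `no-v1-signature`, and for those `apksigner verify --print-certs` is the tool to use. Either way the fingerprint alone cannot prove a build is official: the F-Droid build is signed with F-Droid's key, and anything matching the test key must be judged by where it was downloaded from.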
I don't know what's wrong with it. Btw, can we change the version of Termux?