The termux on Google Playstore MAY be compromised!
UPDATE: What is going on is explained here, [ANNOUNCEMENT] Response Regarding Google PlayStore App Updates #4000. Simply put, this is a botched attempt to revive termux on Playstore. The “new” 0.122 now on Playstore is actually a mis-versioned regression from the current v0.118.0 on F-Droid. DO NOT update/install from Playstore, as the regression reintroduces several security bugs fixed in F-Droid’s v0.118.0. As part of straightening out the mess, apparently there will be an update Sometime Very Soon on F-Droid.
UPDATE 2 (2nd-July-2024): For at least a week, v0.118.1 is now on F-Droid, and solves the duelling repositories problem. A few other issues are also fixed. (There is also a v0.119-beta.)
What is going on with termux… F-Droid and Google Playstore are fighting, which is weird because termux, which is still listed at Playstore, is not updated there anymore.
I installed termux from Playstore soon after getting my FP3, then running whatever the first(?) FP3 Android version was (9 or 10, as I vaguely recall). The FP3 was not then and never has been rooted (that is, I never bothered to obtain superuser access). The FP3 is now running Android 13, and is fully up-to-date.
For years termux hasn’t auto-updated (as far as I can recall), but a few days ago, Playstore tried to auto-update termux… and failed (without, of course, hinting at any reason (fecking hide-everything Android!)). And continued to fail, even after rebooting the FP3.
Exasperated, I started looking into the matter, and found multiple warnings in the Review comments on Playstore that this latest termux is Very Suspicious. As one example of multiple Very Recent Reviews:
Kyle Bear (June 8, 2024):
DO NOT INSTALL THIS APP. The official statement from Termux years ago was that development of the play store version would be halted, and it certainly has been. You can install via F-Droid or GitHub releases using the APK file. There has not been a posted release on GitHub, so the Play Store version would not be the same project. Not sure how this was hijacked, but it was blocked in my auto update thankfully, due to me having a version of termux that was signed/released with a different key.
Hence, I uninstalled the termux I had installed (don’t recall the version), which shut Playstore up (no more pending/failed update). I then installed the latest termux (v0.118.0) from F-Droid. Except… Playstore is again insisting it wants to install termux, allegedly an “0.122”, except that is not listed at GitHub https://github.com/termux/termux-app/releases where v0.118.0 is the latest.
So it seems the Playstore version is bogus… “hijacked” as per above warning.
My concern is if I leave the presumed-genuine F-Droid version installed, then the suspicious Playstore version will (eventually) overwrite it. I am aware the signatures should be different, which I understand will prevent an update (this may be what caused the original failure?). However, I do not know how to verify the signatures really are different and/or the Playstore version won’t install.
I have disabled auto-update for the presumed-bogus termux from Playstore, but it’s still in the queue of pending Playstore auto-updates, which makes me very Very Nervous.
(1) Other than uninstalling termux again, how can I dequeue it?
(2) How can I safely(!) verify the Playstore version won’t overwrite the F-Droid version?
I have alerted Google the Playstore termux is Suspicious (but have not tried to contact the termux developers yet).
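One way to answer question (2) on a PC, as an added example that is not part of the original post or of the Termux project: Android only accepts an APK as an update of an installed package when the signing certificates match, so comparing the signer fingerprints of the APK pulled from the phone (e.g. with adb) against the F-Droid download tells you whether one could ever overwrite the other. The code assumes both APKs carry a v1 (JAR) signature under META-INF/; function names, the sample "certificate" bytes and the sample APKs are constructed.

```python
import hashlib
import io
import zipfile

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: low 7 bits = byte count of the length
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, pos, pos + length

def certs_from_pkcs7(der):
    """DER bytes of each certificate in a PKCS#7 SignedData blob (META-INF/*.RSA etc.)."""
    _, body, _ = _tlv(der, 0)                     # ContentInfo SEQUENCE
    _, _, end = _tlv(der, body)                   # contentType OID (signedData)
    _, ctx, _ = _tlv(der, end)                    # [0] EXPLICIT content
    _, end, _ = _tlv(der, ctx)                    # SignedData SEQUENCE
    for _ in range(3):                            # skip version, digestAlgorithms, encapContentInfo
        _, _, end = _tlv(der, end)
    certs, (tag, p, ce) = [], _tlv(der, end)      # [0] IMPLICIT certificates (optional)
    while tag == 0xA0 and p < ce:
        certs.append(der[p:_tlv(der, p)[2]])      # one whole Certificate, header included
        p += len(certs[-1])
    return certs

def apk_signer_fingerprints(apk_bytes):
    """SHA-256 cert fingerprints of the v1 signers (empty if the APK is v2/v3-signed only)."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in certs_from_pkcs7(z.read(name)):
                    fps.add(hashlib.sha256(cert).hexdigest())
    return fps

def same_signer(apk_a, apk_b):
    """True if the APKs share a signing cert (Android would accept one as an update of the other)."""
    a, b = apk_signer_fingerprints(apk_a), apk_signer_fingerprints(apk_b)
    if not a or not b:
        raise ValueError("no v1 signature found; use `apksigner verify --print-certs` instead")
    return bool(a & b)

def build_sample_apk(cert_der=None):
    """Constructed sample: zip whose META-INF/CERT.RSA wraps cert_der in a synthetic SignedData."""
    der = lambda tag, body: bytes([tag, len(body)]) + body   # short-form DER lengths only
    with zipfile.ZipFile((buf := io.BytesIO()), "w") as z:
        if cert_der is not None:                  # None = unsigned sample, to show the failure path
            sd = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01")) + der(0xA0, cert_der))
            z.writestr("META-INF/CERT.RSA", der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02") + der(0xA0, sd)))
    return buf.getvalue()
```

Run `same_signer(open("pulled.apk","rb").read(), open("fdroid.apk","rb").read())` on the two real files; a ValueError means the APK has no v1 signature and you should use apksigner from the Android SDK build-tools instead.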