Termux on Google Playstore is Very Suspicious (malicious recent update?)

:warning: The termux on Google Playstore MAY be compromised!
UPDATE: What is going on is explained here, [ANNOUNCEMENT] Response Regarding Google PlayStore App Updates #4000. Simply put, this is a botched attempt to revive termux on Playstore. The “new” 0.122 now on Playstore is actually a mis-versioned regression from the current v0.118.0 on F-Droid. DO NOT update/install from Playstore, as the regression reintroduces several security bugs fixed in F-Droid’s v0.118. As part of straightening out the mess, apparently there will be an update Sometime Very Soon on F-Droid.

What is going on with termux… F-Droid and Google Playstore are fighting, which is weird because termux, which is still listed at Playstore, is not updated there anymore.

I installed termux from Playstore soon after getting my FP3, then running whatever the first(?) FP3 Android version was (9 or 10, as I vaguely recall). The FP3 was not then and never has been rooted (that is, I never bothered to obtain superuser access). The FP3 is now running Android 13, and is fully up-to-date.

For years termux hasn’t auto-updated (as far as I can recall), but a few days ago, Playstore tried to auto-update termux… and failed (without, of course, hinting at any reason (fecking hide-everything Android!)). And continued to fail, even after rebooting the FP3.

Exasperated, I started looking into the matter, and found multiple warnings in the Review comments on Playstore that this latest termux is Very Suspicious. As one example of multiple Very Recent Reviews:

✗ Kyle Bear (June 8, 2024):
DO NOT INSTALL THIS APP. The official statement from Termux years ago was that development of the play store version would be halted, and it certainly has been. You can install via F-Droid or GitHub releases using the APK file. There has not been a posted release on GitHub, so the Play Store version would not be the same project. Not sure how this was hijacked, but it was blocked in my auto update thankfully, due to me having a version of termux that was signed/released with a different key.

Hence, I uninstalled the termux I had installed (don’t recall the version), which shut Playstore up (no more pending/failed update). I then installed the latest termux (v0.118.0) from F-Droid. Except… Playstore is again insisting it wants to install termux, allegedly an “0.122”, except that is not listed at GitHub https://github.com/termux/termux-app/releases where v0.118.0 is the latest.

So it seems the Playstore version is bogus… “hijacked” as per above warning.

My concern is if I leave the presumed-genuine F-Droid version installed, then the suspicious Playstore version will (eventually) overwrite it. I am aware the signatures should be different, which I understand will prevent an update (this may be what caused the original failure?). However, I do not know how to verify the signatures really are different and/or the Playstore version won’t install.

I have disabled auto-update for the presumed-bogus termux from Playstore, but it’s still in the queue of pending Playstore auto-updates, which makes me very Very Nervous.

(1) Other than un-installing termux again, How can I dequeue it?

(2) How can I safely(!) verify the Playstore version won’t overwrite the F-Droid version?

I have alerted Google the Playstore termux is Suspicious (but have not tried to contact the termux developers yet).

Long story short: As far as I know, this can’t happen because the keys of the app (playstore vs f-droid) cannot be the same. I am 90% sure about that.

Problem is, given the potential Risks of the suspicious Playstore “0.122” should it be installed, I am not of the mind that 90% certain is adequate. I used to work in Chip&Pin (Smartcard) security, and that seemingly-tiny 10% gap would probably be considered unacceptable (unless, simplified, both the cost-to-prevent and cost-to-exploit were very high). Here, I assume the cost-to-exploit is low (trick the user into installing it).

Whilst I was typing my initial question, an auto-update ran, updating several other apps. The suspicious termux was not updated (and also not marked as Failed-to-update), so I assume my precaution in disabling Playstore’s auto-update of termux worked.

(3) I have no idea what happens if I try a manual update.

(4) I also have no idea if the disabling of termux auto-updates is persistent (across reboots, as one of multiple examples).

The initial auto-update which started all this did Fail, repeatedly, which suggests the presumed-hijacker is using a different signature from the original Playstore developers. If so, then hopefully it is also a different signature from the genuine F-Droid, and Playstore (which knows the installed version is from F-Droid) still checks the signatures. (This does seem to happen in the opposite sense, F-Droid won’t overwrite a Playstore-installed app, presumably due to the signature checks.)
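Question (2) in the opening post and the signature reasoning just above both come down to one check: are the two APKs signed with the same certificate? As an added example (not from this thread or the Termux project), this POSIX shell script compares the signer digests that `apksigner verify --print-certs` reports for two APKs; the `adb`/`apksigner` workflow in the comments is an assumption about the reader's tooling, and the embedded sample reports and digests are constructed placeholders, not real Termux fingerprints.

```shell
#!/bin/sh
# Added example, not from the thread or the Termux project: compare the signing
# certificate of two Termux APKs, e.g. the F-Droid build that is installed and
# the build Google Play wants to push. Android only applies an update when the
# new APK is signed with the same certificate as the installed one, so a
# different digest means the Play build cannot replace the F-Droid one in place.
#
# Real workflow (assumes adb and the Android SDK build-tools on the PATH):
#   adb shell pm path com.termux                 # e.g. package:/data/app/.../base.apk
#   adb pull /data/app/.../base.apk installed.apk
#   apksigner verify --print-certs installed.apk > installed.txt
#   apksigner verify --print-certs play.apk      > play.txt   # APK saved from Play

# Print the SHA-256 digest of signer #1's certificate from an apksigner report.
cert_digest() {
    sed -n 's/^Signer #1 certificate SHA-256 digest: *//p' "$1" | tr -d '\r' | head -n 1
}

# Succeed (exit 0) when both reports show the same signing certificate, fail
# otherwise, including when either report has no digest line at all.
same_signer() {
    a=$(cert_digest "$1")
    b=$(cert_digest "$2")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" = "$b" ]
}

# Constructed sample reports in apksigner's output format; the digests are
# made-up placeholders, not the real Termux or Play Store fingerprints.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/installed.txt" <<'EOF'
Signer #1 certificate DN: CN=Termux (constructed)
Signer #1 certificate SHA-256 digest: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Signer #1 certificate SHA-1 digest: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
EOF
cat > "$SAMPLES/play.txt" <<'EOF'
Signer #1 certificate DN: CN=Termux (constructed)
Signer #1 certificate SHA-256 digest: bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
Signer #1 certificate SHA-1 digest: bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
EOF

if same_signer "$SAMPLES/installed.txt" "$SAMPLES/play.txt"; then
    echo "same signing certificate: an update would be accepted"
else
    echo "different signing certificate: Android will refuse the update"
fi
```

Run it against two real reports and a mismatch is the expected, reassuring outcome: the installed F-Droid build keeps its own key and the Play build cannot be installed over it.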

If you are not sure you can google it and ask an AI, to be “more” sure (EDIT for dummies: AIs can give wrong results, websites can have wrong information). I have experience with fdroid vs ignored playstore-updates. It won’t update the app automatically if ignored BUT if you do a manual update (of all apps, e.g.) it will ask if you also want to update “the ignored app termux” and you can decline. I was NEVER able to update ANY fdroid-app through playstore due to the key-mismatch.

Ignored apps remain ignored until the playstore’s data is cleared, that I know for sure.

I heard about a magisk module that can detach apps entirely from the playstore (in case you have magisk installed), can’t look it up rn but a quick websearch should bring you there.

Off-topic: Ask an AI, to be sure of anything? Sorry, but that’s just gross negligence.


I assume you use Aurora and not the official Play Store? I never see my F-Droid apps when updating Play Store apps, and I just manually update apps, so even if it would show up, I could just not update. In Aurora you can set a blacklist to exclude apps from updates; that's what I did.

All I wanted to say is, if one wants to be sure of anything, he has to do his own research or try it. Personally I always start with ChatGPT and double check with a web search.

I thought it is obvious that one would not take an AI statement or the information from any random search results on Google for granted. Imo this is common sense; that’s why I worded my answer this way. I updated my post nonetheless.


See below for some info by the guy (u/formwall) who fouled that up, copied 1:1 from reddit (r/tasker).

Hope it helps.

Information about the Termux build on Google Play

Information about the build of Termux on Google Play is now available at: Termux on Play Store · GitHub

It contains some background and current status - I’ll also hang around here to answer questions below!

Some quick points:

  • Users that currently use F-Droid should continue doing so, and a F-Droid update in a few days will make sure that Google Play does not prompt to update away from the F-Droid build.

  • Really sorry about not being better at communicating up-front and causing confusion.

  • If you as a user want to try it out, check the above link for current limitations & issues and report issues at Sign in to GitHub · GitHub, as the issues may very well be specific to the Google Play build.

  • If you as a developer want to help out you’re very welcome to do so - check out the above link as well.

  • Termux on Google Play is IMHO something to be excited about, as it allows a lot of people who don’t have access to Linux or any computer at all (and can’t install it from outside of Google Play due to having devices locked down by carriers or work) to use it for work and education.

  • Last but certainly not least: Termux has been maintained by an awesome collection of open source developers and community members over the years - please consider donating to Termux - Open Collective or show appreciation in any other way possible!


Ah, interesting! Thanks! NO, I do not, having never heard of Aurora before. An admittedly quick check with/at F-Droid makes Aurora look very Very Interesting… perhaps I shall give it a try.

But that does lead to a question (and YES I have searched): How, on FP3 Android 13, does one completely disable Google’s Playstore app from all app auto-updating? In some previous Android version(s?), it was possible to adjust the scheduled time for app auto-updates, which I now presume included “never”, but I’ve not been able to find that scheduling (or similar) functionality on FP3 Android 13. (I am presuming here I will leave Google’s Playstore app installed concurrently with Aurora, at least initially, but basically want Google’s app to go inert/benign, except perhaps for security scans, and hand the auto-updates completely over to Aurora.) What little I have found on this subject does not match FP3 Android 13 at all.

YES. As per my UPDATE to my original post, what happened is (as per https://github.com/termux/termux-app/discussions/4000):

a botched attempt to revive termux on Playstore. The “new” 0.122 now on Playstore is actually a mis-versioned regression from the current v0.118.0 on F-Droid. DO NOT update/install from Playstore, as the regression reintroduces several security bugs fixed in F-Droid’s v0.118.

The termux app is a really useful tool, at least for people comfortable with Linux, but is (as per warnings at F-Droid) somewhat out-of-date for modern Android (v11(?) or so, and later), and has apparently run afoul of Google’s Playstore policies.

Both u/formwall and the other termux developers are working to unconfuse the mess. Part of this will be an update on F-Droid soon.

It seems that whilst the “0.122” on Playstore is “compromised”, being a regression lacking several very important fixes in (F-Droid’s) v0.118.0, this situation is NEITHER a “hijack” NOR deliberately malicious.