AFWall+ erases dmesg log data every second (possible malware)

I’m a sysadmin and security investigator who was brought a misbehaving phone under the belief that it had been infected by some kind of stealthy malware. It turns out it was AFWall+ as listed in F-Droid.

AFWall+ clears the contents of the Linux kernel ring buffer/dmesg every one second. The code is literally “while true; do dmesg -c ; sleep 1 ; done”. This is apparently done as part of its log collection mechanism.

That has to violate some kind of policy against harming the rest of the system.


This is either some incredible negligence or malice given the number of alternatives to collect log data. Either way, this bug was reported, with a solution, over a year ago and the authors can’t be bothered to respond. Pulling the app from F-droid might get their attention.

Thanks.

Just double-checked: the log service of AFWall+ is disabled by default. So this affects only a few users.

Seems they’ve fixed it in their beta branch https://github.com/ukanth/afwall/commit/f12771fe02eff2bac0edc6fa27a3fad988f347e8#diff-36a1a0a7e0cdbea04431ef006c107b1aL228


The clearing loop is down below in a different file according to that diff.
