I’m a sysadmin and security investigator who was brought a misbehaving phone under the belief that it had been infected by some kind of stealthy malware. It turns out it was AFWall+ as listed in F-Droid.
AFWall+ clears the contents of the Linux kernel ring buffer/dmesg every one second. The code is literally “while true; do dmesg -c ; sleep 1 ; done”. This is apparently done as part of its log collection mechanism.
That has to violate some kind of policy against harming the rest of the system.
opened 11:11PM - 30 May 18 UTC
closed 04:20PM - 06 Mar 21 UTC
Since most `dmesg` implementations don't offer a `--follow` you are currently repeatedly calling `dmesg -c` as a sort of workaround.
This obviously works, but has a few issues:
* every single second new `dmesg` and `sleep` processes are spawned
* if you want to use `dmesg` for debugging, you're kind of screwed since you'll find it to be empty
Obviously you'd only want it as an additional option, maybe not even the default:
* it's Linux 3.5+ [(doc)](https://github.com/torvalds/linux/blob/master/Documentation/ABI/testing/dev-kmsg#L3)
As a proof of concept that it, in fact, works:
```diff
diff --git a/aFWall/src/main/java/dev/ukanth/ufirewall/service/LogService.java b/aFWall/src/main/java/dev/ukanth/ufirewall/service/LogService.java
index 58ce0f83..ac054b91 100644
--- a/aFWall/src/main/java/dev/ukanth/ufirewall/service/LogService.java
+++ b/aFWall/src/main/java/dev/ukanth/ufirewall/service/LogService.java
@@ -221,17 +221,7 @@ public class LogService extends Service {
}
switch (G.logTarget()) {
case "LOG":
- switch (G.logDmsg()) {
- case "OS":
- logPath = "echo PID=$$ & while true; do dmesg -c ; sleep 1 ; done";
- break;
- case "BX":
- logPath = "echo PID=$$ & while true; do busybox dmesg -c ; sleep 1 ; done";
- break;
- default:
- logPath = "echo PID=$$ & while true; do dmesg -c ; sleep 1 ; done";
- }
-
+ logPath = "echo PID=$$; exec awk 'BEGIN {FS=\";\"} /^[^ ]/ {print \"[0.0]\", $2}' < /dev/kmsg";
break;
case "NFLOG":
logPath = Api.getNflogPath(getApplicationContext());
```
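Review bot: the new `logPath` line prints only `$2` after splitting on `";"`, which truncates any message that itself contains a semicolon; the dev-kmsg prefix ends at the first `";"`, so strip just that, e.g. `sub(/^[^;]*;/, "[0.0] "); print` or `print "[0.0]", substr($0, index($0, ";") + 1)`. The same line also drops the `G.logDmsg()` "OS"/"BX" switch that the removed lines had, so the user's system-vs-busybox preference is silently ignored and whichever `awk` is first on the su shell's PATH is used; keep the switch and pick `awk` or `busybox awk` from it. Two things worth a comment at the new line: the kernel escapes non-printable bytes in the message as `\xNN`, which this passes through undecoded, and the literal `[0.0]` discards the real timestamp that sits in the third comma-separated prefix field.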
this uses `awk` to transform the `/dev/kmsg` format to something similar to what `dmesg` uses by:
* ignoring lines starting with " " [(doc)](https://github.com/torvalds/linux/blob/master/Documentation/ABI/testing/dev-kmsg#L74)
* splitting on ";"
* appending the second field to "[0.0] " and printing it (the time is ignored anyways, I think)
This kind of works at first on my Nexus 5x, LineageOS 15.1-20180528, Linux 3.10.73-g92a0599 (the toasts do show up), but I have a problem where:
* when I close AFWall+, ~2 more processes are spawned (`ps -A | grep awk`)
* when I try to open it again, it sometimes crashes after using 100% CPU and showing a gray screen for a few seconds
* if it does open again, it spawns even more processes upon closing
* e: oops, sh doesn't do job management (added `exec` to diff, still happens, though)
One concern I have is that this would conflict with [`clearLog()`](https://github.com/ukanth/afwall/blob/b86695b570e155d162d0401476b38cef8c629193/aFWall/src/main/java/dev/ukanth/ufirewall/Api.java#L1252) but it doesn't seem to be used anywhere so I don't know what it's actually for.
Implementation-wise:
* using `awk` in this kind of way is kind of a hack and the alternative would be a lot more complicated, so I don't think I could do it since I know neither the codebase nor java
* if `/dev/kmsg` exists, it should probably work
* reading `/dev/kmsg` needs root on my Nexus 5x
* it's what the coreutils `dmesg` uses instead of the `syslog(3)` syscall (busybox uses that one)
* only the stuff after the ";" should be relevant for AFWall+
* it's guaranteed to block on reaching the end [(doc)](https://github.com/torvalds/linux/blob/master/Documentation/ABI/testing/dev-kmsg#L33)
* would you treat it as an additional option in 'Preferences > Log > Log fetch method' or as something separate?
* if you want to stick with this hack:
  * you could also use `sed -n 's_[^;]*;\(.*\)_[0.0] \1_p'` or maybe even `cut` somehow
  * you could still distinguish between system and busybox `awk`/`sed`
* if you don't, I guess you'd use `cat /dev/kmsg` in the su shell and process it in java
  * `cat` should be offered by the system, right?
* e2: killing and restarting it frequently would be suboptimal since it would start reading from the beginning every time and there's no easy way to `seek` [(doc)](https://github.com/torvalds/linux/blob/master/Documentation/ABI/testing/dev-kmsg#L50) in the shell
If you don't want to implement this, maybe you could answer some of those questions, so I could maybe still try it.
opened 04:05AM - 11 Jul 19 UTC
closed 07:07AM - 13 Mar 21 UTC
Bug
AFWall+ v3.1.0 on an old Samsung S5 Snapdragon (klte?) running Android 7.1/LineageOS 14 is erasing the dmesg kernel ring buffer every one second if the log service is enabled.
This is something malware does to hide itself. I spent hours tracking down which app on this device was malware.
Interestingly, I have this same version of AFWall+ installed on three other devices and they do not appear to be exhibiting this behavior. There may be something specific about the app configuration or a combination of other factors which induce this undesirable behavior.
It's also noteworthy that toggling off the "Turn on log service" checkbox in preferences on this device does not take effect until the next system boot. This toggle will immediately activate the bad behavior, but not disable it. I am also under the impression that killing the AFWall+ service and uninstalling it (along with every other 3rd party app on the system) won't stop it until a reboot either.
Unfortunately I don't have time to dig deeper into this right now. If/when I get time to do that I'll come back and update this bug with more information. I hope to be able to play around with it next week.
This is either some incredible negligence or malice given the number of alternatives to collect log data. Either way, this bug was reported, with a solution, over a year ago and the authors can’t be bothered to respond. Pulling the app from F-droid might get their attention.
Thanks.
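As an added example, not code from either issue or from AFWall+ itself: the shell-and-awk route discussed in the first issue, carried through so that it keeps the whole message (not just the second `;`-separated field), decodes the kernel's `\xNN` escapes, and skips records up to a remembered sequence number instead of seeking, which is the restart problem the e2 note raises. The `kmsg_to_dmesg` name and the `/dev/kmsg` records in `SAMPLE_KMSG` are constructed for the demonstration; on a device the input would come from `cat /dev/kmsg` in the su shell.

```shell
#!/bin/sh
# Added example (not AFWall+ code): turn /dev/kmsg records into dmesg-style
# lines without ever running `dmesg -c`, so the ring buffer is left intact.
#
# Record format (Documentation/ABI/testing/dev-kmsg):
#   <prio>,<seq>,<usec>,<flags>[,more fields];<message>
# followed by zero or more continuation lines that begin with a space
# (" KEY=VALUE"). The kernel escapes non-printable bytes and backslashes
# inside <message> as \xNN.

# Constructed sample of a /dev/kmsg read; not a capture from a real device.
# Record 1002 carries a ";" in its text, 1003 carries escaped bytes,
# 1004 has an extra prefix field after the flags (as newer kernels emit).
SAMPLE_KMSG='6,1001,12345678,-;Booting Linux on physical CPU 0x0
 SUBSYSTEM=cpu
6,1002,12350000,-;usb 1-1: Product: Widget; rev 2
 DEVICE=+usb:1-1
6,1003,12360000,c;tab\x09then\x5cbackslash
3,1004,12370000,-,caller=T123;another record'

# kmsg_to_dmesg [SINCE_SEQ]
# Reads /dev/kmsg-formatted records on stdin and prints one line per record:
#   <seq> [<sec>.<usec>] <message>
# Records whose sequence number is <= SINCE_SEQ (default 0) are skipped, so a
# restarted reader can resume by passing the last <seq> it saw instead of
# seeking, and old records are not replayed.
kmsg_to_dmesg() {
    awk -v since="${1:-0}" '
    BEGIN {
        # Lookup table for undoing \xNN escapes (bytes >= 0x80 depend on the
        # awk implementation and locale; \x00 is left as-is).
        for (i = 1; i < 256; i++) chr[sprintf("%02x", i)] = sprintf("%c", i)
    }
    # Continuation lines start with a space and carry metadata, not log text.
    /^ / { next }
    {
        semi = index($0, ";")
        if (semi == 0) next                   # no prefix separator: malformed
        prefix = substr($0, 1, semi - 1)
        msg = substr($0, semi + 1)            # everything after the FIRST ";"
        split(prefix, f, ",")                 # f[1]=prio f[2]=seq f[3]=usec f[4]=flags
        if (f[2] + 0 <= since + 0) next
        out = ""
        while ((p = index(msg, "\\x")) > 0) {
            hex = tolower(substr(msg, p + 2, 2))
            if (hex in chr) {
                out = out substr(msg, 1, p - 1) chr[hex]
                msg = substr(msg, p + 4)
            } else {                          # not a valid escape, keep literally
                out = out substr(msg, 1, p + 1)
                msg = substr(msg, p + 2)
            }
        }
        out = out msg
        printf "%s [%5d.%06d] %s\n", f[2], int(f[3] / 1000000), f[3] % 1000000, out
    }'
}

# Stand-alone demo on the constructed sample; on a device this would be
#   su -c "cat /dev/kmsg" | kmsg_to_dmesg "$last_seq"
# (cat blocks at the end of the buffer, so the pipeline is stopped by killing it).
printf '%s\n' "$SAMPLE_KMSG" | kmsg_to_dmesg
```

The first column is the record's sequence number; a caller that stores the last one it printed and passes it back in on restart resumes cleanly even though the shell cannot `seek` on `/dev/kmsg`. Nothing here clears the ring buffer, so `dmesg` stays usable for everyone else on the device. If the consumer needs each line promptly, add `fflush()` after the `printf`, since awk buffers output written to a pipe.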
uniqx
July 12, 2019, 11:36am
Just double-checked: the log service of AFWall+ is disabled by default. So this affects only a few users.
Seems they’ve fixed it in their beta branch LOS16: Better way to handle LogService · ukanth/afwall@f12771f · GitHub
The clearing loop is down below in a different file according to that diff.
system
Closed
September 12, 2019, 4:24am
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.