Drovorub malware threat detected

Is this a threat PureOS users should be worried about?
https://www.fbi.gov/news/pressrel/press-releases/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecurity-advisory

1 Like

As far as I can see, this toolset is only relevant if your system has already been compromised. So, primarily, you should be avoiding that!

Worried? Maybe not. Paying attention? Yes. Keeping your computers up-to-date? Yes.

The advisory suggests, for partial mitigation, ensuring you are at kernel 3.7 or later - but to be honest I don’t know how anyone could be running something that old?

1 Like

Lots of Android devices are still on 3.2… CentOS 7 is 3.10, so just barely new enough.

1 Like
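The kernel-version point above (and the CentOS 7 / Android examples that follow it) comes down to two things the advisory lists as partial mitigations: a kernel new enough to support module signature enforcement (3.7+), and that enforcement actually being switched on. The script below is an added example, not code from the advisory, Purism or PureOS; the config file location, the lockdown file and the sample version strings are assumptions. It checks a version string, a kernel config and the lockdown state, then reports on the live host.

```shell
#!/bin/sh
# Added example (not from the NSA/FBI advisory, Purism or PureOS).
# Two partial mitigations for a kernel-module rootkit such as Drovorub-kernel:
#   1. a kernel of 3.7 or later, where module signing exists at all;
#   2. the kernel actually refusing unsigned modules (MODULE_SIG_FORCE or lockdown).
# Paths and sample values are assumptions; adjust for your distribution.

# kernel_at_least MIN CURRENT: succeed if CURRENT (e.g. "3.10.0-1160.el7.x86_64")
# is at least MIN (e.g. "3.7"), comparing major.minor only.
kernel_at_least() {
    min_major=${1%%.*}
    case $1 in *.*) min_rest=${1#*.}; min_minor=${min_rest%%.*};; *) min_minor=0;; esac
    cur=${2%%-*}                      # drop the distro suffix after '-'
    cur_major=${cur%%.*}
    case $cur in *.*) cur_rest=${cur#*.}; cur_minor=${cur_rest%%.*};; *) cur_minor=0;; esac
    [ "$cur_major" -gt "$min_major" ] && return 0
    [ "$cur_major" -eq "$min_major" ] && [ "$cur_minor" -ge "$min_minor" ]
}

# module_sig_forced CONFIG: succeed if the kernel config enables module signing
# AND refuses to load unsigned modules (CONFIG_MODULE_SIG_FORCE=y). With
# CONFIG_MODULE_SIG=y alone an unsigned module still loads; the kernel only
# marks itself tainted, which a rootkit does not mind.
module_sig_forced() {
    grep -qx 'CONFIG_MODULE_SIG=y' "$1" 2>/dev/null &&
        grep -qx 'CONFIG_MODULE_SIG_FORCE=y' "$1" 2>/dev/null
}

# lockdown_mode FILE: print the active mode from /sys/kernel/security/lockdown,
# whose contents look like "none [integrity] confidentiality" (kernel 5.4+).
# In "integrity" or "confidentiality" mode unsigned modules are rejected even
# when the config above is not FORCE. Prints nothing if the file is absent.
lockdown_mode() {
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1" 2>/dev/null
}

# report_host: run the checks against the running kernel. Output only; this
# never makes the script exit non-zero.
report_host() {
    kver=$(uname -r)
    if kernel_at_least 3.7 "$kver"; then
        echo "kernel $kver: >= 3.7, module signing is available"
    else
        echo "kernel $kver: OLDER than 3.7, module signing not available"
    fi
    cfg=/boot/config-$kver            # assumed location (Debian/RHEL style)
    if module_sig_forced "$cfg"; then
        echo "$cfg: unsigned modules are refused (MODULE_SIG_FORCE=y)"
    else
        echo "$cfg: unsigned modules would load, or config not found"
    fi
    mode=$(lockdown_mode /sys/kernel/security/lockdown)
    echo "lockdown: ${mode:-not supported by this kernel}"
    if [ "$(cat /proc/sys/kernel/modules_disabled 2>/dev/null)" = 1 ]; then
        echo "modules_disabled=1: no further module loading until reboot"
    fi
}

report_host
```

Note that "kernel 3.7 or later" is necessary but not sufficient: CentOS 7's 3.10 kernel ships with CONFIG_MODULE_SIG=y, but enforcement depends on how the machine is booted (Secure Boot) and on the config actually carrying FORCE, which is exactly what the second and third checks look at.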

I had the same thought today when I noticed this article in German: https://www.golem.de/news/malware-fbi-und-nsa-warnen-vor-russischem-linux-rootkit-2008-150264.html

For what it’s worth, PureBoot would allow you to detect rootkits like this, along with any others that modify the kernel or initrd.

7 Likes
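To make the PureBoot point above concrete: PureBoot (Heads firmware) verifies the contents of /boot against a signed manifest of file hashes before it boots the kernel, so a swapped kernel, initrd or boot config fails verification. The script below is an added example, not Purism's or Heads' code, and keeps only the hash-manifest step so the idea can be tried on any directory; the directory and file names are assumptions. It catches both modified files and files that were added or removed.

```shell
#!/bin/sh
# Added example, not PureBoot/Heads code. PureBoot checks /boot against a
# GPG-signed manifest of hashes from firmware that was itself measured into
# the TPM; this strips that down to the manifest step. The directory, the
# manifest path and the demo file names are assumptions.

# make_manifest DIR MANIFEST: record a sha256 for every regular file under DIR.
# MANIFEST must be an absolute path outside DIR.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort ) > "$2"
}

# verify_manifest DIR MANIFEST: succeed only if every listed file still matches
# AND the set of files is unchanged. "sha256sum -c" alone only checks the files
# it was told about, so an added module or an extra boot entry would slip by;
# the second step compares the full file list too.
verify_manifest() {
    ( cd "$1" && sha256sum -c "$2" >/dev/null 2>&1 ) || return 1
    listed=$(cut -c67- "$2" | LC_ALL=C sort)        # 64 hex chars + 2 spaces
    present=$(cd "$1" && find . -type f | LC_ALL=C sort)
    [ "$listed" = "$present" ]
}

# demo: build a scratch "boot" directory, sign it, tamper, and show the result.
demo() {
    d=$(mktemp -d); m=$(mktemp)
    mkdir -p "$d/boot"
    printf 'fake kernel\n' > "$d/boot/vmlinuz"        # constructed sample files
    printf 'fake initrd\n' > "$d/boot/initrd.img"
    make_manifest "$d/boot" "$m"
    verify_manifest "$d/boot" "$m" && echo "clean boot dir: verified"
    printf 'tampered\n' >> "$d/boot/initrd.img"
    verify_manifest "$d/boot" "$m" || echo "modified initrd: verification FAILED"
    rm -rf "$d" "$m"
}

[ "${1:-}" = demo ] && demo
true
```

The caveat a practitioner will raise immediately: if the manifest lives on the same disk and is not signed, an attacker with root simply regenerates it after installing the rootkit. That is why PureBoot keeps the verification logic in firmware, requires a GPG signature from a key the user holds (on a Librem Key), and measures the firmware into the TPM so that firmware tampering is itself visible. Run this as `sh boot_check.sh demo` to see the tamper case.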

That raises a fair question: What is the target hardware?

From the detailed technical analysis, it is clear that the target hardware being analysed by the ??? agencies is x86, not ARM. On the one hand, it is likely that kernel modules are specific to the CPU architecture. On the other hand, it doesn’t mean that there isn’t a parallel toolset for ARM, disclosed or undisclosed, known or unknown.

I wouldn’t think android users should be concerned unless they’ve rooted their phone. Or did I not read carefully enough?

The fundamental problem with not having root access to your phone is that there is no guarantee that no one has root access to your phone. And note that the integrated broadband system can sideload a kernel-module rootkit, like Drovorub, without running anything on the main ARM cores, and with very little you can do to detect or thwart it.

1 Like

If by that you mean the cellular modem then it can do it OTA (Over The Air), to make this threat even worse and, yes, that would be well nigh undetectable. That’s probably what you are saying.

However there are things you can do to thwart it, and the L5 will be doing some of those.

1 Like

like isolating the black-box-modem from the main CPU/RAM ? :sweat_smile:

1 Like

I wouldn’t call that a “problem.” Else you could say that the fundamental problem with having root access to your phone is that it IS a guarantee that someone has root access to your phone.

If you have root access to your phone (and depending on the device, an unlocked bootloader), you can actually keep the kernel up to date, which means you can significantly reduce the number of outstanding CVEs which could be used by a rogue app to gain unauthorized root. Without full root access to your phone, you’re at the mercy of your phone OS provider to keep the kernel fully patched.

The cell phone vendors claim that they don’t let you have root access for security reasons, but that’s absurd on the face of it, for the above reason.

3 Likes

Yes, I mostly mean via OTA updates (but in theory, a cellular modem could look for attack payloads in the phone memory too). And yes, mitigating this attack vector is the primary benefit of the L5 and similar phones.

It’s a two-edged sword though.

If the normal user of the phone has sudo-like escalation rights, then that opens up attacks whereby compromise of the user extends to compromise of the phone. Even without sudo, the user may be successfully socially engineered.

So it comes down to

a) what is your threat model?
b) what is the least risk approach?

I am happy for the user to have the choice of having root access and for it to default to “no”.

One thing is certainly true … for Android phones where the propagation of fixes for even serious CVEs is at the mercy of a myriad of phone manufacturers … there must be a large number of unnecessarily vulnerable phones out there.

I don’t know that having root access is fixing the right problem in that scenario.

1 Like

If someone is vulnerable to social engineering attacks, they can give up their bank passwords, or otherwise have a very bad day, without root access.

Meanwhile, the inability to run standard Linux packages (a la apt-get install ...) means people have to pick which ad-ridden alternative to use from the app store, which probably increases the exposure to social engineering attacks.

I provide tech support for a fair number of tech-illiterate people. With the exception of my grandparents (who get “help” from whomever is around), they all have root access. It makes it very easy for me to say “install anything you want from the package manager, it’s safe”. Of course, that goes hand-in-hand with snapshotting and backups, so that I can repair things for them if they do manage to break their system, but so far that hasn’t ever been needed (the gentoo package manager is very good at not suggesting you uninstall bash or similar system packages when you ask to install something… unlike my experience with debian-based distros).

1 Like