Are Linux-based open source operating systems too rarely used to attract attacks from hackers? Conventional wisdom says yes, but Canonical's report this week of a security exploit against its new Ubuntu OS for phones suggests the mobile open source security scene may be more complicated.

Christopher Tozzi, Contributing Editor

October 19, 2015

Ubuntu Phone Faces First Security Attack against Open Source Mobile OS


Canonical reported on Oct. 15 that it had discovered a security vulnerability on Ubuntu Phone. This is the first such revelation since Ubuntu-based mobile devices hit the market in early 2015.

The vulnerability allowed attackers to gain root access to an Ubuntu-based phone’s operating system. The attack also modified the splash screen. It apparently exploited a previously unknown security flaw in the system that Ubuntu Phone uses to install applications.

The attack involved an application called test.mmrow, which was downloaded a grand total of 15 times, according to Canonical. That means it affected only a very small group of people. In addition, Canonical fixed the bug within hours of discovering it. So, as far as real-world security issues go, this one was not very serious.

What makes the bug notable, however, is that someone apparently took the time to write malicious code targeted at Ubuntu Phone even though presumably very few people are using Ubuntu Phone right now. Canonical has not released data on Ubuntu Phone adoption since the devices went on sale nearly a year ago, but there is no reason to believe that they represent more than an extremely small slice of the market as compared to Android- or iOS-based mobile devices.

Traditionally, Linux-based operating systems for the desktop haven’t suffered from many attacks. There have been some, yes, but because so few people use Linux for personal computing as compared to Windows or Mac OS X, there hasn’t been much motivation for hackers to write malicious code for Linux platforms.

Open source advocates also often contend that Linux has a better track record of security because open source code can be inspected by anyone to help find bugs before they’re exploited in the wild, and to make sure that what developers say about security features is actually true. Those advantages help, too.

In the case of the attack against Ubuntu Phone, neither of these traditional open source security bulwarks apparently worked. Neither the minuscule user base of Ubuntu Phone nor the open nature of the platform’s code prevented an attack.

This single case doesn’t mean large-scale attacks against open source mobile platforms are on the horizon. It may be a one-off phenomenon. Still, as something that diverges from the norm of open source security, it’s worth more than a passing glance.


About the Author(s)


Christopher Tozzi started covering the channel for The VAR Guy on a freelance basis in 2008, with an emphasis on open source, Linux, virtualization, SDN, containers, data storage and related topics. He also teaches history at a major university in Washington, D.C. He occasionally combines these interests by writing about the history of software. His book on this topic, “For Fun and Profit: A History of the Free and Open Source Software Revolution,” is forthcoming with MIT Press.
