Malware Found In The Ubuntu Snap Store


Oh, snap! Just because some packages are available to install directly from the Ubuntu Software Center doesn't make them safe. This was proved by the recent discovery of malware in some snap packages from the Ubuntu Snaps Store.

At least two of the snap packages, 2048buntu and Hextris, uploaded to the Ubuntu Snaps Store by user Nicolas, contained malware. All packages by Nicolas have since been removed from the Ubuntu Snaps Store, "pending further investigations".

The report comes from a bug report stating that the 2048buntu snap package (and other packages by Nicolas) contains a hidden cryptocurrency miner.

The init script bundled with the snap package used the myfirstferrari@protonmail.com email address. I guess that's one way of getting a Ferrari... 🙂.


An interesting aspect is that Nicolas used a proprietary license for at least some of his snaps. For example, the 2048buntu snap was submitted as proprietary (the game itself was not developed by Nicolas). The game in question, 2048, uses an MIT license, which permits distributing it as proprietary software, without making the source code available, as long as the copyright notices are retained.

Side note: 2048buntu was removed from the Ubuntu Snap store, but you can still check out its page via Google Cache. The package contents, however, can no longer be inspected (unless it's on GitHub somewhere, but I couldn't find it).

How was this possible? Well, the Ubuntu Snap Store allows anyone to upload snap packages, unlike the (deb) packages available in the official Ubuntu repositories. The reason for this is to provide users with more easily installable packages.

What's your opinion regarding this? Do you think more and more malware will be getting through to users by allowing anyone to upload packages to the Ubuntu Store, or was this an isolated incident?

Update: Canonical React To Ubuntu Snap Store Cryptocurrency Mining Malware.

News via Reddit (u/Kron4ek).

15 comments:

  1. Canonical doesn't care, they just like to brag about how many apps they have.

  2. I'm not totally against letting anyone upload to the Ubuntu Store but it should ALL have source code available.

  3. I have the same 2048 game on one of my Android phones as a game built with Kivy Python. Now I see why the battery was draining so fast.

    Replies
    1. The game itself (its source) wasn't the culprit, but the snap package available on the Ubuntu Snaps Store.

  4. This is why the AUR on Arch is a separate entity from the regular repos and even custom repos. The AUR has stuff from anyone, but it's clear to everyone what the risks associated with it are, and so people use it (hopefully) with caution.

  5. Does this mean that malware can be found in Ubuntu repositories too?

    Replies
    1. There is no reason to assume that; they remain heavily peer reviewed, so it's extremely unlikely that they contain anything like that.

  6. There should be no non-free software in the Ubuntu store. Period.

    Replies
    1. That won't happen given Ubuntu already allows nonfree repositories to be used (even without snappy). I think you're best off just using a GNU-endorsed GNU/Linux distribution like Trisquel or gNewSense.

    2. Having said that, if you would like change in the Ubuntu store, then try creating a topic on https://community.ubuntu.com/ and, for the snap store, try creating a topic on https://forum.snapcraft.io/c/store . Nothing will change if you just complain in comments sections; however, people may respond to what you think if you post on those forums. Do give reasons why you think that there should be no non-free software on those stores, however.

  7. sudo apt purge snapd

    is in my config for Ubuntu

  8. Seriously, no one finds it strange that a 2048 game could be 138.8 MB? That's a huge red flag, no?

    Replies
    1. Snaps ship with system libraries, so all packages are quite large. The GIMP 2.10 snap, for example, is 213 MB: https://snapcraft.io/gimp

  9. As I see it, I have two gaming consoles to play games on... so I don't see a need to have games on my laptops / PCs. That being said, I also don't just install something because it got a mention on a tech site. Since I'm trying to learn programming, my machines are designed for that purpose. I also listen to music that I stream through Banshee or Rhythmbox, but no silly apps that help me track the time I spend on the PC (uhh... hello?... that's what the TIME in the system tray is for?...) and no dumb apps that will stream news feeds on my desktop... no widgets of unknown origin... nothing. I moved away from Windows to PREVENT getting "infected" with something I didn't want (I believe Windows calls them PUPs?... P-otentially U-nwanted P-rograms), and even though I don't mind installing SOME apps that don't come with a plain vanilla install, I'm not bogging down my PCs with stuff I won't ever need to use. So in hindsight, I guess if you're just a bit more selective in what you install, and WHERE you install it from... you should be ok. As for Ubuntu?... well, this is why I use Fedora... openSUSE... CentOS and Scientific Linux!

  10. "Well, the Ubuntu Snap Store allows anyone to upload snap packages, as opposed to packages (deb) available in the official Ubuntu repositories. The reason for this is to provide more easily installable packages to its users."

    How is hiding and not checking content easier for users? Was Synaptic not easy enough? Too flat a learning curve? No, this has nothing to do with users. Canonical has taken bad decisions and is going the same route as Windows 95 (95-98ish) started by obscuring what happens where, and Windows 10 ended with just blatant misuse of your data. Snaps are somewhere in the middle of this process. I am a user and I do not need the same packages packed again and again without a clear overview of what is used and what is going on inside. And no, I have not experienced any dependency hell in the last 10 years; it just works, people have been working hard for it to work. And it does. So, thank you, no snaps for me.
