Malware Found In The Ubuntu Snap Store

Ubuntu Software Store

Oh, snap! Just because some packages are available to install directly from the Ubuntu Software Center doesn't make them safe. This is proved by a recent discovery of malware in some snap packages from the Ubuntu Snaps Store.

At least two of the snap packages, 2048buntu and Hextris, uploaded to the Ubuntu Snaps Store by user Nicolas, contained malware. All packages by Nicolas have since been removed from the Ubuntu Snaps Store, "pending further investigations".

The report comes from a bug which mentions that the 2048buntu snap package (and other packages by Nicolas) contains a hidden cryptocurrency miner inside.

The init script bundled with the snap package used the myfirstferrari@protonmail.com email address. I guess that's one way of getting a Ferrari... 🙂.

2048buntu ubuntu snap store

An interesting aspect is that Nicolas used a proprietary license for at least some of his snaps. For example, the 2048buntu snap was submitted as proprietary (the game itself was not developed by Nicolas). The game in question, 2048, uses a MIT license which permits distributing it as proprietary, without making the source code available, as long as the copyright notices are retained.

Side note: 2048buntu was removed from the Ubuntu Snap store but you can check out its page via Google Cache. But we can't see the package contents any more (unless it's on GitHub somewhere but I couldn't find it).

How was this possible? Well, the Ubuntu Snap Store allows anyone to upload snap packages, as opposed to packages (deb) available in the official Ubuntu repositories. The reason for this is to provide more easily installable packages to its users.

What's your opinion regarding this? Do you think more and more malware will be getting through to users by allowing anyone to upload packages to the Ubuntu Store, or was this an isolated incident?

Update: Canonical React To Ubuntu Snap Store Cryptocurrency Mining Malware.

News via Reddit (u/Kron4ek).