Malware Found In The Ubuntu Snap Store


Oh, snap! Just because some packages are available to install directly from the Ubuntu Software Center doesn't make them safe. This is proved by a recent discovery of malware in some snap packages from the Ubuntu Snaps Store.

At least two of the snap packages, 2048buntu and Hextris, uploaded to the Ubuntu Snaps Store by user Nicolas, contained malware. All packages by Nicolas have since been removed from the Ubuntu Snaps Store, "pending further investigations".

The report comes from a bug which mentions that the 2048buntu snap package (and other packages by Nicolas) contains a hidden cryptocurrency miner inside.

The init script bundled with the snap package used the myfirstferrari@protonmail.com email address. I guess that's one way of getting a Ferrari... 🙂.


An interesting aspect is that Nicolas used a proprietary license for at least some of his snaps. For example, the 2048buntu snap was submitted as proprietary (the game itself was not developed by Nicolas). The game in question, 2048, uses an MIT license which permits distributing it as proprietary, without making the source code available, as long as the copyright notices are retained.

Side note: 2048buntu was removed from the Ubuntu Snap store but you can check out its page via Google Cache. But we can't see the package contents any more (unless it's on GitHub somewhere but I couldn't find it).

How was this possible? Well, the Ubuntu Snap Store allows anyone to upload snap packages, as opposed to packages (deb) available in the official Ubuntu repositories. The reason for this is to provide more easily installable packages to its users.

What's your opinion regarding this? Do you think more and more malware will be getting through to users by allowing anyone to upload packages to the Ubuntu Store, or was this an isolated incident?

Update: Canonical React To Ubuntu Snap Store Cryptocurrency Mining Malware.

News via Reddit (u/Kron4ek).

13 comments:

  1. Canonical doesn't care, they just like to brag about how many apps they have.

  2. I'm not totally against letting anyone upload to the Ubuntu Store but it should ALL have source code available.

  3. I have the same 2048 game on one of my Android phones as a game built with Kivy Python. Now I see why the battery was draining so fast.

    1. The game itself (its source) wasn't the culprit, but the snap package available on the Ubuntu Snaps Store.

  4. This is why the AUR on Arch is a separate entity from the regular repos and even custom repos. The AUR has stuff from anyone but it's clear to everyone what the risks associated with it are and so people use it (hopefully) with caution.

  5. Does this mean that malware can be found in Ubuntu repositories too?

    1. There is no reason to assume that; they remain heavily peer reviewed, so they are extremely unlikely to contain anything like that.

  6. There should be no non-free software in the Ubuntu store. Period.

    1. That won't happen given Ubuntu already allows nonfree repositories to be used (even without snappy). I think you're best off just using a GNU-endorsed GNU/Linux distribution like Trisquel or gNewSense.

    2. Having said that, if you would like change in the Ubuntu store, then try creating a topic on https://community.ubuntu.com/ and for the snap store try creating a topic on https://forum.snapcraft.io/c/store . Nothing will change if you just complain in comments sections; however, people may respond to what you think if you post on those forums. Do give reasons why you think that there should be no non-free software on those stores, however.

  7. sudo apt purge snapd

    is in my config for Ubuntu

  8. Seriously, no one finds it strange that a 2048 game could be 138.8 MB? That's a huge red flag, no?

    1. Snaps ship with system libraries, so all packages are quite large. The GIMP 2.10 snap for example has 213 MB: https://snapcraft.io/gimp

