Malware in the Snap Store!

As seen on Reddit here:

It was discovered that someone was uploading apps with a cryptocurrency miner. The user has had their uploads removed already. My question is, is there any way to know which apps he infected so I can check my system? Was Discord one of those he put up?

4 Likes

I do not know if the data they give on Reddit is true, but it would be good if the directors of MATE pronounced on the veracity of that, and if it is true we would need a list of apps from this developer.

2 Likes

Hallo

There is a saying, "there is nothing new under the sun".

Think about that for a moment.

I would advise running a commercial "anti-virus" on any client computer, including GNU/Linux. I do.

Sadly, there are, and always have been so it would seem, human beings who are prepared to prey upon their own species. But we do not have to make it easy for them... :penguin: :mag: :warning:

1 Like

Hi all,

not sure how effective this is to search for installed snap packages (I haven't tried it yet as I'm busy):

Thanks for the heads-up @bornagainpenguin. :thumbsup:

Edit: I did a search and only have the following packages installed!:

3 Likes

Malware app was removed from Snap Store - see bug report at Github. But it can happen again.

This problem means that packages need to be checked with antivirus and moderated. We can't trust all these third parties.

I have removed Snap functionality from all my machines with `sudo apt purge snapd` just after installation.

5 Likes

Thank you!

I just checked and none of the snaps I had installed were made by Nicolas Tomb, so I'm safe from this one. I think we may need to reconsider snaps though if there's this little oversight on them. Wow. I never thought I'd see the day when I was worried about malware on Linux as something other than theoretical.

2 Likes
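Checking which publisher each installed snap came from, as the poster above did by hand, can be scripted. This added example is not from the thread or from snapd itself: it reads `snap list` output (piped in, or the constructed sample embedded below) and prints every snap whose Publisher column (named Developer on older snapd releases) matches the publisher you are looking for; the publisher ids in the sample are made up.

```shell
#!/bin/sh
# Added example: name the installed snaps that come from a given publisher.
# The Publisher column is located by its header text rather than by position,
# because column order and naming ("Developer" vs "Publisher") differ between
# snapd versions. Verified publishers carry a trailing marker (a check mark or
# "**") in `snap list` output; it is stripped before comparing.
#
# Usage on a real system:  snap list | flag_snaps_by_publisher "<publisher-id>"

flag_snaps_by_publisher() {
    # $1: publisher id to look for (case-insensitive); stdin: `snap list` output
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        NR == 1 {
            # Header line: find the column that holds the publisher.
            for (i = 1; i <= NF; i++)
                if ($i == "Publisher" || $i == "Developer") col = i
            if (!col) {
                print "no Publisher/Developer column in input" > "/dev/stderr"
                exit 2
            }
            next
        }
        {
            # Publisher ids are lowercase letters, digits and hyphens; anything
            # trailing (verification marker bytes) is dropped before the compare.
            pub = tolower($col)
            sub(/[^a-z0-9-]+$/, "", pub)
            if (pub == want) print $1
        }
    '
}

# Constructed sample `snap list` output for offline use (not real store data;
# "example-uploader" and "trusted-vendor" are made-up publisher ids).
SAMPLE_SNAP_LIST='Name        Version    Rev   Tracking  Publisher          Notes
core        16-2.32.8  4650  stable    canonical✓         core
gnome-3-26  3.26.0     64    stable    canonical✓         -
some-game   1.0        3     stable    example-uploader   -
other-tool  2.1        12    stable    trusted-vendor**   -'

# Demonstration against the sample: prints "some-game".
printf '%s\n' "$SAMPLE_SNAP_LIST" | flag_snaps_by_publisher example-uploader
```

On a live system the same function takes `snap list` on stdin; an empty result means no installed snap names that publisher, while a non-zero exit means the output format was not recognised and should be inspected by hand.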

That's maybe a bit extreme - after all, there are official snaps as well, some of them even preinstalled in recent versions of UM.
As long as you don't install any dodgy snaps yourself you should be fine.

2 Likes

Could you post a list of the dodgy ones so I can avoid them please?

1 Like

Just stick with the ones that come with the system, and e.g. if a reputable project like GIMP or VLC publishes their own official snaps those should probably be OK too.

1 Like

If this is really the advice we're supposed to be following I think I'd rather have repositories back. Those at least make sense, don't clutter my home folder and I don't have to hunt and search the net for the "official" snaps. Having to do all that doesn't strike me as an improvement--it feels like a step back just when the whole world has finally seen the benefits of app stores and central installers.

3 Likes

While I don't think the concept of snaps is all bad, I have to agree that the "appstore" distribution model has a tendency to attract all those who want to make a quick buck by less than legitimate means.
If you offer something like that you better make sure you have the resources to tightly police what gets in there, and even then occasionally something slips through.
Canonical might just have underestimated that aspect, I think...

Btw. this is one of the reasons I prefer the curated approach of the Software Boutique.

1 Like

Only if there is no curation and management.

People are used to app stores from their mobile devices now, which is why I used the term 'app store' when I meant repositories and central installer.

Truthfully we've been very fortunate that this sort of thing never happened with PPAs in the past, but at least with those there was a clear separation of official and unofficial packages. With snaps you're supposed to type in an application name and install. With PPAs you manually add repositories and update to add outside packages.

I don't see the benefit in playing hunt for the package or having to trust random packages with no way to vet them, and clearly no vetting has been done by Ubuntu. All I'm seeing are negatives. This looks like a serious regression to walk away from the superior method of maintained central repositories with a single installer application just as that model arrives to the rest of the computing world.

Agreed! More curation is needed, not less!

1 Like

@Wimpy Considering Mark Shuttleworth announced that the 18.10 release cycle would focus mainly on security, making sure no malware ends up in the Snap store is something Canonical should have on the agenda as well.

I don't think the idea was people trusting the new and shiny snap system less than your average PPA... :wink:

5 Likes

The saying was written by King Solomon in Ecclesiastes 1:9

What has been is what will be,
and what has been done is what will be done,
and there is nothing new under the sun.

Well stated and unfortunately a true statement. Humanity has always been its own worst enemy.

We should not really be surprised that someone would try to take advantage of Snap packaging, or Flatpaks for that matter, in this way. It's a relatively new concept in application distribution for Linux, and the full implementation of it has not been realized yet. As such it is an attractive target for those with malicious intent.

When Apple first opened their "App Store", similar things happened. Today the apps in their App Store have a digital signature, but the ability to install software that has not been signed exists in OS X. For obvious reasons of course.

The thing that bothers me most about Snap packages is their ability to update without our consent. I never have been, and never will be a fan of automatic updates, regardless of what operating system I'm using. We should have the ability to know what is going to be installed on our operating systems, prior to it being installed, and then have the ability to either allow or deny the installation or update.

4 Likes

Hi all,

both @bornagainpenguin and @maximuscore make a point about snaps in the repos. Aren't all our snaps (the ones currently available to us) done via the Ubuntu repos? If we choose to download snaps from the web, the same security procedures must be implemented and the download source checked and scanned before install. I know it is hard to do sometimes, but remember, "Trust no one"! :smiley:

2 Likes

I am not fully understanding this. Does this mean the snaps ecosystem is inherently less secure than what has gone before?

1 Like

Not necessarily, it just means that it is currently not nearly as carefully checked as the repositories, because with Ubuntu repositories you mostly have both Debian AND Ubuntu devs going over them. They perhaps need a way of peer reviewing like in the AUR (or that's how I understand the AUR works).

So, if that's true, the next question is why the Snaps system is not as carefully vetted?

4 Likes

It has also been reported on OMG Ubuntu now:

https://www.omgubuntu.co.uk/2018/05/ubuntu-snap-malware :smiley:

1 Like

I'm just guessing that it is not as well vetted because they do not have enough developers interested to do the work, as well as the app store model where anybody can create something and upload it. I understand the Google Play store has had a good deal of issues with malware too; it's probably just not the best model for security, however it is a good model for getting a lot of apps to your system. Honestly though, Canonical should probably just hire a couple more people that know what they are doing to go over every app that comes into the store, and just randomly go over apps already in the store as they have time, to make sure no one inserts malware through an update to their snap.

2 Likes