Malware Found on the Ubuntu Snap Store


Snap apps can be installed from Ubuntu Software

Malware has been found hiding inside software on the Ubuntu Snap store.

A pair of (seemingly normal) apps available on the Snap store were discovered to contain a cryptocurrency miner disguising itself as the “systemd” daemon.

The affected apps also shipped an “init script” to auto-load the malicious code on boot and allow it to run in the background on affected systems.
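A miner that names itself “systemd” is easy to overlook in a process list, but the name a process reports and the path of the binary it is actually running are two different things. As an added example (not code from the article, from the app author, or from Canonical), the POSIX shell function below walks /proc and flags any process whose name is systemd or systemd-* but whose executable does not live under the real systemd directories. The directory argument defaults to /proc and can point at a constructed tree for testing. The genuine-path list (/lib/systemd and /usr/lib/systemd, as on a stock Ubuntu install) and the unreadable-exe note are assumptions about a standard Ubuntu layout:

```shell
#!/bin/sh
# Added example, not part of the original article.
# Lists processes named "systemd" (or "systemd-*") whose executable is NOT
# under the directories the real systemd binaries live in on Ubuntu.
# Assumption: genuine systemd binaries resolve to /lib/systemd/... or
# /usr/lib/systemd/... (the two are the same directory on merged-/usr systems).
# Output: one line per suspect, "PID NAME EXE".

find_systemd_impostors() {
  proc_root="${1:-/proc}"          # override to scan a constructed tree
  for pid_dir in "$proc_root"/[0-9]*; do
    [ -d "$pid_dir" ] || continue  # unmatched glob or vanished process
    pid="${pid_dir##*/}"
    # /proc/PID/comm is the name the process reports (what ps shows by default)
    comm="$(cat "$pid_dir/comm" 2>/dev/null)" || continue
    case "$comm" in
      systemd|systemd-*) ;;        # only interested in systemd look-alikes
      *) continue ;;
    esac
    # /proc/PID/exe links to the binary that is really running; readable for
    # your own processes, for everything else only as root
    exe="$(readlink "$pid_dir/exe" 2>/dev/null)" || exe="(unreadable: run as root)"
    case "$exe" in
      /lib/systemd/*|/usr/lib/systemd/*) ;;   # genuine location, ignore
      *) printf '%s %s %s\n' "$pid" "$comm" "$exe" ;;
    esac
  done
}

# Scan the live system (set PROC_ROOT to scan a copy or test tree instead).
find_systemd_impostors "${PROC_ROOT:-/proc}"
```

Run it as root (`sudo sh find-systemd-impostors.sh`) so every process's exe link is readable; any hit with a path under /snap/, /home/ or /tmp deserves a close look. Bear in mind that a process chooses its own name, so this only catches the particular disguise described here; a miner that picked a different name would not appear, and the most reliable giveaway of a miner is still sustained CPU use, which `ps -eo pid,user,comm,%cpu --sort=-%cpu | head` will show regardless of what the process calls itself.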

Canonical says it has “removed all applications from this author pending further investigations.”

Because the Snap Store doesn’t publish install numbers for apps, it’s unclear how many Linux users have been affected by this “miner issue”.

But regardless of that figure it’s a given that more will be asking how this was allowed to happen in the first place.

Malware on Ubuntu Snap Store: Preventable?

The apps added a cryptocurrency mining script to users’ system without their knowledge

How was it possible for malware to find its way on to the Snap store?

The offending code was first found by GitHub user ‘tarwirdur’ in an app purporting to be a version of the popular 2048 game.

Having uncovered it in one app, this canny user duly checked another app uploaded to the Snap store by the same developer. Et voilà: they found it also contained the same ByteCoin mining script.

This situation marks the first major “security” issue in the Snappy packaging system. But although unwelcome, this particular failure is not necessarily as frightening as it sounds at first, nor is it necessarily a fault with the Snappy format.

All apps uploaded to the Snap store undergo automated testing to check that they install and run correctly for users across multiple Linux distributions.

Both apps were uploaded as proprietary software so their code was not available to check

However, that testing is functional, not a code review: Snap apps are not inspected line by line for anything suspicious or out of the ordinary. Under the current framework there was simply nothing in place to detect or prevent this “malware” from being bundled with an app available on the Snap store.

Such a review would have been hard to do anyway, as both of the affected apps were uploaded as proprietary software: their source code was not available for anyone to check.

Badware

The crypto-currency miners in this instance can be considered malware because they weren’t mentioned in the store description and used system resources without permission or user knowledge for a task that wasn’t authorised.

That said, the mining scripts themselves don’t (seem to) do anything malicious to the system beyond consuming resources, e.g., harvest data, inject code, hijack browsers, etc.

Was this “malware” meant to be found?

It is possible that the app author in question wasn’t being intentionally malicious; given the lack of effort to disguise the malware (and the inclusion of a hardcoded email address mentioning a Ferrari) they may have been attempting to draw attention to a hole in the Snapcraft vetting model.

And if so, it’s worked.

Be Smart, And You’ll Stay Safe

If this news has you scared or worried about using Snap apps, try not to be.

Although this bit of bundle-ware was discovered in a Snap app, the issue is not Snap-specific.

This issue stresses the importance of being cautious about where you install software from

The same ByteCoin miner could have been bundled up with an app and distributed through a PPA, an AppImage, an installer script shared on GitHub, and so on.

But this news does stress the importance of being cautious about the kind of software you install, and where you install it from. Never assume that because an app is listed on a centralised app store like the Snap Store that it is either free of issues or coming direct from the official maintainer.

Only ever install apps from sources, developers and repos that you trust. Where possible only use applications packaged by an official maintainer or a trusted community source.

Never idly install software from obscure sources, or run command scripts you haven’t vetted yourself.

And in the rare instance that you ever find something suspicious in a Linux app do what this awesome user did and let others know.

Reddit (via securityaffairs.co)
