
Malware Found in the Ubuntu Snap Store

342 points, by dafran, about 7 years ago

31 comments

geofft, about 7 years ago
There is no review process or central restrictions on who can upload to the Ubuntu Snap Store, so in a sense, this isn't surprising. https://docs.snapcraft.io/build-snaps/publish

Does the name "Ubuntu Snap Store" carry a connotation that code is reviewed for malware by Ubuntu, the way that the Apple, Google, Amazon, etc. mobile app stores are? Or does its presence in the software center app imply a connotation that it's endorsed by the OS vendor?

I was at a PyCon BoF earlier today about security where I learned that many developers - including experienced developers - believe that the presence of a package on the PyPI or npm package registries is some sort of indicator of quality/review, and they're surprised to learn that anyone can upload code to PyPI/npm. One reason they believe this is that they're hosted by the same organizations that provide the installer tools, so it feels like it's from an official source. (And on the flip side, I was surprised to learn that Conda does do security review of things they include in their official repositories; I assumed Conda would work like pip in this regard.)

Whether or not people should believe this, it's clear that they do. Is there something that the development communities can do to make it clearer that software in a certain repository is untrusted and unreviewed and we regard this as a feature? The developers above generally don't believe that the presence of a package on GitHub, for instance, is an indicator of anything, largely because they know that they themselves can get code on GitHub. But we don't really want people publishing hello-worlds to PyPI, npm, and so forth the way they would to GitHub as part of a tutorial, and the Ubuntu Snap Store is targeted at people who aren't app developers at all.
solomatov, about 7 years ago
The problem with snaps is that they didn't take security really seriously on desktop: https://www.zdnet.com/article/linux-expert-matthew-garrett-ubuntu-16-04s-new-snap-format-is-a-security-risk/

> "X has no real concept of different levels of application trust. Any application can register to receive keystrokes from any other application. Any application can inject fake key events into the input stream. An application that is otherwise confined by strong security policies can simply type into another window," he wrote.

They might have wrapped the X protocol to provide more security and control. Instead they decided not to.

They might have created a system which is as bulletproof as on iOS, where you can install any apps and be 99.9999% sure that they won't steal your data unless you allow them to. But they created this instead.
userbinator, about 7 years ago
> used a proprietary license

Does the license actually mention it mines? I am reminded of a lot of "freemium"/"ad-supported"/etc. software that makes its author money via ads or whatever else --- and you agree to that if you read the license --- and it is a bit shady to name the miner 'systemd', but it seems rather overboard to call this "malware"... when I see that term I think of software that self-propagates and exfiltrates personal data, deletes/encrypts files for ransom, etc.

Also from the page:

> Size 138.8 MB

I'm not really familiar with the latest trends in (bloatware?) development, but a simple game like that taking >100MB would make me suspicious --- even 10MB is in the "questionable" range, and ~1MB would be closer to what I consider "typical". 138MB is bigger than the installed size of Firefox, and that's a far more complex application...
paulpauper, about 7 years ago
A Monero miner is one of the more innocuous forms of malware, compared to a C&C trojan or a keylogger. Some websites will mine Monero in the background. Because it's just a JS script, it's not much different from a banner ad except it's less intrusive, yet somehow 'currency miner' has more negative connotations than 'ad server'. That is the downside of decentralized mining and ASIC resistance: you end up with a lot of zombie miners.
alsadi, about 7 years ago
Unlike Flathub, where either the original developer or the Flathub admins take control.

Canonical's Snapcraft literally says "Get published in minutes".

Any random guy could publish his malware with nearly no review.

https://dashboard.snapcraft.io/snaps/

Yes, they maybe win the counter for published apps compared to Flathub. Congratulations!
logane, about 7 years ago
Whoa, I made Hextris (https://github.com/hextris/hextris, one of the games removed from the store) a few years ago! Is there any precedent for OSS developers being held responsible for misuse of their code?
the_common_man, about 7 years ago
This is exactly why you should not run random Docker images and snaps. Docker images are also run as root in many cases. It is better to build app images from scratch and understand what exactly goes into the image.
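As an added illustration of the "build it from scratch, don't run it as root" advice in the comment above (this is editorial example code, not something from the thread or from any project it mentions): a two-stage Dockerfile in which the runtime image starts from an empty filesystem, contains exactly one file that the build stage produced, and drops root before the process starts. The Go source is a constructed placeholder; a real project would COPY its own sources and pin its dependencies, and the base image tag is an assumption.

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: build a small static binary. The program source is written
# inline here only so the example is self-contained (constructed input).
FROM golang:1.22 AS build
WORKDIR /src
RUN printf 'package main\nimport "fmt"\nfunc main() { fmt.Println("hello from a scratch image") }\n' > main.go \
 && go mod init example.invalid/hello \
 && CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/app .

# Stage 2: the runtime image starts from an empty filesystem, so the only
# content is the binary we just built and can account for; there is no
# shell, package manager or init system for a bundled "extra" to hide in.
FROM scratch
COPY --from=build /out/app /app
# Drop root. Numeric ids are used because scratch has no /etc/passwd
# (65534 is the conventional nobody/nogroup).
USER 65534:65534
ENTRYPOINT ["/app"]
```

Build and run it with `docker build -t hello-scratch .` followed by `docker run --rm hello-scratch`; `docker image history hello-scratch` then shows every layer, which is the auditability the comment is asking for. The same pattern applies to any language that can produce a static binary; for interpreted runtimes the closest equivalent is a minimal, pinned base image plus an explicit `USER`.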
newnewpdro, about 7 years ago
It's only a matter of time before some major successful Linux system attack is delivered via snap/Flathub.

Distributions and their package maintainers serve an important role. In the interests of consuming more & faster, people seem to be ignoring that.

I wish we had enough resources in the free software community for all software to be packaged and maintained in the distributions by independent parties unaffiliated with the creators as a rule.
_eht, about 7 years ago
This is the Snap distribution system working as intended with unfortunate consequences.
thepumpkin1979, about 7 years ago
There is no review process for sandbox apps, the manual review is for apps with access system wide.
mihaifm, about 7 years ago
Can anyone clarify if this is a possibility for apt packages as well? As far as I understand, there are 4 types of apt repositories (for Ubuntu): Main, Universe, Restricted, Multiverse.

I guess Main is safe since it's handled by Canonical, but the rest?

Moreover, a lot of installers simply add a custom repository to sources.list.

What are some good practices for a novice user, regarding apt?
chris_wot, about 7 years ago
I only get my packages from the central repos. I would be very wary of downloading snaps unless I knew exactly who was distributing them.

Repositories are why Linux repos are free of malware. With more snap-based packages being made available, we are going to see a lot more of this sort of thing.
spullara, about 7 years ago
Apple's strategy for their store looks better and better every day.
DC-3, about 7 years ago
Nice case study in why Arch types are adamant that you should properly take the time to read your PKGBUILDs.
Iolaum, about 7 years ago
If you use snaps, be aware that they update automatically on their own. You have the option to set upgrade time windows, but you cannot completely disable automatic updates and use your own custom solution to update and administer your system.

Discussion of this issue with snap developers here: https://forum.snapcraft.io/t/disabling-automatic-refresh-for-snap-from-store/707
yani, about 7 years ago
It's great to see that the community acts fast and educates others.
jordigh, about 7 years ago
While this is obviously malicious, I think I would favour paying for things with a few CPU cycles, as long as it was voluntary and overt.

Want to read this article? Please click here to mine a cryptocoin for 30 seconds. Great, thanks! Here's a cookie so we won't ask you again to mine for a whole month.

I would much rather have this than being shamed into looking at ads. It always struck me as utterly bizarre to be told that not wanting to see ads is somehow immoral.
sleavey, about 7 years ago
As someone who hasn't yet used Ubuntu 18.04: is the snap store something I'll be using in 5 years' time instead of APT, is it just another attempt by Canonical to jump on the app store bandwagon, or is it something completely different?

Excuse my ignorance, but I'm intensely suspicious of "stores" on open source operating systems.
jancsika, about 7 years ago
Is there some workable way to just add random user-requested distros (or, more importantly, Debian) to a PPA? Is there some alternate/sane way to distribute packages for GNU/Linux without smothering my development process in molasses?

I don't even mind creating a VM for every single distro a user requests, and doing a huge automated binary compilation fest for every release. The only thing I care about is that the software is distributed through channels which make it explicit that the current stable version is the only version I support.
rrix2, about 7 years ago
It's too bad there isn't some sinister cabal of trusted individuals within the Ubuntu project that can review packages for quality and package them securely and in an auditable fashion.
nkkollaw, about 7 years ago
I've had bad experiences with Snap.

I understand that with Snap, devs have to bundle their own dependencies and take care of upgrading, which is bad if I understood correctly.

In my case, a few programs I had installed needed to be connected to other snaps, and they would suddenly stop working for no apparent reason. Only by trying to launch the misbehaving program from the command line would I find out I had to update the connected program(s).

It has never happened to me with Apt, so my opinion so far is that installing .deb files is vastly superior, at the moment.
hsivonen, about 7 years ago
How does one figure out who a given snapcraft packager is? E.g. Sublime Text says it's packaged by Snapcrafters. Who is that?
hsivonen, about 7 years ago
The risk here is not just going to the Snap Store. At least right now on Ubuntu 18.04, if you type a command that's not installed but is provided by a Snap app, the shell suggests that you install the snap the way it suggested an apt command previously.
tarruda, about 7 years ago
I'm not familiar with the Ubuntu snap store, but how does it compare with the Google Play store in terms of security?

For example, do apps need to request permissions for accomplishing specific tasks, or is there any kind of sandboxing involved?
alsadi, about 7 years ago
One needs to take special care about snaps, as they need to be sandboxed GUI apps. According to the OMG! Ubuntu report, this incident installed system services. And we know that snaps can ship even kernel modules.
dschuetz, about 7 years ago
Snaps was initially touted as the bestest, securest container-based application solution by Canonical back then. It is impossible for the app to steal your data, they said. Because of "secure encapsulation" and such. So, that means that there is no need for a review process for uploads, just to make installing packages even easier than it already is?

I'm sorry, Canonical and Ubuntu are the point where Open Source Software apparently breaks with its traditions. No review on binary blob uploads most certainly made with OSS when marked "proprietary"? They are kidding, right?
ezoe, about 7 years ago
Ubuntu 18.04 is horrible on this.

The default GUI package manager, "Ubuntu Software", shows snap packages just like ordinary packages. It was uploaded by somebody who is not bright at the domain and badly configured for locale. It can only handle ASCII characters. Probably reviewed by nobody.
dingo_bat, about 7 years ago
Can somebody explain the need for this new package management thingy when apt exists and works nicely? Why have two pieces of software to do the same thing?
ahbs66, about 7 years ago
> For example, the 2048buntu snap was submitted as proprietary, so we can't actually see the package contents, except for the init script which you can see above.

Unless the Snap Store uses some kind of DRM, I don't see how that can be the case. Just install it and see the contents in your filesystem?
Kototama, about 7 years ago
One more confirmation that Ubuntu cannot be recommended anymore.
xyproto, about 7 years ago
> Nicolas Tomb used a proprietary license for at least some of his snaps. For example, the 2048buntu snap was submitted as proprietary. The game in question, 2048, uses an MIT license

No! MIT is not a proprietary license!