Malware has been found hiding inside software on the Ubuntu Snap store.
A pair of (seemingly normal) apps hosted by the Canonical-backed app hub were discovered to contain a сryptocurrency miner disguised as the “systemd” daemon.
The affected apps also shipped an “init script” to auto-load the malicious code on boot and allow it to run in the background on affected systems.
Canonical says it has “removed all applications from this author pending further investigations” since learning of the flaw via a Github issue at the weekend.
Because the Snap Store doesn’t provide public facing install numbers for apps it holds it’s unclear how many Linux users have been affected by this “miner issue”, though it’s worth noting that both apps were only uploaded in late April.
Regardless of the exact figure it’s a given that many users will now be asking how this was allowed to happen in the first place.
Malware on Ubuntu Snap Store: Preventable?
The apps added a cryptocurrency mining script to users’ system without their knowledge
How it was possible for malware to find its way in to the Snap store and on to user’s systems?
Curious as to why the app added a system start-up script they checked it out and saw it was for a crypto-currency miner tool.
This canny user then duly checked another app uploaded to the Snap store by the same developer. And guess what? They found it also contained the same ByteCoin mining script, linked to the same e-mail address.
This situation marks the first major “security” issue in the Snappy packaging system. But although unwelcome this particular fail is not necessarily as frightening as it sounds at first, nor is is necessarily a fault with the Snappy format.
All apps uploaded the Snap store undergo automatic testing to ensure that they work and install correctly for users on multiple Linux distros.
Both apps were uploaded as proprietary software so their code was not available to check
However, Snap apps are not checked line-by-line for anything suspicious or out-of-the-ordinary. Therefore, under the current framework, there was simply no way to detect or prevent this “malware” from being bundled up with an app and made available on the Snap store.
Any theoretical pre-detection would’ve been hard to do given that both of the affected apps were uploaded as proprietary software. Their code was not available to check.
The crypto-currency miners in this instance can be considered malware because they weren’t mentioned in the store description and used system resources without permission or user knowledge for a task that wasn’t authorised.
That said, the mining scripts themselves don’t (seem to) do anything malicious to the system itself, e.g, harvest data, inject code, hijack browsers, etc.
Was this “malware” meant to be found?
It is possible that the app author in question wasn’t being intentionally malicious; given the lack of effort to disguise the malware (and the inclusion of a hardcoded email address mentioning a Ferrari) they may have been attempting to draw attention to a hole in the Snapcraft vetting model.
And if so, it’s worked.
Be Smart, And You’ll Stay Safe
Scared or worried about using Snap apps? Don’t be.
Although this bit of bundleware was distributed as a Snap it was not taking advantage of a Snap-specific flaw.
This issue stresses the importance of being cautious about where you install software from
The same Bytecoin miner could have be bundled up with an app and distributed through a PPA, an AppImage, an installer script shared on Github, and so on.
What this news does stress is the importance of being cautious about the kind of software you install, and the places you install it from.
Never assume that because an app is listed on a centralised app store like this Ubuntu one that it is free of issues or coming direct from the official maintainer.
Only ever install apps from sources, developers and repos that you trust. Where possible only use applications packaged by an official maintainer or a trusted community source.
Never idly install software from obscure sources, or run command scripts you haven’t vetted yourself.
And in the rare instance that you ever find something suspicious in a Linux app do what this awesome user did and let others know.