Canonical is enacting manual reviews for all newly registered uploads to its Snap Store following what it describes as a ‘potential security incident’.
The company is responding to user reports that a couple of recently published crypto-related snaps were acting in a (likely) malicious manner (the apps in question have since been pulled, are no longer available to install, and dummy updates issued to affected users to replace them).
Now, this sounds dodgy, just as any security incident might.
But it’s important to note that although Canonical has announced this incident (and taken swift action to ameliorate the situation, much to their credit) its describes this as a ‘potential security incident’ (emphasis mine).
If you take anything away from me reporting on this incident — there will be those out there suggesting that by reporting it I’m trying to milk it for clicks or some such, so I want to be clear — let it be that this is still being looked in to.
That said, if you recently installed newly-added crypto ledger apps from the Snap Store (perhaps using the swanky new App Center in the Ubuntu 23.10 beta) you should look to see if the app is still listed. If it isn’t, it’s (likely) because it was suspected of being malicious.
Crypto Snap Shenanigans
This isn’t the first time the Snap Store has had issues with icky uploads. In 2018 an innocuous-sounding app hid a crypto-miner within, unbeknownst to users. Not disclosing this in the app description rendered it malware (Canonical later clarified to say crypto-miners are allowed so long as they’re disclosed).
In this instance it appears that, once again, crypto is involved – albeit to a more nefarious degree.
Several newly uploaded apps claimed to be official apps/tools for crypto ledger tool Ledger. These apps were presented as legit, asked users to input their backup codes (which people entered thinking it was safe to) and the bad actors were able to use the codes to extract funds.
At least one affected user claims to have lost a large amount of money as a result.
All app stores, on all platforms, are at risk of bad actors exploiting loopholes. As unfortunate as it is when skanky software slips through the net, it is rare (well, maybe not on Android ).
Based on what Canonical has said so far – and the actions they’ve taken – it does not seem like these malicious snaps were exploiting security holes within snaps, snapd, or the Snap Store infrastructure itself – which is a good thing.
Rather, as in 2018, it’s a dev doing icky things within the bounds of what’s possible.
Even on Linux it’s wise to be cautious about the software you install, where you install it from, and who has uploaded it. Where possible only use apps packaged by official maintainers or a trusted community source.
And if you see a ‘new big name app’ hit the Snap Store (and there’s no verified green tick beside the uploaded) go look for an official announcement on the project’s official website, or see if blogs (such as this one) have recently written about it.
Thanks Snap Diddy