Slashdot Mirror

← Back to Stories (view on slashdot.org)

Malware Found In the Ubuntu Snap Store (linuxuprising.com)

Posted by BeauHD on from the where-there's-a-will-there's-a-way dept.

An anonymous reader quotes a report from Linux Uprising: Oh, snap! Just because some packages are available to install directly from the Ubuntu Software Center doesn't make them safe. This is proved by a recent discovery of malware in some snap packages from the Ubuntu Snaps Store.

At least two of the snap packages, 2048buntu and hextris, uploaded to the Ubuntu Snaps Store by user Nicolas Tomb, contained malware. All packages by Nicolas have since been removed from the Ubuntu Snaps Store, "pending further investigations." The report comes from a bug which mentions that the 2048buntu snap package (and other packages by Nicolas Tomb) contains a hidden cryptocurrency miner inside.

3 of 90 comments (clear)

  1. Snaps are impossible to verify by Anonymous Coward · · Score: 5, Insightful

    With all dependencies built in, there is a lot to comb through, not to mention that those dependencies may not even be completely patched and up to date.

    I'd rather install software the traditional way and be sure that each component I install is verified.

  2. O'rly! by Anonymous Coward · · Score: 5, Insightful

    How's this surprising. These containerized applications are full userland stacks, all the libs and dependencies the program needs, and then some, wrapped up. It's so easy to hide malware there, and so very difficult to audit them before inclusion, because their very raison d'etre is --- to avoid maintainership and allow "third party" vendors to distribute their mini-distros around.

    Is anyone REALLY surprised by this?

  3. It's a general problem by Casandro · · Score: 4, Insightful

    Essentially you need to keep a separation between code and data. Data is something you can get from any source as dubious data will never be able to breach the security.

    Code on the other hand are commands for your computer. Every new code you get onto your computer is a risk you take as it can be malevolent. Therefore you shouldn't take executing foreign code lightly. Ideally you only have your fixed set of programs which you can combine to use with data you get from everywhere.

    Things like AppStores pervert that safety precaution. They act as if it was possible to have a secure system, yet download software written by dubious developers.
    Sadly, we as a society seem to fall into the same trap over and over again, from Javascript to Active X. From Visual Basic for Applications to Appstores.