Canonical is introducing manual reviews for all newly registered uploads to its Snap Store following what it describes as a ‘potential security incident’.
It’s responding to reports that a number of recently published crypto-related snaps were acting in a malicious manner (the apps in question have since been pulled and are no longer available to install).
Now, this sounds dodgy – as any security incident might.
But it’s important to note that while Canonical has announced this incident (and taken swift action to ameliorate the situation, to their credit) they describe it as a ‘potential security incident’ (emphasis mine). I.e. they’re still looking into things.
If you take anything away from me reporting on this incident – there will be those out there suggesting that by reporting it I’m trying to milk it for clicks or some such, so I want to be clear – let it be that.
So if you have recently installed any newly-added crypto ledger apps from the Snap Store (perhaps using the swanky new App Center in the Ubuntu 23.10 beta) you may want to check if the app is still listed. If it isn’t, it may mean it’s been pulled as it was among those suspected of being malicious. Bear in mind that a snap being removed from the store does not uninstall it from your machine: anything you already installed stays there until you remove it yourself.
This isn’t the first time the Snap Store has had issues with icky uploads. In 2018 an innocuous-sounding app hid crypto-mining capabilities, unbeknownst to users. Not disclosing this in its description is what rendered it malware (Canonical later clarified that crypto-miners are allowed so long as they’re disclosed).
In this instance it appears that folks uploaded apps purporting to be official apps/tools for the hardware wallet maker Ledger. These apps harvested users’ recovery phrases (the backup codes people entered thinking the app was legitimate), and the bad actors could then use those to extract funds.
Thing is, all app stores, on all platforms, are at risk of bad actors exploiting loopholes, and as unfortunate as it is when things slip through the net, it is rare (maybe not on Android).
Based on what Canonical has said so far – and the actions they’ve taken – it doesn’t seem like these malicious snaps were exploiting security holes within snaps, snapd, or the Snap Store infrastructure itself – which is a good thing.
Rather, as in 2018, it’s a dev doing icky things within the bounds of what’s possible. Note that snap confinement offers no defence here: a sandbox can’t protect a user who voluntarily types a secret into a phishing app, because the app is doing exactly what it was permitted to do.
What this news should do is underline the importance of always being cautious about the software you install, where you install it from, and who has uploaded it. Where possible only use apps packaged by official maintainers or a trusted community member.
And if it’s a ‘new big-name app’ hitting the Store, always look for an official announcement, or a link on the official website, or even see if blogs (such as this one) have recently written about it!
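One concrete way to act on the two pieces of advice above (check whether a snap is still around, and check who uploaded it) is to look at the publisher field that `snap info` prints. This is an added example, not code from the original post or from Canonical; it assumes `snap info` prints a line of the form `publisher: Name✓`, where the trailing ✓ is the mark snapd shows for a publisher account Canonical has verified. The two sample outputs are constructed for the example rather than captured from the store, and the `check_installed` helper, which needs a live `snap` command, is only defined, not run.

```shell
#!/bin/sh
# Added example (not from the original post): flag installed snaps whose
# publisher account lacks the verified mark in `snap info` output.
# Assumption: `snap info` prints "publisher: Name✓" for verified publishers.

# Print the publisher field from a block of `snap info` text passed as $1.
publisher_of() {
    printf '%s\n' "$1" | sed -n 's/^publisher:[[:space:]]*//p' | head -n 1
}

# Return 0 when the publisher carries the verified mark (✓), 1 otherwise.
is_verified_publisher() {
    case "$(publisher_of "$1")" in
        *✓*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample: `snap info` output for a snap from a verified publisher.
SAMPLE_VERIFIED='name:      firefox
summary:   Mozilla Firefox web browser
publisher: Mozilla✓
store-url: https://snapcraft.io/firefox
license:   unset'

# Constructed sample: an unverified account using an official-sounding name.
# The snap and publisher names here are hypothetical.
SAMPLE_UNVERIFIED='name:      wallet-helper
summary:   Official wallet companion app
publisher: wallet-helper-dev
store-url: https://snapcraft.io/wallet-helper
license:   unset'

# Live usage (requires snapd; not executed here): walk `snap list` and report
# each installed snap whose publisher is not verified. The first awk line of
# `snap list` is the column header, so it is skipped.
check_installed() {
    snap list 2>/dev/null | awk 'NR > 1 { print $1 }' | while read -r name; do
        info="$(snap info "$name" 2>/dev/null)"
        if ! is_verified_publisher "$info"; then
            printf 'UNVERIFIED publisher: %s (%s)\n' "$name" "$(publisher_of "$info")"
        fi
    done
}
```

A caveat worth keeping in mind: the verified mark only tells you Canonical has confirmed who owns the publisher account. It says nothing about what the snap does, and a snap that has already been pulled from the store will make `snap info` fail rather than show a publisher, which is itself a signal to go and remove it.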
Thanks Snap Diddy