Snap Store, a centralized application repository for distributing snap packages operated by Canonical, allows developers to publish applications with relatively low barriers to entry, while users can install and update software automatically through a single trusted channel. However, that trust is now under strain.

In a blog post, Alan Pope, a longtime Ubuntu community figure and former Canonical employee who remains an active Snap publisher, maintaining nearly 50 snaps with thousands of users, warns of a worrying trend affecting Snap packages. Here’s what it’s all about.

For more than a year, Pope and other security professionals have documented a persistent campaign of malicious snaps impersonating cryptocurrency wallet applications. These fake apps typically mimic well-known projects such as Exodus, Ledger Live, or Trust Wallet, prompting users to enter wallet recovery phrases, which are then transmitted to attackers, resulting in drained funds.

  • grue@lemmy.world · 48 up, 5 down · 14 hours ago

    Sure is a good thing Ubuntu doesn’t sometimes sneakily install a Snap when you try to use apt to install a package, such as with Firefox. Tricking users into using Snap without realizing it, making them unknowingly vulnerable to exploits like this, would be really really bad and unethical on Canonical’s part.

    • kumi@feddit.online · 32 up, 6 down · edited · 13 hours ago

      Tricking users into using Snap without realizing it, making them unknowingly vulnerable to exploits like this, would be really really bad and unethical on Canonical’s part.

      That is not what is happening at all.

      Just so nobody is confused or gets afraid of their install: Getting the Firefox snap installed via Ubuntu's apt package does not make users vulnerable to what is talked about here and is just as safe as the apt package version. For Firefox, snaps might even be safer since you will probably get security patches earlier than with apt upgrades and get some sandboxing. In both cases you are pulling signed binaries from Canonical servers.

      The post is about third-party fake snaps. If you run a snap install command from a random web site or LLM without checking it, or making a typo, then you are at risk. If Ubuntu didn't have snaps, this would be malicious flatpaks. If Ubuntu didn't have flatpaks, it would be malicious PPAs. And so on. Whatever hosted resource gets widely popular and allows users to blindly run and install software from third-parties will be abused for malware, phishing, typosquatting and so on. This is not the fault of the host. You can have access to all the apps out there you may ever want or you can safely install all your apps from one trusted source. But it's an illusion that you can never have both.

      People have opinions about if snaps are a good idea or not and that's fine but there shouldn't be FUD. If you are using Canonical's official snaps and are happy with them you don't have to switch.
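As an added example that is not part of the article or of any comment in this thread: the article describes snaps impersonating well-known wallet projects, and the comment above points out that the risk comes from running a copied `snap install` line without checking it. One cheap check before installing is to look at who publishes the snap. `snap info` prints a `publisher:` line, and the Snap Store marks verified publishers with a trailing check mark (✓). The snap names, publishers and sample outputs below are constructed placeholders, not real store entries.

```shell
#!/bin/sh
# Added example (not from the article or any commenter): inspect a snap's
# publisher before installing it. The Snap Store appends a check mark (✓) to
# verified publishers in `snap info` output. Names below are constructed.

# Constructed sample in the shape `snap info` prints, with a verified publisher.
SAMPLE_VERIFIED='name:      example-wallet
summary:   Example wallet
publisher: Example Org✓
store-url: https://snapcraft.io/example-wallet'

# Constructed sample for a look-alike name with an unverified publisher.
SAMPLE_UNVERIFIED='name:      examp1e-wallet
summary:   Example wallet
publisher: random-user
store-url: https://snapcraft.io/examp1e-wallet'

# publisher_of INFO_TEXT: print the publisher field from `snap info` output.
publisher_of() {
    printf '%s\n' "$1" | sed -n 's/^publisher:[[:space:]]*//p'
}

# is_verified INFO_TEXT: succeed only if the publisher carries the verified mark.
is_verified() {
    printf '%s\n' "$(publisher_of "$1")" | grep -q '✓'
}

# check_snap NAME: query the store for a real snap name and print a verdict.
# Returns 0 for a verified publisher, 1 for unverified, 2 if the snap is unknown.
check_snap() {
    info=$(snap info "$1" 2>/dev/null) || { echo "$1: not found in the store"; return 2; }
    pub=$(publisher_of "$info")
    if is_verified "$info"; then
        echo "$1: publisher '$pub' is verified"
        return 0
    fi
    echo "$1: publisher '$pub' is NOT verified; do not install on trust alone"
    return 1
}

# Usage on a real system: check_snap firefox
```

The verified mark only tells you that Canonical has confirmed the publisher's identity; it says nothing about the package contents, and it does not catch a typo in the name by itself. Compare the snap name and publisher against the project's own website before running the install line, since a look-alike name under an unverified account is exactly the pattern the thread is about.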

  • ultimate_worrier@lemmy.dbzer0.com · 6 up · 13 hours ago

    I’d say NixOS is safe from this but that’s probably not true. (Malicious nixpkgs derivations haven’t happened yet AFAIK). However, GUIX almost certainly is safe from this for now due to their “build the world from source” philosophy coupled with their obscurity.

    • jackr@lemmy.dbzer0.com · 2 up · 6 hours ago

      Except if you use a third-party channel for some software, in which case you get all the same problems again.

    • tomenzgg@midwest.social · 9 up · 11 hours ago

      I one time got an E-mail claiming my computer had been hacked and they’d installed monitoring software in my root/system location and I was like, “In my /gnu/store? Doubtful…”

    • Auth@lemmy.world · 3 up · 11 hours ago

      If the attacker controlled the domain wouldn't they control the source?

      • ultimate_worrier@lemmy.dbzer0.com · 1 up · 10 hours ago

        Yes. But content-addressed derivations go a long way toward mitigating that attack vector, IMO. Not sure how far along GUIX is in ca, though. So perhaps it’ll help nixpkgs to have a sandboxed machine that generates hashes for that.

    • kumi@feddit.online · 18 up · 13 hours ago

      Everything in there is relevant and applies to flatpaks too. Being aware of the risks is important when using alternative distribution methods. With power, responsibility.

  • morto@piefed.social · 2 up, 1 down · 14 hours ago

    That one was to counterbalance the pattern of good news I mentioned in another thread >.<