This article was published on May 15, 2018

Canonical finds hidden crypto-miners in the Linux Snap app store

Someone's been sneaking crypto miners into the Snap store.



Last Friday, Canonical, the developer of the popular Ubuntu operating system and owner of the Snapcraft app store, spotted one application surreptitiously mining cryptocurrencies in the background.

In the blog post announcing the incident, Canonical deliberately avoided naming the app or the publisher.

Canonical said the publisher was uploading open-source software with licenses that allowed the inclusion of mining software. It's therefore entirely possible that the original developer is unaware that their software has been monetized in this fashion.

The open-source company said that all snaps released by the publisher have been temporarily removed and will be re-uploaded without the malicious content by a "trusted party." Again, it declined to say who this would be.

This incident is a testing moment for Canonical. Snapcraft — and the broader Snap project — is a bold effort to change how package management works across the entire Linux ecosystem. Canonical has to convince a lot of people about its vision, and above all, it's got to instill trust.

It's therefore unsurprising that Canonical has approached this issue with radical transparency. Not only has it fessed up to the problem, it's also undertaken a refreshing amount of soul-searching about how it preserves the integrity of the Snapcraft app store, and whether cryptojacking could ever be considered a legitimate form of monetization.

Was the publisher doing anything wrong?

Canonical raises the question of whether the publisher was doing anything wrong, pointing out that cryptomining isn't actually illegal.

This was the argument put forward by the publisher. For what it's worth, it's a fair argument. "Cryptojacking" is a big business, and it's no longer exclusively associated with the seedier parts of the internet, like porn and torrent sites.

A few months ago, popular alternative news site Salon said it'd use cryptojacking to monetize its visitors who have adblocking extensions installed. As the crypto market matures, and cryptojacking loses its stigma, you can expect others to follow.

Canonical rejected this argument, however, noting that users weren't informed about the dual purpose of the software they were downloading.

"There are no rules against mining cryptocurrencies, but misleading users is a problem," the company said.

Where does Canonical go from here?

This incident is arguably the first big test for Canonical's Snap initiative. In addressing this issue, Canonical has acknowledged its limitations.

Canonical wrote that all Snap packages go through "automated checkpoints" and manual reviews when an issue is flagged. This is par for the course with most app stores.

However, it notes that the "inherent complexity of software" makes it impossible to go through every line of code with a fine-tooth comb.

"No institution can afford to review hundreds of thousands of incoming source code lines every single day," it wrote.

Canonical therefore argues that the best way to address the issue of bad actors on the Snap platform isn't to focus on content, but rather on the origins of software.

With that in mind, it intends to launch a verified publishers program. This will work a bit like verification on Facebook and Twitter, and it'll distinguish legitimate publishers from those masquerading as such. The details of this will be announced soon.

It's also working on more technical approaches which it describes as "more gradual and less visible." These will place greater emphasis on isolating applications from the underlying system.
