Canonical finds hidden crypto-miners in the Linux Snap app store

Last Friday, Canonical, the developer of the popular Ubuntu operating system and owner of the Snapcraft app store, spotted one application surreptitiously mining cryptocurrencies in the background.

In the blog post announcing the incident, Canonical deliberately avoided naming the app or the publisher.

Canonical said the publisher was uploading open-source software with licenses that allowed the inclusion of mining software. It’s thererfore entirely possible that the original developer is unaware that their software had been monetized in this fashion.

The open-source company said that all snaps released by the publisher have been temporarily removed and will be re-uploaded without the malicious content by a “trusted party.” Again, it declined to say who this would be.

This incident is a testing moment for Canonical. Snapcraft — and the broader Snap project — is a bold effort to change how package management works across the entire Linux ecosystem. Canonical has to convince a lot of people about its vision, and above all, it’s got to instill trust.

It’s therefore unsurprising that Canonical has approached this issue with radical transparency. Not only has it fessed up to the problem, it’s also undertaken a refreshing amount of soul-searching about how it preserves the integrity of the Snapcraft app store, and whether cryptojacking could ever be considered a legitimate form of monetization.

Was the publisher doing anything wrong?

Canonical raises the question whether the publisher was doing anything wrong, pointing out that cryptomining isn’t actually illegal.

This was the argument put forward by the publisher. For what it’s worth, it’s a fair argument. “Cryptojacking” is a big business, and it’s no longer exclusively associated with the seedier parts of the internet, like porn and torrent sites.

A few months ago, popular alternative news site Salon said it’d use cryptojacking to monetize its visitors who have adblocking extensions installed. As the crypto market matures, and cryptojacking loses its stigma, you can expect others to follow.

Canonical rejected this argument, however, noting that users weren’t informed about the dual-purpose of the software they were downloading.

“There are no rules against mining cryptocurrencies, but misleading users is a problem,” the company said.

Where does Canonical go from here?

This incident is arguably the first big test for Canonical’s Snap initiative. In addressing this issue, Canonical has acknowledged its limitations.

Canonical wrote that all Snap packages go through “automated checkpoints” and manual reviews when an issue is flaged. This is par for the course with most app stores.

However, it notes that the “inherent complexity of software” makes it impossible to go through every line of code with a fine-tooth comb.

“No institution can afford to review hundreds of thousands of incoming source code lines every single day,” it wrote.

Canonical therefore argues that the best way to address the issue of bad actors on the Snap platform isn’t to focus on content, but rather on the origins of software.

With that in mind, it intends to launch a verified publishers program. This will work a bit like verification on Facebook and Twitter, and it’ll distinguish legitimate publishers from those masquerading as such. The details of this will announced soon.

It’s also working on more technical approaches which it describes as “more gradual and less visible.” These will place greater emphasis on isolating applications from the underlying system.

The Next Web’s 2018 conference is just a few days away, and it’ll be ??. Find out all about our tracks here.