Cryptocurrency Miner Discovered on the Ubuntu Snap Store

Share this…

Researchers found a hidden malware inside the software in the Ubuntu Snap store.

The information security experts found that two applications, which appeared to be normal, hosted by Canonical, contained a cryptocurrency miner disguised as the “systemd” daemon.

These affected applications sent a “start script” to automatically load the malicious code during startup and thus allow it to run in the background.


Canonical commented that it has “eliminated all the requests of this author pending further investigations.” Canonical learned of this error through a Github problem over the weekend, information security experts commented.

Snap Store does not provide public installation numbers for the applications it contains, because of this it is not clear how many Linux users have been affected by this problem, it is important to note that both applications were only loaded at the end of April. Now many users will wonder how this was allowed to happen in the first place.

The code was first found by a Github user ‘tarwirdur’ in an application that purported to be a version of the 2048 game. Upon realizing that the application added a system startup script, they reviewed it and found that it was for a cryptocurrency mining tool.

The information security expert duly verified another application loaded in the Snap store by the same developer. They found that it contained the same mining script ByteCoin, linked to the same email address.

This is the first major “security” problem in Snappy’s packaging system. This error is not necessarily as frightening as it seems at first, nor is it necessarily an error with the Snappy format.

The applications loaded in the Snap store go through automatic tests to ensure that they work and install correctly for users in Linux distributions, commented professionals.

Applications are not reviewed line by line to detect something suspicious or out of the ordinary. Therefore, there was simply no way to detect or prevent this malware.

The pre-detection would have been difficult given that both affected applications were loaded as proprietary software. Your code was not available to verify.

According to information security experts, cryptocurrency miners can be considered malware since they are not mentioned in the description and used system resources without permission or knowledge of the user for an unauthorized task.

It is likely that the author of the application was not intentionally malicious; given the lack of effort to disguise the malware, they may have been trying to draw attention to vulnerability in Snapcraft’s research model. Even though this bundleware package was distributed as a Snap, it did not take advantage of a specific Snap defect.

The Bytecoin miner could have been included with an application and distributed through a PPA, an AppImage, a shared installer script on Github, and so on, said information security researchers.

We must be cautious about the type of software that it installs and the places where it is installed. Install applications only from sources, developers and repositories that you trust. Only use applications packaged by an official maintainer or a reliable source.