May 15

Perhaps a post on this is already planned, but so that one does come on the forum eventually, I’m posting this…


What action will be taken to try and minimize/eliminate the amount of malware that comes onto the snap store in the future? Automated checking of apps uploaded? I thought this already happened? Also, could apps that are removed be replaced by dummy packages (that, if possible, run something to ensure there’s no trace of the malware left on the user’s computer, as far as this is reasonable) to ensure that they’re removed from the computers that the apps are installed on?

Or, at least, someone who claims to be its developer!

Yes, but since it is being investigated it would be a good start to contact him. I’ve edited my previous comment :slight_smile:

Thanks @Ads20000
We’re on it, aware of the comments on OMG too. :slight_smile:

As an end user, I expect these things (maybe they are already addressed in some other discussions; if so, sorry):

  • No internet access for snaps, and they have to ask permissions on first start - something like the modern Android security model. While it wouldn’t stop a miner, at least attackers cannot collect what they mined. Of course this would work for games (I don’t want to give Internet access to games), but not for other things.
  • Check on license: why shouldn’t a snap built from a public GitHub repo have the same license?
  • For FOSS projects, https://reproducible-builds.org/
  • Verified authors: there is an aws-cli package; the author is listed as aws on the store, but the repo’s authors say it’s not theirs. While I trust @popey because I know him, so I believe it’s owned by AWS, as a random user I wouldn’t trust just a random comment on a GitHub repo and give my company’s AWS credentials to a snap with doubtful ownership.
  • Easy-to-find link to the build log, if available (e.g. LP)

FYI, this problem was discussed earlier, before it materialized:

We initially removed the snaps from the store, and subsequently re-published them without the crypto miner, so anyone with the snaps installed will automatically get refreshed to a clean version.

Looks like a verification system is being created:

a simple but fairly effective feature that we are working on is the ability to flag specific publishers as verified. The details of that will be announced soon, but the basic idea is that it’ll be easier for users to identify that the person or organization publishing the snap is who they claim to be.

And a few more things, nice to know!
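Two of the end-user checks asked for in this thread (which installed snaps can reach the network, and whether a snap's publisher carries the verified mark) can be done from the shell today. The script below is an added example written for this page; it is not code from the thread, from snapd, or from the store. It assumes the table layout of `snap connections` (Interface, Plug, Slot, Notes columns) and the `publisher:` line of `snap info`, where a trailing check mark denotes a verified publisher; both samples are constructed here, not captured from a real system, and the snap name `some-game` is hypothetical.

```shell
#!/bin/sh
# Added example, not from the forum thread or from snapd.
# Audits which snaps hold the auto-connected "network" plug and whether their
# publisher is verified, then emits the commands that would revoke network
# access from the unverified ones.
#
# Assumptions: `snap connections` prints a table with the columns
# Interface Plug Slot Notes, and `snap info <snap>` prints a "publisher:"
# line that ends with a check mark for verified publishers. The samples
# below are constructed; "some-game" is a hypothetical snap name.

SAMPLE_CONNECTIONS='Interface  Plug                 Slot      Notes
network    some-game:network    :network  -
network    aws-cli:network      :network  -
home       some-game:home       :home     -
x11        some-game:x11        :x11      -'

SAMPLE_INFO_VERIFIED='name:      aws-cli
summary:   Universal Command Line Interface for Amazon Web Services
publisher: Amazon Web Services✓'

SAMPLE_INFO_UNVERIFIED='name:      some-game
summary:   A puzzle game
publisher: some-person'

# Print, one per line and sorted, the names of snaps whose "network" plug is
# connected. Takes the text of the connections table as its only argument.
network_snaps() {
    printf '%s\n' "$1" | awk '$1 == "network" { split($2, p, ":"); print p[1] }' | sort -u
}

# Exit status 0 when the "publisher:" line of the given `snap info` text ends
# with the verified check mark, 1 otherwise.
publisher_verified() {
    printf '%s\n' "$1" | grep -q '^publisher:.*✓$'
}

# Emit the snapd command that disconnects the network plug of each given snap.
disconnect_cmds() {
    for s in "$@"; do
        printf 'snap disconnect %s:network\n' "$s"
    done
}

# Walk the connected snaps and print a verdict for each; for snaps from an
# unverified publisher, print the disconnect command instead of running it.
for s in $(network_snaps "$SAMPLE_CONNECTIONS"); do
    case "$s" in
        aws-cli) info="$SAMPLE_INFO_VERIFIED" ;;
        *)       info="$SAMPLE_INFO_UNVERIFIED" ;;
    esac
    if publisher_verified "$info"; then
        echo "$s: network connected, publisher verified"
    else
        echo "$s: network connected, publisher NOT verified"
        disconnect_cmds "$s"
    fi
done
```

On a real machine, replace the constructed samples with `"$(snap connections)"` and `"$(snap info "$s")"` and pipe the emitted commands through `sudo sh` once you have reviewed them. A disconnected network plug does not uninstall anything; it only stops the snap from reaching the internet until the plug is reconnected, which is the "at least attackers cannot collect what they mined" mitigation from the post above.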