Stop the line?

All these are scam apps.

Everything by this publisher

https://snapcraft.io/publisher/codeshield0x0000

Time to stop uploads and rethink this whole strategy? Please?

9 Likes

Yes, there is a big team currently working full time trying to defeat the incoming flood of these phishing scam apps (obviously created by automated scripts), while on the side trying to change the policies and code of the store to avoid the issue altogether … it will take a bit of time, since many resources are being bound up by that flooding …

1 Like

Yeah, I figured that. Hence “Stop the line?”

For what it’s worth, I spoke to Hostinger abuse, with the Wireshark capture and my blog. They’ve suspended the account as of ~25 minutes ago. I confirmed the snaps which were published today, which use the same backend host, are now functionally crippled.

3 Likes

Thanks @popey - FWIW these were quarantined 2 hours after your post via the new process of the snap store team reviewing newly registered snap names multiple times each day. So the store team does have a process for identifying and blocking such malicious content but the process does have a small window where snaps are visible for a period before they can be reviewed. @holly is working on changes to this process to allow more proactive actions to be taken and hopefully we can get this rolled out soon.

Thanks for your ongoing attention to this area and for neutralizing this threat via the backend hosting provider (which appears to have occurred at the same time as these snaps were quarantined from the store).

2 Likes

Good job @popey .

Registration and publication mechanisms should be strengthened. It wouldn’t be bad to send codes in PM (not notifiable by email) for the snaps in the publication phase.

Ok, but still, that gap does need to be closed somehow.

They’re back again, taking advantage.

snap find wallet | grep bitguard
polygon-stable-89371         4.5.2                          bitguard0x000         -      Polygon Wallet is now on Snap!
uniswap30669                 5.5.0                          bitguard0x000         -      Uniswap is the wallet built for swapping.
tronlink-build44302          2.0.1                          bitguard0x000         -      Tronlink Wallet just arrived on Snap!
electrum-build93727          7.3.2                          bitguard0x000         -      Lightweight Bitcoin Client
metamask-stable-79370        1.7.6                          bitguard0x000         -      Metamask is now on Snap!
jaxx-liberty-build-9165      8.7.3                          bitguard0x000         -      Jaxx in now on Snap!
trustwallet-stable-28021     4.4.8                          bitguard0x000         -      Trustwallet is now on Snap!
avalanche-latest-54899       2.5.1                          bitguard0x000         -      Avalanche Desktop Wallet
exodus-latest36902           3.3.7                          bitguard0x000         -      Secure, Manage, and Swap all your favorite assets.
ledger-latest8446            4.3.5                          bitguard0x000         -      Ledger Live is now on Snap!

They have a new Hostinger IP, which I’ve reported to their abuse department.

2 Likes

As a normal, everyday user, these occurrences are eroding enough of my trust that I will have to do the same amount of research when installing something from the snap store as I would from the open internet to ensure that I’m installing something that looks and feels safe. Which kind of defeats the purpose of a centralized store. I doubt I’m alone - something needs to be done and it needs to be communicated to users.

4 Likes

Well, currently you can trust the team that is simply reviewing every single upload and quarantining the snap if one of these phishing ones is found (which is what I described above; it is a horrid manual workload, but this has been put in place so you can keep your trust in the store; malicious snaps are identified and immediately replaced with empty ones as well, so end-users will not fall for the phishing attempt) …

As soon as a programmatic way is ready (perhaps by stopping the line as popey asked above; this is in the hands of the store team, which currently works 24h to get this sorted), you will definitely get an announcement with a description of the issues as well as the actions that resulted from this …

2 Likes

That may be an aspiration, but it’s not quite what happens, due to the time delta between discovery and action being taken:

  1. Developer upload
  2. Developer publish

(Possible user download)

  3. User report (or Canonical discovery)
  4. Quarantine / removal

The bit between 2) and 3) can be, and has been, days. The bit between 3) and 4) can be hours.

So I’d be very careful of the use of “immediately” in any communication here. It’s been ~1.5 hours since I reported electrum-build93727 and while we’re discussing it, that snap is still publicly downloadable.

snap download electrum-build93727
Fetching snap "electrum-build93727"
Fetching assertions for "electrum-build93727"
Install the snap with:
   snap ack electrum-build93727_1.assert
   snap install electrum-build93727_1.snap

And it contains malware; it’s not empty.

unsquashfs -q electrum-build93727_1.snap
[=================================================================|] 32/32 100%
ls -l squashfs-root/bin
total 1400
-rwxr-xr-x 1 alan alan 1431872 Mar 19 19:13 electrum-bin

Look, I get that you guys are scrabbling around to fix this, and #hugops and all that. But there’s a reason I suggested “Stop the line”. The team is clearly not resourced to deal with the firehose.

Take a step back, close the door, focus on fixing the review process, and let’s not have days of dodgy uploads?

3 Likes

yeah, i should indeed have said “as fast as possible” …

4 Likes

I would support a stop-the-line mode until we come up with something new.

I would allow existing snaps to be updated, but any new accounts and new snaps should be quarantined until we come up with something practical.

4 Likes

Sorry for the noise, but I think I’ve been a victim of this massive “blocking”. My app was not even in the stable channel (therefore it required the --beta flag) and was still in --dev-mode, so not public at all (and I don’t plan to make it public until I have a not-just-console UI style). Can you please restore my account? Here is my post: Suspended account (and app name) after I managed to successfully publish it? Thanks

$ snap download ledger-latest83597
Fetching snap "ledger-latest83597"
Fetching assertions for "ledger-latest83597"
Install the snap with:
   snap ack ledger-latest83597_1.assert
   snap install ledger-latest83597_1.snap
1 Like
2 Likes

This isn’t live yet, is it?

snap find wallet | grep protectumcompany
avalanche-build24619         7.5.0                  protectumcompany      -      Avalanche Desktop Wallet
polygon-build-63338          2.7.9                  protectumcompany      -      Polygon Wallet is now on Snap!
exodus-stable11208           4.6.5                  protectumcompany      -      Secure, Manage, and Swap all your favorite assets.
uniswap-build2277            9.2.7                  protectumcompany      -      Uniswap is the wallet built for swapping.
ledger-build9571             7.1.9                  protectumcompany      -      Ledger Live is now on Snap!
electrum12451                5.8.4                  protectumcompany      -      Lightweight Bitcoin Client
metamask-stable-87805        2.9.1                  protectumcompany      -      Metamask is now on Snap!
trustwallet-67292            3.4.4                  protectumcompany      -      Trustwallet is now on Snap!
tronlink-latest13040         5.5.3                  protectumcompany      -      Tronlink Wallet just arrived on Snap!
jaxx-liberty-latest53650     8.6.8                  protectumcompany      -      Jaxx in now on Snap!

These were uploaded yesterday, and are still available now.

To be honest, when I read something like this, I obviously don’t expect that these malicious images will reappear and be available more than 23 hours after they were published under a different name.

The “pattern” of such malware is similar: for example, there is a hyphen in the name, then comes “latest”, “stable”, etc., then some numbers; the snaps have only one channel, and the applications are almost the same. It seems unlikely that, once manual scanning of every image has been announced, viruses of this kind will ever be missed again.

And even if we assume that these particular instances became available before the new temporary rules on manual verification were established, even a quick inspection makes these “patterns” clearly visible, which, it seems, should arouse suspicion, especially after the recent manual removal of such…

As proof, I am attaching a screenshot where the malicious image downloaded just a few minutes ago is not empty: it is available for download, it starts, and it has been working for almost 24 hours. I really hope that at least the provider to whose servers the confidential information is being sent responded faster.

Screenshot
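The naming pattern described in the post above (wallet brand, an optional “latest”/“stable”/“build” token, a trailing run of digits, and marketing summaries reused across brands) can be turned into a first-pass triage filter over `snap find` output. The following is an added example, not code from this thread or from the snap store team. The scam rows are copied from the listings in this thread; the three legitimate-looking rows, the publisher names `electrum-dev`, `example-publisher` and `alice-dev`, and the `TRUSTED_PUBLISHERS` map are constructed placeholders, not the real publishers of any of these wallets. The “only one channel” signal from the post is not visible in `snap find` output and would need a `snap info` lookup per name, so it is left out here.

```python
import re

# Rows copied from the `snap find wallet` listings in this thread, followed by
# three CONSTRUCTED legitimate-looking rows for contrast (publisher names are placeholders).
SAMPLE_SNAP_FIND = """\
Name                         Version                        Publisher             Notes  Summary
polygon-stable-89371         4.5.2                          bitguard0x000         -      Polygon Wallet is now on Snap!
uniswap30669                 5.5.0                          bitguard0x000         -      Uniswap is the wallet built for swapping.
electrum-build93727          7.3.2                          bitguard0x000         -      Lightweight Bitcoin Client
jaxx-liberty-build-9165      8.7.3                          bitguard0x000         -      Jaxx in now on Snap!
avalanche-build24619         7.5.0                          protectumcompany      -      Avalanche Desktop Wallet
electrum12451                5.8.4                          protectumcompany      -      Lightweight Bitcoin Client
metamask-stable-87805        2.9.1                          protectumcompany      -      Metamask is now on Snap!
electrum                     4.5.4                          electrum-dev          -      Lightweight Bitcoin Client
bitcoin-core                 27.0                           example-publisher     -      Bitcoin Core daemon and GUI
wallet-tracker               1.2.0                          alice-dev             -      Track your household spending
"""

# Wallet brands impersonated in this thread.
WALLET_BRANDS = {"polygon", "uniswap", "tronlink", "electrum", "metamask",
                 "jaxx", "trustwallet", "avalanche", "exodus", "ledger"}

# HYPOTHETICAL allowlist: brand -> publishers allowed to ship it. Placeholder only.
TRUSTED_PUBLISHERS = {"electrum": {"electrum-dev"}}

# Name shape from the thread: brand words, optional channel-like token, trailing digits.
SUSPECT_NAME = re.compile(
    r"^(?P<brand>[a-z]+(?:-[a-z]+)*?)-?(?P<tag>latest|stable|build)?-?(?P<num>\d{3,6})$")

# Boilerplate summary text reused verbatim across different "wallets".
REUSED_SUMMARY = re.compile(r"(is now on snap|in now on snap|just arrived on snap)", re.I)


def parse_snap_find(text):
    """Parse the five whitespace-padded columns of `snap find` output into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Name"):
            continue  # blank line or column header
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=4)
        if len(parts) != 5:
            continue  # malformed row: skip rather than guess
        name, version, publisher, notes, summary = parts
        rows.append({"name": name, "version": version, "publisher": publisher,
                     "notes": notes, "summary": summary})
    return rows


def suspicion_reasons(row, trusted_publishers):
    """Return the list of independent signals that fire for one row."""
    reasons = []
    m = SUSPECT_NAME.match(row["name"])
    if m:
        reasons.append("name is brand + optional channel word + trailing digits")
    stem = m.group("brand") if m else row["name"]
    brand = stem.split("-")[0]
    if brand in WALLET_BRANDS and row["publisher"] not in trusted_publishers.get(brand, set()):
        reasons.append(f"wallet brand {brand!r} from unlisted publisher {row['publisher']!r}")
    if REUSED_SUMMARY.search(row["summary"]):
        reasons.append("boilerplate 'now on Snap' summary reused across brands")
    return reasons


def flag_suspects(text, trusted_publishers, threshold=2):
    """Map snap name -> reasons for every row where at least `threshold` signals fire.
    A single signal (e.g. a legitimate name that happens to end in digits) is not enough."""
    flagged = {}
    for row in parse_snap_find(text):
        reasons = suspicion_reasons(row, trusted_publishers)
        if len(reasons) >= threshold:
            flagged[row["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in flag_suspects(SAMPLE_SNAP_FIND, TRUSTED_PUBLISHERS).items():
        print(f"{name}: " + "; ".join(reasons))
```

To use it against the live store, pipe `snap find wallet` into `parse_snap_find` and feed a real allowlist of publishers; the threshold keeps a lone digit-suffixed name from being flagged on its own, so the filter is meant to prioritise a human review queue, not to auto-quarantine.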

I have used Wireshark in a VM on multiple occasions and reported it to the provider, who have killed the account. But it’s likely just as easy for them to spin up another one. I decided to stop doing it because it felt like I was doing ‘my part’ and that wasn’t being reciprocated on the Canonical side. While I get that they have a ton of people working on important stuff to mitigate the problem, it’s clearly not working.

The ones I reported 4 hours ago are still there, as you noticed.

2 Likes