Wednesday, 23 May 2018

Ubuntu Snap Store app contained cryptocurrency miner, showing open source doesn't equal safe

There was a recent discovery that an app called "2048buntu" in the Ubuntu Snap Store contained cryptocurrency (Bytecoin) mining code. Thankfully, this app -- and the developer's other submissions -- have since been removed. Yeah, it's annoying that the developer chose to add this code, but is it really a malicious thing? I mean, since the app is open source, this mining code was technically not hidden, right? After all, the open nature is how it was discovered.

What is the downside to having this cryptocurrency code commingled with the expected code? Well, the mining can slow down your computer while also increasing your electricity use. So yes, it can have a negative impact on your machine's performance and cost you money. With that said, it doesn't steal any information or open any backdoors. Calling it malware could be an exaggeration then.

Look, I am not defending this behavior. Quite frankly, I find it unethical to have software that performs a function unknown to the user. But it was not hidden. This fiasco highlights that just because something is open source doesn't mean it is safe. Not every Linux user knows how to read code -- many are just using their computer as a tool (including me). For them, malicious code can be hiding in plain sight -- it might as well be written in Chinese.

So what is the takeaway here? The Ubuntu Snap Store team has to do a better job vetting and checking software that enters the store -- it cannot be the wild west. Code must be reviewed. In this case, the impact was minor, but it's only a matter of time before someone tries to sneak in something more nefarious than mining. Snaps still have a bright future, and open source remains a great thing, but it is obviously time to be more vigilant.
