Snap Store alert: Accounts hijacked via expired domains

Key points:
  • Attackers buy expired domains to reset developer passwords on Snap Store.
  • Hijacked accounts are used to send malicious updates to trusted apps.
  • The main objective is the theft of cryptocurrencies using fake wallets.
  • The SnapScope tool helped identify data exfiltration via Telegram.
  • Developers are advised to enable 2FA and users are advised to avoid installing wallets from the store.

Malware distributors are now hijacking Snap Publisher domains

A new and sophisticated wave of attacks is undermining trust in Canonical's Snap Store. A few days ago, Alan Pope (the company's former Engineering and Community Manager) revealed an attack technique that differs from traditional malware distribution methods.

Now, attackers are no longer content with creating fake applications; they are hijacking legitimate developer accounts by taking advantage of the expiration of their email domains.

The evolution of the attack: From deception to total impersonation

Among the attacks most commonly seen on Linux, attackers relied on techniques such as typosquatting (registering package names very similar to those of popular applications) or publishing new software in the hope that an unsuspecting user would install it. To counter these threats, Canonical and other software distributors introduced manual review of new package names, making it harder for malware to enter through these traditional channels. The new strategy detected by Pope bypasses these filters entirely by exploiting the reputation of already established accounts.

The modus operandi is as simple as it is devastating. The attackers comb the store for abandoned applications, or for developers who have let the internet domains associated with their registration emails expire (for example, admin@forgottenproject.com). Once a target is identified, they buy the expired domain, reactivate the email address and request a password reset from the Snap Store. Having gained access to the account, they find themselves in control of a profile the system considers trustworthy, free of the restrictions or warning labels that apply to new users.

The target: Cryptocurrency wallets and sensitive data

Once the attackers take control of the account, they release malicious updates for existing applications. Since the software was already published and approved, these updates often go unnoticed by automatic security filters. The main objective of these campaigns appears to be the theft of cryptocurrencies. Pope has documented how these modified applications, which often masquerade as wallets like Exodus or Ledger Live, request users' recovery phrases and send the credentials to servers controlled by the attackers, emptying victims' accounts in a matter of minutes.

During his research with SnapScope, a tool he originally developed to audit the security of Snap packages, Pope discovered that many of these malicious applications communicate with Telegram bots to exfiltrate stolen data. By analyzing the network traffic of these packages, he was able to identify specific chat identifiers and usernames, confirming that there is an organized operation behind these incidents, possibly operating from Eastern Europe.
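The Telegram-bot exfiltration channel described above is easy to spot in egress telemetry, because the Bot API lives on a single hostname with a recognisable path. The following script is an added example written for this article; it is not SnapScope or any other code by Pope. It runs over a few constructed egress log lines (a simple "timestamp snap method url" format assumed here, not a real log format) and flags snaps that call the Bot API, keeping the chat_id and bot id for triage while never storing the bot secret.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample egress log lines (not real traffic, fake bot tokens):
# "<timestamp> <snap name> <HTTP method> <url>"
SAMPLE_LOG = """\
2024-06-01T10:00:01Z exodus-wallet-snap POST https://api.telegram.org/bot1234567890:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendMessage?chat_id=-1001234567890&text=seed
2024-06-01T10:00:02Z exodus-wallet-snap GET https://api.telegram.org/bot1234567890:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/getUpdates
2024-06-01T10:00:03Z firefox GET https://t.me/some_public_channel
2024-06-01T10:00:04Z ledger-live-snap POST https://api.telegram.org/bot9876543210:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB/sendDocument?chat_id=555
"""

# Bot API path: /bot<bot id>:<secret>/<method>  (assumed shape of the endpoint)
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)$")

# Methods that push data out of the host; anything else on the Bot API is still
# worth a look (C2 polling via getUpdates, for instance) but is less urgent.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}


def analyze_egress(log_text):
    """Return one finding per Bot API request seen in the log text."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) != 4:
            continue  # malformed line, skip rather than crash the scan
        timestamp, snap, http_method, url = parts
        parsed = urlsplit(url)
        if parsed.hostname != "api.telegram.org":
            continue
        match = BOT_PATH.match(parsed.path)
        if not match:
            continue
        api_method = match.group("method")
        chat_id = parse_qs(parsed.query).get("chat_id", [None])[0]
        findings.append({
            "timestamp": timestamp,
            "snap": snap,
            "bot_id": match.group("bot_id"),   # identifies the bot, safe to keep
            "api_method": api_method,
            "chat_id": chat_id,                 # the recipient channel, useful for correlation
            "severity": "high" if api_method in EXFIL_METHODS else "medium",
            # match.group("secret") is deliberately dropped: never log bot tokens
        })
    return findings


def snaps_to_quarantine(findings):
    """Snaps with at least one high-severity finding, i.e. observed sending data to a bot."""
    return sorted({f["snap"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    results = analyze_egress(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:6} {f['snap']:20} bot={f['bot_id']} {f['api_method']} chat_id={f['chat_id']}")
    print("quarantine:", snaps_to_quarantine(results))
```

The same logic applies to any proxy or sandbox log that records the full request URL; the only pieces to adapt are the line parser and the list of methods you treat as exfiltration.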

This attack vector exposes a critical vulnerability in identity management within software repositories. Unlike a direct attack on Canonical's servers, this is an attack on the identity supply chain. Pope identified specific domains that were acquired by attackers for the sole purpose of hijacking accounts.

The problem is not exclusive to the Snap Store: last year, the Python Package Index (PyPI) faced an identical crisis and had to preemptively block more than 1800 email addresses linked to expired domains. The security community is urging Canonical to implement similar measures, such as continuous verification of email domain validity or mandatory two-factor authentication (2FA) for all publishers, which would prevent simple control of an email address from being enough to hijack an account.
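To show what the "continuous verification of email domain validity" measure looks like on the registry side, here is an added example (written for this article, not Canonical's or PyPI's code). It assesses a constructed list of publisher records against an injected DNS lookup function, and disables the email-only password reset for any account whose domain no longer resolves, since a reset mail sent to a lapsed domain proves nothing about who controls the mailbox. The publisher records, the stub lookup table and the policy thresholds are all assumptions; in production the stub would be replaced by a real MX lookup (for example via dnspython) and a WHOIS expiry check.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Publisher:
    account: str
    email: str
    two_factor: bool
    last_login: date


# Constructed publisher records (not real Snap Store accounts).
PUBLISHERS = [
    Publisher("acme-tools", "dev@acme-tools.example", True, date(2024, 5, 1)),
    Publisher("forgottenproject", "admin@forgottenproject.example", False, date(2019, 2, 3)),
    Publisher("wallet-corp", "ops@wallet-corp.example", False, date(2024, 4, 20)),
    Publisher("ghost-snap", "me@ghost-snap.example", True, date(2018, 1, 1)),
]

# Constructed stand-in for a live DNS query: only these domains still have MX records.
LIVE_MX = {"acme-tools.example", "wallet-corp.example"}


def mx_lookup_stub(domain):
    """Hypothetical resolver; swap in a real MX query in deployment."""
    return domain in LIVE_MX


def email_domain(email):
    return email.rsplit("@", 1)[1].lower()


def assess_publishers(publishers, has_mx, today, dormant_days=365):
    """Map each account to (action, reasons).

    freeze-reset    : email domain does not resolve; email-only password reset is disabled
                      until the publisher re-verifies through another channel.
    flag-for-review : domain is live but the account is dormant or lacks 2FA.
    ok              : nothing to report.
    """
    decisions = {}
    for p in publishers:
        reasons = []
        if not has_mx(email_domain(p.email)):
            reasons.append("email-domain-unresolvable")
        if (today - p.last_login).days > dormant_days:
            reasons.append("dormant-account")
        if not p.two_factor:
            reasons.append("no-2fa")

        if "email-domain-unresolvable" in reasons:
            action = "freeze-reset"
        elif reasons:
            action = "flag-for-review"
        else:
            action = "ok"
        decisions[p.account] = (action, reasons)
    return decisions


def reset_allowed(decisions, account):
    """Gate for the password-reset endpoint: never send a reset mail to a frozen account."""
    action, _ = decisions.get(account, ("freeze-reset", ["unknown-account"]))
    return action != "freeze-reset"


if __name__ == "__main__":
    decisions = assess_publishers(PUBLISHERS, mx_lookup_stub, date(2024, 6, 1))
    for account, (action, reasons) in decisions.items():
        print(f"{account:18} {action:16} {', '.join(reasons) or '-'}")
```

Running the check on a schedule rather than once at signup is the point: a domain that was valid when the account was created can lapse years later, which is exactly the window the attacks described in this article exploit.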

For end users, the recommendation is clear but uncomfortable: blind trust in the app store is no longer safe. This is especially true when it comes to financial software or cryptocurrencies. The longevity of a developer account is no longer a guarantee of security, and it is advisable to download these types of critical applications directly from the official vendor websites rather than relying on system package managers until stricter controls are implemented.

Source: https://blog.popey.com