Snap malware

Axios

I ran across this (I dont use snaps) but was wondering if this could happen with flatpaks
as it seems on the road to be the dominate one.
Interesting reading.
https://blog.popey.com/2026/01/malware-purveyors-taking-over-published-snap-email-domains/

This is very interesting didnt even know anything like this existed
https://snapscope.popey.com/

Harvey

Probably.

brent

that first source lists three methods that the bad guys infect snaps. this is one of them:

"The scammers have tried various approaches to appear legitimate:
Initially, they just published authentic-looking applications with plausible screenshots and storefront pages. This was the approach I documented in my previous articles about the fake “Exodus” and “Ledger Live” apps.
Then, they started evading text filters by using similar-looking characters from other alphabets. For example, replacing the lowercase “d” in “Ledger” with the Armenian letter Zhe “ժ”, which at first glance passes for a Latin “d”. They also use Palochka “ӏ” which resembles a lowercase “L”.

More recently, they’ve adopted a bait-and-switch approach:

Register an innocuous, unrelated snap name like lemon-throw, alpha-hub, or tenor-freeze
Publish something harmless - often claiming to be a game
Wait for approval
Push a second revision containing the fake crypto wallet app

Some of us in the community diligently report these applications to Canonical, and after a period they get removed."

the other methods were "domain squatting" and some kind of ping thing.

Over the years I never hear nothing about Flatpaks but I think they can be vulnerable too and always have. Tell you the truth I'm been too scared to poke around (research it) 'flatpak/cve' because I have to trust a few just to operate every day...

second link was startling too. big cve registry there..

Original-Syn

Downside of the growth of Linux Desktop is more attention is paid by hackers.

My business is cyber and we deal a lot with high security clients, more on the regulation side. The ramp up of malware, primarily ransomware has been trending up at fast pace. Mostly in the lower end drive by targeting like this. In numerous instances, they simply use the payloads they built for Windows and setup a delivery method for Linux. Most of the time it does not even need root access since the target is your personal data and config files.

brent

Original-Syn The ramp up of malware, primarily ransomware has been trending up at fast pace.

they slipped a couple of poison apps into the AUR then that was DDOS'd for months near the end of last year. strange times.
I'd ask you what the end game is to the bad guys but I'm sure it's the same for decades of Win: control of sys, damage, hack, etc.

Original-Syn

brent Honestly money is a lot of it. Some of it just for fun, but these teams make a lot of money of ransomware. Personal information to steal identities is another big on sold on the darkweb.

Axios

Just to not be unfairly one sided on the subject
https://www.linuxjournal.com/content/when-flatpaks-sandbox-cracks-real-life-security-issues-beyond-ideal

Original-Syn

Axios Absolutely it can happen on any package type. Snap, Flatpak, and AppImage do not have quite as good of security protocols in place yet. Snap is actually ahead of the game in their workflow, but it is not well implemented from what I have seen yet. Flatpak has a proper guideline, but it is not enforced and those that do the checking are not who I would call qualified. AppImages is whatever anyone wants to throw in there as it is non-centralized.

brent

Axios

Original-Syn Flatpak has a proper guideline, but it is not enforced and those that do the checking are not who I would call qualified

the thing about flatpaks is sometimes they are maintained/created by the app dev/creator...and a lot of the time they are not.
I keep a good thought about flatpaks--which I rely on--til I hear the bad news.

the article (see last @axios link ^) referenced two 2025 CVEs (no apps) that had to do with building:
"CVE‑2024‑32462: RequestBackground Portal Abuse
Security researcher Gergo Koteles uncovered a high-severity vulnerability where malicious Flatpak apps could craft a .desktop file via the org.freedesktop.portal.Background.RequestBackground interface. That tricked Flatpak’s --command= parsing into injecting bwrap arguments (e.g. --bind)."
"CVE‑2024‑42472: Persistent Data Symlink Exploit
A Flatpak flag, --persist (or persistent= in manifest), allows apps writable storage within their data directory. But if a malicious install replaces that directory with a symlink pointing to sensitive host folders (e.g. ~/.ssh), the sandbox mount entry follows it into the real filesystem, giving the app unintended access to files outside its name-spaced area. "

makes me happy when this stuff is vigilantly looked at by the good guys.

Axios

I decide to do flatpak inventory Had 17 flatpaks installed. (On Plasma)
12 of those verfied
5 not verified (I guess take this with a grain of salt)
So I feel comfortable with that as the 5 are somewhat mainstream apps

Original-Syn

Axios Even the non-verified go through review. While not as good as being an officially published app, it does get checked and scanned.

Axios

Original-Syn Ah thats good to know.