Snapstore Malware

So, I stumbled onto an article about malware found on the Snapstore created by a developer, and then I saw that apps now have a check mark or a star beside the application.

Since this article was from 2018, I assume this is no longer an issue? I didn’t know that pretty much anyone could upload software to the Snapstore.

https://www.linuxuprising.com/2018/05/malware-found-in-ubuntu-snap-store.html

1 Like

Take any article from five years ago with a grain of salt. A lot more measures have been put into place, but I’m sure others will answer this to put your mind at ease. Also remember, blogs and media like to over-sensationalize to drive those clicks. So even though it did exist, it was found rather quickly and taken care of.

With that, let’s not be alarmist and think this can still happen. I am, however, going to defer to the experts on this.

4 Likes

The most recent publicized case of concern around software in the Snap Store was a couple of months ago:

Although the implementations are very different, it might also be interesting to read about some of the dialogue surrounding security concerns for Flatpak, just for perspective on the whole topic of sandboxed apps:

https://tesk.page/2021/02/11/response-to-flatkill-org.html

1 Like

Been trying to get this Snap package removed for almost 3 years now… "git-repo" package is broken and causing issues - store - snapcraft.io

Though it’s not malware, it is completely broken and causing issues.

I’m curious, what kind of policy would you think is fair for outdated snap packages?

Note that this isn’t a random person publishing a random application. This is the application developer themselves who published the app. Yes, it appears broken, but does that give Canonical the right to remove the application from the store without the app developer’s consent? I’m not taking any sides here, I’m just giving some context for why there isn’t an immediately obvious correct solution to this problem.

So what would you propose? At what point is Canonical allowed to modify/remove a snap without the owner’s consent, and how would such a process go?

4 Likes

If the snap is broken, at the very least the snap should be hidden by default (on snapcraft and the OS app store) but still installable through the terminal.

1 Like

@ernstp, @merlijn-sebrechts, @that_leaflet

Let’s keep this conversation on-topic. This wasn’t about broken or outdated snaps, but about malware in snaps. If you want to talk about outdated snaps, please start a new topic. 🙂

5 Likes

I was trying to give an example showing that issues with problematic snaps were not handled well.

I have directly messaged the publisher of the snap, to ask if they could either make it private or hand it over to someone else to maintain.

I don’t see how this is any different than contacting someone about a broken deb or aur package. A friendly mail / message to the publisher is likely the best way in all circumstances.

2 Likes

It’s broken, it’s useless, and the developer didn’t take care of it. So, the maintainer of the store should have the right to step in when such a case appears. Depending on the application, a broken app can have “malicious” consequences as well, even if not intentionally.

The store can notify the developer of course, given that the dev has valid contact details. That is also enough. The approach does not have to be different from any other app store and it needs to be strict enough to be trusted. Be strict, be clean!

2 Likes

I have had the snap shared with me. I’ll make it unlisted, and then figure out what we do with it next.

So, in my mind, the solution to these kinds of issues is, as always, a matter of communication.

7 Likes