Chrysalis Backdoor and TOFU

0xC0DED0D0

This is highly relevant to GrapheneOS and third party application use, but I've chosen the "Off Topic" tag as it really relates to a broader discussion on threat models and application updates — regardless of OS.

Quick background: the native update system for Notepad++ (Windows) was recently compromised by what appears to be state-affiliated (CN/CCP) threat actors.

By utilizing vulnerabilities at the hosting provider, malware was placed on targeted users' machines.

https://notepad-plus-plus.org/news/hijacked-incident-info-update/

Full details, along with IoCs, here: https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/

Quite an extraordinary attack, and there's legitimate debate as to how much blame can be deflected to the hosting provider and how much responsibility the Notepad++ developers bear themselves here.

But the overarching question should really be about the TOFU (Trust On First Use) model itself. Here, users can bear no responsibility as they've done everything right.

Nothing would seem to indicate reasons to worry about the installation, use, and subsequent updates of Notepad++, at reasonable levels of user/admin scrutiny and due diligence. The problem only arrives much later, within ongoing usage of the software.

What should it mean for native application update mechanisms in general? Might the incident highlight and accelerate the need for trusted update stores (Accrescent, Zappstore, etc), along with their development?

How might developers assert their trustworthiness post-Notepad++ incident?

And how should security conscious users act in relation to the TOFU model in their favourite software from now on?

Discussions on Notepad++'s pros and cons, their (in)famous political stances, and other specifics regarding the relevant software itself might be too off-topic for this Off Topic...

Watermelon

0xC0DED0D0 How Android/GrapheneOS protects against this kind of attack:

Sandboxing: first of all, this attack isn't so scary when you realize that the compromised app is sandboxed and follows only the minimal permissions you grant it. Even if one app from one developer is so incompetently written or contains outright malicious code from the start, this isn't as scary.
Certificate pinning: as was said, APK updates have to be signed by the same certificate as the installed APK in order to be accepted by the OS, even if the install unknown apps permission is granted. This is enforced by the OS on all apps. In this case, it seems like the Notepad++ updater was written without verifying the developer's signature on the downloaded file, instead trusting the server to not be compromised on every update check. Google Play harms this security feature by requiring apps to disclose their private signing key (the private counterpart to the public certificate included in the APK) to Google, which makes any compromise of Google Play's signing servers, any rogue Google employee with the right access, and any government who legally coerces Google to comply, to be able to deliver a properly signed rogue update without consent from the app developer.
App store review: if you installed the app through an app store, the app store's moderators check the app and any newly requested permissions, and there's a user reviews section that you can check to see what they say about the newer versions. This is optional on Android, because you can freely choose if you want to get an app from an app store (and which app store) or from any other source (like a website). Certificate pinning is always enabled, regardless of source.
GrapheneOS only: you can block dynamic code loading for the app. If the app tries to download a file, and the file is malicious and is tried to be run, this will be blocked depending on whether you enabled GrapheneOS's dynamic code loading restrictions on the app. Regardless, any such file would still run within the app's sandbox rather than having full access to your device. APK files are not executable files, so downloading and trying to install them is still permitted, but subject to the certificate pinning check by the OS.

NoahRaketic

The issue is, this is not TOFU, this is trust on every use. The compromised packages were served through in-app updates.

If you're on Android in the first place, this attack is mitigated due to certificate pinning. I would say in general, though, apps should not be responsible for updating themselves, since as this case shows, not everyone will be able to implement that competently.

It says more about the desktop security model in general than anything. Such an attack on Android doesn't work due to sandboxing and improved update security mechanisms.