Beware of false, harmful software claiming to be balenaEtcher

It has come to our attention that there is malware pretending to be balenaEtcher. Learn where the correct sources of our product are and what to do if you see similar malware.

It has come to our attention that there is a false and harmful version of our software, balenaEtcher, being promoted online. This post is an examination of the discovery, and a reminder to only download balenaEtcher from our official sources: the balena.io website or our GitHub repository.

What happened?

We recently discovered that there is a quite convincing copy of the balenaEtcher website at the confusingly named balena-etcher-io.com (we are not linking to this website, to discourage cross-links and visits to it). This false source of balenaEtcher has been spread across the internet through Google Search Ads and has even shown up in Discord communities.

On the surface, it looks like an official source or website. However, this unofficial website includes a hacked version of balenaEtcher that contains malware, and unsuspecting users were downloading and installing it onto their computers. Given that domain and website, we can see how it would be confusing for users who simply wanted a way to flash their USB stick or SD card.

What actions does balena take when this happens?

When we receive reports of these clones, unofficial sources, or otherwise confusing sites spreading malware, we immediately reach out to the domain and hosting companies asking for the sites to be taken down. Sometimes this works, as most providers have a process in place to deal with these requests. If this doesn’t work, we escalate into legal action, referring to our lawyers in order to process legal requests to enforce the takedown.

Balena owns the Etcher trademark and we take end user security and usability of our product seriously. We are currently undertaking actions to remove this malware and stop the misuse of our intellectual property.

NOTE: balenaEtcher lives on balena.io/etcher

If you click the download link on the http://balena.io/etcher website, or go to https://github.com/balena-io/etcher and click the latest release there, you get the official “balena built” version of balenaEtcher. Either of those sources will provide you with the same files, built from official sources and ready for installation on your machine.

This is our official balenaEtcher site under the balena.io domain

For Linux users, we also produce a native .deb or .rpm installation option, and pulling in that version via your package manager will result in grabbing the install package from Cloudsmith, as is mentioned in the readme (thanks Cloudsmith!).

Other open source versions of balenaEtcher

Recently, we saw a need for versions of balenaEtcher that cover a greater variety of target architectures and operating systems that we cannot produce. The open source community has stepped up and taken on this task, and some of our community members are now contributing builds of balenaEtcher in these variants. For community members willing to produce these artifacts, we are listing them in a GitHub Issue located here.

What to do if you think you have found a fake version of balenaEtcher

If you happen to come across a site that is seemingly trying to replicate the official balenaEtcher website, or could be perceived as confusing for users, get in touch with us! Simply send us a note to [email protected], and we can take it from there.

We recognize that there are some legitimate websites that aggregate common utilities and offer links to proper and official downloads. However, if a website is trying to pose as a single, standalone balenaEtcher download site that isn’t the balena domain or our GitHub repo, it’s probably not a legitimate source and we’d like to know about it.
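A check of a download link against the two official sources named in this post, showing why a lookalike such as balena-etcher-io.com does not match balena.io. This is an added example, not code from balena or the Etcher project. The function name, the "balena"/"etcher" lookalike heuristic and the sample links are assumptions made for illustration, and the Cloudsmith package route is out of scope here.

```python
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "balena.io"          # official site, including subdomains
OFFICIAL_REPO_HOST = "github.com"
OFFICIAL_REPO_PATH = "/balena-io/etcher"


def classify_download_url(url: str) -> str:
    """Return 'official' or 'unofficial: <reason>' for a balenaEtcher link."""
    # Browsers read "\" as "/", Python does not; refuse rather than guess.
    if "\\" in url:
        return "unofficial: backslash in URL"
    try:
        parts = urlsplit(url.strip())
        # .hostname drops userinfo ("balena.io@host") and port, and lowercases.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "unofficial: malformed URL"
    if parts.scheme not in ("http", "https") or not host:
        return "unofficial: not a web URL"
    # Exact match or true subdomain only; the leading dot is the label boundary.
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    if host == OFFICIAL_REPO_HOST:
        path = parts.path.lower()
        in_repo = path == OFFICIAL_REPO_PATH or path.startswith(OFFICIAL_REPO_PATH + "/")
        if in_repo and ".." not in path:
            return "official"
        return "unofficial: github.com, but not the balena-io/etcher repository"
    # Heuristic (assumption): a foreign host that borrows the product name.
    if "balena" in host or "etcher" in host:
        return "unofficial: lookalike hostname " + host
    return "unofficial: " + host + " is not a listed source"


if __name__ == "__main__":
    # Constructed sample links, built from the hostnames mentioned in this post.
    for link in (
        "http://balena.io/etcher",
        "https://etcher.balena.io/",
        "https://github.com/balena-io/etcher/releases",
        "https://balena-etcher-io.com/",
        "https://balena.io@balena-etcher-io.com/download",
        "https://balena.io.balena-etcher-io.com/",
        "https://github.com/balena-io/etcher-builds",
    ):
        print(f"{classify_download_url(link):60} {link}")
```

The check applies to the link before it is followed; it says nothing about where later redirects lead or about the integrity of the downloaded file.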

As always, if you have any thoughts, ideas, or suggestions, just let us know in the comments, on social media, or send us an email! And remember, only download balenaEtcher from official sources!



Notable Replies

  1. Currently, the address given in this article redirects to a subdomain “https://etcher.balena.io/”. Given the nature of the content of this article I suggest making the correction for the sake of accuracy and to inspire greater confidence.

  2. mpous says:

    Thank you @snyderpa we have informed our lawyers about it.
