No this isn't a joke, sadly. Canonical once again have an issue with scam apps appearing on the Snap Store, which is becoming a repeating problem. I wrote about this before in February, and again previously in October 2023 and here we go again.
After the last issue, Canonical seemed to be slowly moving on the subject, with discussions being opened on their Discourse forum to chat about implementing more checks. So they uh, might want to speed up actually checking on app publishers.
Alan Pope has a great blog post about the issue, talking about how another ten scam crypto wallet apps appeared from "digisafe00000". They were all removed, but uh, guess what? They're back again under a different publisher name; this time it's "codeshield0x0000".
A weirdly named publisher putting up 10 crypto wallet apps? You know, if there was proper human review here, someone might have actually thought "hey this is a bit odd, maybe I should do a little digging first?".
Since they're on the Snap Store, they will also show up in the Ubuntu Software app, which is quite a problem.
Pope dives into one of the apps in the blog post, noting the "create an account" function (obviously) doesn't work, since they just want you to "log in" with your current wallet details so they can poach it. As Pope says, "It’s trivially easy to publish scammy applications like this in the Canonical Snap Store, and for them to go unnoticed." and it seems it really is. So right now if you want to scam users on Ubuntu — just publish a Snap of something!
Really not a good look for Canonical and Ubuntu. They need to get moving on this repeating problem.
I thought the whole point of having a closed and official Canonical-controlled store was trust - you will be getting only legit apps approved by Canonical and not some wild west of community sources.
But since Canonical does no checks it's pointless.
Random user: Hey, this is PayPalV2.
Canonical: Welcome aboard! Don't reply, this was an automated message
Last edited by Brokatt on 19 March 2024 at 3:42 pm UTC
Quoting: kerossin
Ok, so what's the point of the Snap Store?

Well, the original point of having a Snap store was to have containerized desktop apps on Linux desktop.
Anyway, is this happening on Flathub too, or snap is just more discussed with this issue?
Into the future running an active firewall application (such as Safing Portmaster) might be an essential protective measure.
Check out Jack Rhysider's podcast talking to a real crypto scammer (and the various tricks that were implemented):
https://odysee.com/@jackrhysider:4/the-cops-had-no-idea-he-just-stole-1:a
What are they doing differently? Does Flathub detect malware early, and if so, where can I find statistics about this? Is the Snap Store that much more popular? Maybe so; they had over 2,000 snaps in 2019.
Snap deemed these apps "Safe" because they did not have any permissions, but that was provably false. Flathub also categorizes apps with no permissions and auditable code as "Safe": https://flathub.org/apps/io.github.kovzol.bibref
It should say "Probably Safe" at best. It's misleading. "Auditable source code" does not mean the source code has been audited. If it has been audited, it should say, "Audited source code".
Edit: I realized Flathub's statistics say 1.7 billion, not million.
Last edited by pleasereadthemanual on 20 March 2024 at 3:18 am UTC
1) They really should be manually reviewing at least new dev accounts. Checking not only every new app but every update to new app (easy enough to put something harmless and then push the malicious part as an update) is a lot of work, but if any rando can create an account and start publishing apps? That is bad
2) So much work put into containerization/sandboxing, and you just let anyone distribute apps that ask for people's logins. I mean, it is good that apps can't go steal your browser cookies or replace your bootloader, don't get me wrong. But looks like there was some easier, low-tech work (having people check apps for obvious red flags) that needed to be done anyway, and it was not.
3) They should ban absolutely all cryptocurrency apps regardless. First they are exceptionally high-risk, but also fuck ponzicoins.
4) The snap store is a (partial) move from a repository that Canonical actually maintains themselves (maybe badly, but they put the software there and could make all choices) to a store where they are just a middleman, and that lets devs keep control. It is obvious that for them it is less work and more profitable, and that it is attractive for proprietary apps... but this showcases exactly the kind of problem of this approach: you are getting blackbox software from a bunch of randos, not free software from a trusted distro.
Quoting: eldaking
1) They really should be manually reviewing at least new dev accounts. Checking not only every new app but every update to new app (easy enough to put something harmless and then push the malicious part as an update) is a lot of work, but if any rando can create an account and start publishing apps? That is bad

Completely agree. This is not something you're going to pick up easily except via manual review.
2) So much work put into containerization/sandboxing, and you just let anyone distribute apps that ask for people's logins. I mean, it is good that apps can't go steal your browser cookies or replace your bootloader, don't get me wrong. But looks like there was some easier, low-tech work (having people check apps for obvious red flags) that needed to be done anyway, and it was not.
Quoting: eldaking
3) They should ban absolutely all cryptocurrency apps regardless. First they are exceptionally high-risk, but also fuck ponzicoins.

Mark Shuttleworth already voted not to do that: https://www.gamingonlinux.com/2024/02/snap-store-from-canonical-ubuntu-hit-with-another-crypto-scam-app/
Also, Alan Pope's article mentions that someone lost 490k to one of these crypto scam apps.
Quoting: eldaking
4) The snap store is a (partial) move from a repository that Canonical actually maintains themselves (maybe badly, but they put the software there and could make all choices) to a store where they are just a middleman, and that lets devs keep control. It is obvious that for them it is less work and more profitable, and that it is attractive for proprietary apps... but this showcases exactly the kind of problem of this approach: you are getting blackbox software from a bunch of randos, not free software from a trusted distro.

This is probably an unpopular opinion, but I want proprietary software on Linux. If the Snap Store is the only way I can download Adobe After Effects, I'm completely willing to do that. The Snap Store and Flathub make it easier for Adobe to target Linux should they ever change their mind about whether to support it in the next 15 years.
iOS doesn't have this problem on nearly the same scale despite how much more popular their app store is than the Snap Store. Yes, malicious apps have found their way onto the App Store over the past 15+ years, but only a small number of them and not regularly. Almost every app on iOS is proprietary. Yes, they have a lot more manpower to review the apps, but it shows it's possible to safely vet proprietary software.
Preventing this malware from getting on the Snap Store doesn't require analyzing the code. It requires a reviewer to realize this company is impersonating popular finance-related software they did not develop. What's that saying? "When you're wearing rose-tinted glasses, all the red flags just look like flags."
Last edited by pleasereadthemanual on 19 March 2024 at 1:22 pm UTC