Every article tag can be clicked to get a list of all articles in that category. Every article tag also has an RSS feed! You can customize an RSS feed too!
We do often include affiliate links to earn us some pennies. See more here.

No this isn't a joke, sadly. Canonical once again have an issue with scam apps appearing on the Snap Store, which is becoming a repeating problem. I wrote about this before in February, and again previously in October 2023 and here we go again.

After the last issue, Canonical seemed to be slowly moving on the subject, with discussions being opened on their Discourse forum to chat about implementing more checks. So they uh, might want to speed up actually checking on app publishers.

Alan Pope has a great blog post about the issue, talking about how another ten scam crypto wallet apps appeared from "digisafe00000". They were all removed, but uh, guess what? They're back again under a different publisher name this time it's "codeshield0x0000".

A weirdly named publisher putting up 10 crypto wallet apps? You know, if there was proper human review here, someone might have actually thought "hey this is a bit odd, maybe I should do a little digging first?".

Since they're on the Snap Store, they will also show up in the Ubuntu Software app, which is quite a problem.

Pope dives into one of the apps in the blog post, noting the create an account function (obviously) doesn't work, since they just want you to "log in" with your current wallet details so they can poach it. As Pope says "It’s trivially easy to publish scammy applications like this in the Canonical Snap Store, and for them to go unnoticed." and it seems it really is. So right now if you want to scam users on Ubuntu — just publish a Snap of something!

Really not a good look for Canonical and Ubuntu. They need to get moving on this repeating problem.

Article taken from GamingOnLinux.com.
30 Likes
About the author -
author picture
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly came back to check on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly.
See more from me
20 comments
Page: «2/2
  Go to:

Quoting: eldaking1) They really should be manually reviewing at least new dev accounts. Checking not only every new app but every update to new app (easy enough to put something harmless and then push the malicious part as an update) is a lot of work, but if any rando can create an account and start publishing apps? That is bad
2) So much work put into containerization/sandboxing, and you just let anyone distribute apps that ask for people's logins. I mean, it is good that apps can't go steal your browser cookies or replace your bootloader, don't get me wrong. But looks like there was some easier, low-tech work (having people check apps for obvious red flags) that needed to be done anyway, and it was not.
Completely agree. This is not something you're going to pick up easily except via manual review.

Quoting: eldaking3) They should ban absolutely all cryptocurrency apps regardless. First they are exceptionally high-risk, but also fuck ponzicoins.
Mark Shuttleworth already voted not to do that: https://www.gamingonlinux.com/2024/02/snap-store-from-canonical-ubuntu-hit-with-another-crypto-scam-app/

Also, Alan Pope's article mentions that someone lost 490k to one of these crypto scam apps.

Quoting: eldaking4) The snap store is a (partial) move from a repository that Canonical actually maintains themselves (maybe badly, but they put the software there and could make all choices) to a store where they are just a middleman, and that lets devs keep control. It is obvious that for them it is less work and more profitable, and that it is attractive for proprietary apps... but this showcases exactly the kind of problem of this approach: you are getting blackbox software from a bunch of randos, not free software from a trusted distro.
This is probably an unpopular opinion, but I want proprietary software on Linux. If the Snap Store is the only way I can download Adobe After Effects, I'm completely willing to do that. The Snap Store and Flathub makes it easier for Adobe to target Linux should they ever change their mind about whether to support it in the next 15 years.

iOS doesn't have this problem on nearly the same scale despite how much more popular their app store is than the Snap Store. Yes, malicious apps have found their way onto the App Store over the past 15+ years, but only a small number of them and not regularly. Almost every app on iOS is proprietary. Yes, they have a lot more manpower to review the apps, but it shows it's possible to safely vet proprietary software.

Preventing this malware from getting on the Snap Store doesn't require analyzing the code. It requires a reviewer to realize this company is impersonating popular finance-related software they did not develop. What's that saying? "When you're wearing rose-tinted glasses, all the red flags just look like flags."


Last edited by pleasereadthemanual on 19 March 2024 at 1:22 pm UTC
kerossin Mar 19
Quoting: Boldos
Quoting: kerossinOk, so what's the point of the Snap Store?

I thought the whole point of having a closed and official Canonical-controlled store was trust - you will be getting only legit apps approved by Canonical and not some wild west of community sources.

But since Canonical does no checks it's pointless.

Random user: Hey, this is PayPalV2.
Canonical: Welcome aboard! Don't reply, this was an automated message
Well, the original point of having a Snap store was to have containerized desktop apps on Linux desktop.

Anyway, is this happening on Flathub too, or snap is just more discussed with this issue?

I think you're conflating Snaps themselves and the Snap Store.

I'm not talking about the actual packaging of apps, I'm talking about the place where you get them.

Canonical chose to keep the store itself proprietary and not have the stores configurable in their implementation of snapd.
Linux_Rocks Mar 19
nenoro Mar 19
is jaxxliberty a NSFW app with lot of scams from africa and singapore ?
Brokatt Mar 19
View PC info
  • Supporter
Quoting: NathanaelKStottlemyer
Quoting: BrokattPopeye is such a great guy. Even though he's left Canonical behind, he's still involved with Ubuntu and Snaps.

Popeye?

Sorry I meant popey ofc :) Alan "popey" Pope used to host the Ubuntu Podcast among a lot of things. A pretty prominent figure in the Ubuntu community and just a lovely nerd.


Last edited by Brokatt on 19 March 2024 at 3:43 pm UTC
WYW Mar 19
They should require that the official project website links to the snap store package to verify that it's from them. Then they can at least do a basic automated verification process.

For hobby repackagers, like the people who wrap old games, just have a big fat "Unverified Publisher, Confined but Potentially Unsafe, Guard your Personal Information" badge.
wvstolzing Mar 19
I have a profoundly insightful contribution to make to the discussion:

I think something like 'Who’s at the door? ... Canonicals snap store' would rhyme better.
eldaking Mar 20
Quoting: pleasereadthemanualThis is probably an unpopular opinion, but I want proprietary software on Linux. If the Snap Store is the only way I can download Adobe After Effects, I'm completely willing to do that. The Snap Store and Flathub makes it easier for Adobe to target Linux should they ever change their mind about whether to support it in the next 15 years.

iOS doesn't have this problem on nearly the same scale despite how much more popular their app store is than the Snap Store. Yes, malicious apps have found their way onto the App Store over the past 15+ years, but only a small number of them and not regularly. Almost every app on iOS is proprietary. Yes, they have a lot more manpower to review the apps, but it shows it's possible to safely vet proprietary software.

Preventing this malware from getting on the Snap Store doesn't require analyzing the code. It requires a reviewer to realize this company is impersonating popular finance-related software they did not develop. What's that saying? "When you're wearing rose-tinted glasses, all the red flags just look like flags."

Nah I agree and I think most people would - most games are proprietary, and we aren't just giving up those, plus a lot of other apps including some we might need for work (so not even a choice).

I'm just saying that the model preferred by proprietary apps - a store that sells pre-packaged, ready-to-run software - has this drawback, moving trust from "the people that make your OS" into "a million devs that it is hard to hold accountable". It isn't even about having access to source code to audit it, just about the hands-off approach, about the implicit expectations of developers in each case, etc.
Quoting: eldaking
Quoting: pleasereadthemanualThis is probably an unpopular opinion, but I want proprietary software on Linux. If the Snap Store is the only way I can download Adobe After Effects, I'm completely willing to do that. The Snap Store and Flathub makes it easier for Adobe to target Linux should they ever change their mind about whether to support it in the next 15 years.

iOS doesn't have this problem on nearly the same scale despite how much more popular their app store is than the Snap Store. Yes, malicious apps have found their way onto the App Store over the past 15+ years, but only a small number of them and not regularly. Almost every app on iOS is proprietary. Yes, they have a lot more manpower to review the apps, but it shows it's possible to safely vet proprietary software.

Preventing this malware from getting on the Snap Store doesn't require analyzing the code. It requires a reviewer to realize this company is impersonating popular finance-related software they did not develop. What's that saying? "When you're wearing rose-tinted glasses, all the red flags just look like flags."

Nah I agree and I think most people would - most games are proprietary, and we aren't just giving up those, plus a lot of other apps including some we might need for work (so not even a choice).

I'm just saying that the model preferred by proprietary apps - a store that sells pre-packaged, ready-to-run software - has this drawback, moving trust from "the people that make your OS" into "a million devs that it is hard to hold accountable". It isn't even about having access to source code to audit it, just about the hands-off approach, about the implicit expectations of developers in each case, etc.
You're right. The "pull" model distros use is necessarily more secure than the "push" model stores like Snap and Google Play use. Unfortunately, I also think it's the right model. It's not perfect, but you can definitely do a much better job than Canonical at policing your store. Even Debian can't package all the software you want or need. It's the main reason I run Arch Linux—it's very easy to get software I want up and running through an AUR PKGBUILD someone has written.

Even Flatpak/Snap isn't for everybody; Blackmagic Design thinks their DaVinci Resolve software is too complex to be packaged that way. I can't imagine what Adobe would think if they entertained the idea.

Installing the software you want on Linux should not be this hard. I think the Snap and Flathub idea is the right way to go. Flathub seems to have a lot more moderation, and they're tightening up moderation even though they have had no malware reports thus far.

I realize now that Flathub has actually hit 1.7 billion downloads, not million. It might be more popular than the Snap Store now. It still has fewer apps, though.


Last edited by pleasereadthemanual on 20 March 2024 at 4:39 am UTC
hardpenguin Mar 21
Knock knock. Who's there? Snap. Snap who? Oh snap I got scammed again.
While you're here, please consider supporting GamingOnLinux on:

Reward Tiers: Patreon. Plain Donations: PayPal.

This ensures all of our main content remains totally free for everyone! Patreon supporters can also remove all adverts and sponsors! Supporting us helps bring good, fresh content. Without your continued support, we simply could not continue!

You can find even more ways to support us on this dedicated page any time. If you already are, thank you!
Login / Register


Or login with...
Sign in with Steam Sign in with Google
Social logins require cookies to stay logged in.