
No, this isn't a joke, sadly. Canonical once again have an issue with scam apps appearing on the Snap Store, which is becoming a repeating problem. I wrote about this before in February, and previously in October 2023, and here we go again.

After the last issue, Canonical seemed to be slowly moving on the subject, with discussions being opened on their Discourse forum to chat about implementing more checks. So they, uh, might want to speed up actually checking on app publishers.

Alan Pope has a great blog post about the issue, talking about how another ten scam crypto wallet apps appeared from "digisafe00000". They were all removed, but uh, guess what? They're back again under a different publisher name; this time it's "codeshield0x0000".

A weirdly named publisher putting up 10 crypto wallet apps? You know, if there was proper human review here, someone might have actually thought "hey this is a bit odd, maybe I should do a little digging first?".

Since they're on the Snap Store, they will also show up in the Ubuntu Software app, which is quite a problem.

Pope dives into one of the apps in the blog post, noting that the "create an account" function (obviously) doesn't work, since they just want you to "log in" with your current wallet details so they can poach them. As Pope says, "It’s trivially easy to publish scammy applications like this in the Canonical Snap Store, and for them to go unnoticed", and it seems it really is. So right now, if you want to scam users on Ubuntu — just publish a Snap of something!

Really not a good look for Canonical and Ubuntu. They need to get moving on this repeating problem.

Article taken from GamingOnLinux.com.
About the author -
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly checked on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly. You can also follow my personal adventures on Bluesky.
19 comments

kerossin Mar 19
Ok, so what's the point of the Snap Store?

I thought the whole point of having a closed and official Canonical-controlled store was trust - you will be getting only legit apps approved by Canonical and not some wild west of community sources.

But since Canonical does no checks it's pointless.

Random user: Hey, this is PayPalV2.
Canonical: Welcome aboard! Don't reply, this was an automated message
Brokatt Mar 19
Popeye Popey is such a great guy. Even though he's left Canonical behind, he's still involved with Ubuntu and Snaps.


Last edited by Brokatt on 19 March 2024 at 3:42 pm UTC
Boldos Mar 19
Ok, so what's the point of the Snap Store?

I thought the whole point of having a closed and official Canonical-controlled store was trust - you will be getting only legit apps approved by Canonical and not some wild west of community sources.

But since Canonical does no checks it's pointless.

Random user: Hey, this is PayPalV2.
Canonical: Welcome aboard! Don't reply, this was an automated message
Well, the original point of having a Snap store was to have containerized desktop apps on Linux desktop.

Anyway, is this happening on Flathub too, or is snap just more discussed with this issue?
g000h Mar 19
Yes, it is pretty serious to consider that the whole software landscape is in danger of threats like this. I imagine this attack vector is partly a result of Linux's growing desktop market share, where there are more inexperienced users nowadays, who are easier to trick with malware exploits.

In the future, running an active firewall application (such as Safing Portmaster) might be an essential protective measure.

Check out Jack Rhysider's podcast talking to a real crypto scammer (and the various tricks that were implemented):
https://odysee.com/@jackrhysider:4/the-cops-had-no-idea-he-just-stole-1:a
robvv Mar 19
Blimey. I think I'll just stick with my distro's repositories which are at least curated!
How is it that despite Flathub hosting over 2,500 packages and being responsible for over 1.7 billion downloads over the past 6 years, I have not seen a single reported case of malware, but the Snap Store has had three incidents in the past 5 months?

What are they doing differently? Does Flathub detect malware early, and if so, where can I find statistics about this? Is the Snap Store that much more popular? Maybe so; they had over 2,000 snaps in 2019.

Snap deemed these apps "Safe" because they did not have any permissions, but that was provably false. Flathub also categorizes apps with no permissions and auditable code as "Safe": https://flathub.org/apps/io.github.kovzol.bibref

It should say "Probably Safe" at best. It's misleading. "Auditable source code" does not mean the source code has been audited. If it has been audited, it should say, "Audited source code".

Edit: I realized Flathub's statistics say 1.7 billion, not million.


Last edited by pleasereadthemanual on 20 March 2024 at 3:18 am UTC
LINUX-SAUNA Mar 19
Would be good to sort these issues out before next month's Ubuntu 24.04 LTS
eldaking Mar 19
I have a bunch of loose thoughts about this.

1) They really should be manually reviewing at least new dev accounts. Checking not only every new app but every update to new app (easy enough to put something harmless and then push the malicious part as an update) is a lot of work, but if any rando can create an account and start publishing apps? That is bad
2) So much work put into containerization/sandboxing, and you just let anyone distribute apps that ask for people's logins. I mean, it is good that apps can't go steal your browser cookies or replace your bootloader, don't get me wrong. But looks like there was some easier, low-tech work (having people check apps for obvious red flags) that needed to be done anyway, and it was not.
3) They should ban absolutely all cryptocurrency apps regardless. First they are exceptionally high-risk, but also fuck ponzicoins.
4) The snap store is a (partial) move from a repository that Canonical actually maintains themselves (maybe badly, but they put the software there and could make all choices) to a store where they are just a middleman, and that lets devs keep control. It is obvious that for them it is less work and more profitable, and that it is attractive for proprietary apps... but this showcases exactly the kind of problem of this approach: you are getting blackbox software from a bunch of randos, not free software from a trusted distro.
1) They really should be manually reviewing at least new dev accounts. Checking not only every new app but every update to new app (easy enough to put something harmless and then push the malicious part as an update) is a lot of work, but if any rando can create an account and start publishing apps? That is bad
2) So much work put into containerization/sandboxing, and you just let anyone distribute apps that ask for people's logins. I mean, it is good that apps can't go steal your browser cookies or replace your bootloader, don't get me wrong. But looks like there was some easier, low-tech work (having people check apps for obvious red flags) that needed to be done anyway, and it was not.
Completely agree. This is not something you're going to pick up easily except via manual review.

3) They should ban absolutely all cryptocurrency apps regardless. First they are exceptionally high-risk, but also fuck ponzicoins.
Mark Shuttleworth already voted not to do that: https://www.gamingonlinux.com/2024/02/snap-store-from-canonical-ubuntu-hit-with-another-crypto-scam-app/

Also, Alan Pope's article mentions that someone lost 490k to one of these crypto scam apps.

4) The snap store is a (partial) move from a repository that Canonical actually maintains themselves (maybe badly, but they put the software there and could make all choices) to a store where they are just a middleman, and that lets devs keep control. It is obvious that for them it is less work and more profitable, and that it is attractive for proprietary apps... but this showcases exactly the kind of problem of this approach: you are getting blackbox software from a bunch of randos, not free software from a trusted distro.
This is probably an unpopular opinion, but I want proprietary software on Linux. If the Snap Store is the only way I can download Adobe After Effects, I'm completely willing to do that. The Snap Store and Flathub make it easier for Adobe to target Linux should they ever change their mind about whether to support it in the next 15 years.

iOS doesn't have this problem on nearly the same scale despite how much more popular their app store is than the Snap Store. Yes, malicious apps have found their way onto the App Store over the past 15+ years, but only a small number of them and not regularly. Almost every app on iOS is proprietary. Yes, they have a lot more manpower to review the apps, but it shows it's possible to safely vet proprietary software.

Preventing this malware from getting on the Snap Store doesn't require analyzing the code. It requires a reviewer to realize this company is impersonating popular finance-related software they did not develop. What's that saying? "When you're wearing rose-tinted glasses, all the red flags just look like flags."


Last edited by pleasereadthemanual on 19 March 2024 at 1:22 pm UTC
kerossin Mar 19
Ok, so what's the point of the Snap Store?

I thought the whole point of having a closed and official Canonical-controlled store was trust - you will be getting only legit apps approved by Canonical and not some wild west of community sources.

But since Canonical does no checks it's pointless.

Random user: Hey, this is PayPalV2.
Canonical: Welcome aboard! Don't reply, this was an automated message
Well, the original point of having a Snap store was to have containerized desktop apps on Linux desktop.

Anyway, is this happening on Flathub too, or is snap just more discussed with this issue?

I think you're conflating Snaps themselves and the Snap Store.

I'm not talking about the actual packaging of apps, I'm talking about the place where you get them.

Canonical chose to keep the store itself proprietary and not have the stores configurable in their implementation of snapd.
nenoro Mar 19
Is jaxxliberty an NSFW app with lots of scams from Africa and Singapore?
Brokatt Mar 19
Popeye is such a great guy. Even though he's left Canonical behind, he's still involved with Ubuntu and Snaps.

Popeye?

Sorry I meant popey ofc :) Alan "popey" Pope used to host the Ubuntu Podcast among a lot of things. A pretty prominent figure in the Ubuntu community and just a lovely nerd.


Last edited by Brokatt on 19 March 2024 at 3:43 pm UTC
WYW Mar 19
They should require that the official project website links to the snap store package to verify that it's from them. Then they can at least do a basic automated verification process.

For hobby repackagers, like the people who wrap old games, just have a big fat "Unverified Publisher, Confined but Potentially Unsafe, Guard your Personal Information" badge.
I have a profoundly insightful contribution to make to the discussion:

I think something like 'Who’s at the door? ... Canonical's snap store' would rhyme better.
eldaking Mar 20
This is probably an unpopular opinion, but I want proprietary software on Linux. If the Snap Store is the only way I can download Adobe After Effects, I'm completely willing to do that. The Snap Store and Flathub make it easier for Adobe to target Linux should they ever change their mind about whether to support it in the next 15 years.

iOS doesn't have this problem on nearly the same scale despite how much more popular their app store is than the Snap Store. Yes, malicious apps have found their way onto the App Store over the past 15+ years, but only a small number of them and not regularly. Almost every app on iOS is proprietary. Yes, they have a lot more manpower to review the apps, but it shows it's possible to safely vet proprietary software.

Preventing this malware from getting on the Snap Store doesn't require analyzing the code. It requires a reviewer to realize this company is impersonating popular finance-related software they did not develop. What's that saying? "When you're wearing rose-tinted glasses, all the red flags just look like flags."

Nah I agree and I think most people would - most games are proprietary, and we aren't just giving up those, plus a lot of other apps including some we might need for work (so not even a choice).

I'm just saying that the model preferred by proprietary apps - a store that sells pre-packaged, ready-to-run software - has this drawback, moving trust from "the people that make your OS" into "a million devs that it is hard to hold accountable". It isn't even about having access to source code to audit it, just about the hands-off approach, about the implicit expectations of developers in each case, etc.
This is probably an unpopular opinion, but I want proprietary software on Linux. If the Snap Store is the only way I can download Adobe After Effects, I'm completely willing to do that. The Snap Store and Flathub make it easier for Adobe to target Linux should they ever change their mind about whether to support it in the next 15 years.

iOS doesn't have this problem on nearly the same scale despite how much more popular their app store is than the Snap Store. Yes, malicious apps have found their way onto the App Store over the past 15+ years, but only a small number of them and not regularly. Almost every app on iOS is proprietary. Yes, they have a lot more manpower to review the apps, but it shows it's possible to safely vet proprietary software.

Preventing this malware from getting on the Snap Store doesn't require analyzing the code. It requires a reviewer to realize this company is impersonating popular finance-related software they did not develop. What's that saying? "When you're wearing rose-tinted glasses, all the red flags just look like flags."

Nah I agree and I think most people would - most games are proprietary, and we aren't just giving up those, plus a lot of other apps including some we might need for work (so not even a choice).

I'm just saying that the model preferred by proprietary apps - a store that sells pre-packaged, ready-to-run software - has this drawback, moving trust from "the people that make your OS" into "a million devs that it is hard to hold accountable". It isn't even about having access to source code to audit it, just about the hands-off approach, about the implicit expectations of developers in each case, etc.
You're right. The "pull" model distros use is necessarily more secure than the "push" model stores like Snap and Google Play use. Unfortunately, I also think it's the right model. It's not perfect, but you can definitely do a much better job than Canonical at policing your store. Even Debian can't package all the software you want or need. It's the main reason I run Arch Linux—it's very easy to get software I want up and running through an AUR PKGBUILD someone has written.

Even Flatpak/Snap isn't for everybody; Blackmagic Design thinks their DaVinci Resolve software is too complex to be packaged that way. I can't imagine what Adobe would think if they entertained the idea.

Installing the software you want on Linux should not be this hard. I think the Snap and Flathub idea is the right way to go. Flathub seems to have a lot more moderation, and they're tightening up moderation even though they have had no malware reports thus far.

I realize now that Flathub has actually hit 1.7 billion downloads, not million. It might be more popular than the Snap Store now. It still has fewer apps, though.


Last edited by pleasereadthemanual on 20 March 2024 at 4:39 am UTC
hardpenguin Mar 21
Knock knock. Who's there? Snap. Snap who? Oh snap I got scammed again.