
Snap store from Canonical (Ubuntu) hit with another crypto scam app


Not for the first time, the Snap store from Canonical recently hosted a scam bitcoin app. It claimed to be "Exodus wallet" and caused a user to lose money.

Posting on the Snapcraft forum, an unfortunate user noted their wallet had been emptied after using it. A day later, a Canonical staffer mentioned it had been removed and that they were investigating the incident.

Mark Shuttleworth, CEO of Canonical, has now jumped into the discussion in another forum post to note that while "cryptocurrency is largely a cesspit of ignoble intentions even if the mathematics are interesting", he doesn't think that "banning cryptocurrency apps helps" as "If anything, it would make using Linux much worse."

Shuttleworth also opened an additional forum post to discuss requiring "more comprehensive proof of publisher identity for every publisher" for Snaps. So if you have good ideas for them to implement to make Snap publishing more secure, drop a reply in the linked post.

Hopefully Canonical comes up with a good solution, because repeated issues like this reflect pretty poorly on Snap, Canonical and Ubuntu.

Alan Pope (formerly of Canonical, now Axiom) wrote up two blog posts on it, "Exodus Bitcoin Wallet: $490K Swindle" and the follow-up "Exodus Bitcoin Wallet: Follow up 2.0", that you may want to read for a little more background.

Article taken from GamingOnLinux.com.
Tags: Security, Misc, Ubuntu
About the author -
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly came back to check on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly. Find me on Mastodon.
M@GOid Feb 23
If Google and Apple, with all that power, cannot keep their stores clean all the time, how is that a surprise that a malicious app got into Canonical's app store?
MadWolf Feb 23
I know a way that can fix this problem, but it may be easier said than done

1. mark any snap that has been uploaded by anyone that is not part of the project team or Canonical as unofficial
2. all unofficial apps need to be checked to make sure the snap does not contain malicious code
3. all snaps need to be randomly checked to make sure the snap does not contain malicious code
F.Ultra Feb 23
Quoting: MadWolf
I know a way that can fix this problem, but it may be easier said than done

1. mark any snap that has been uploaded by anyone that is not part of the project team or Canonical as unofficial
2. all unofficial apps need to be checked to make sure the snap does not contain malicious code
3. all snaps need to be randomly checked to make sure the snap does not contain malicious code

Well it is how to perform #2 and #3 that is the question, not that it should be done, but how. AFAIK they are closed source.
Ehvis Feb 23
The one thing that this demonstrates is that some people seem to trust the snap store as a safe place where it should be treated with the same caution as if it was the open internet. Of course that still wouldn't help some people, but I think most Linux users should be able to manage.
LoudTechie Feb 23
They're trying to do something that full blown governments struggle to do.
Trustworthy international financial services.

I only see 3 real solutions to this issue they could try.
1. Find 1+ less scammy open source projects providing crypto wallets and just make theirs the only ones on your store.
2. Build the wallet yourself and make it the only one on your store.
3. Obtain the CD containing the program personally at the producer's house and inspect their ID card.


3 is basically how it is done for every individual intra-European banking customer, which also shows its weakness. This is the level the EU checks consumers, not banks. Snap simply doesn't have the resources to do that for proprietary apps.


Last edited by LoudTechie on 23 February 2024 at 8:41 pm UTC
Quoting: Purple Library Guy
I'm not sure I understand the problem. Was this not the behaviour he was expecting? Is the problem that the crypto app stole his money instead of the exchange doing it?

I'm reading Tracers in the Dark at the moment. I'm up to the part where Mt. Gox lost 500,000 bitcoins (every single Bitcoin they were entrusted with), managed to find 200,000 from an old wallet, and the rest remains lost.

Cryptocurrency exchanges (huge ones) have fallen again and again over the years.

If you're going to hold a lot of cryptocurrency, you want to hold that in a private wallet... ironically, you might be better at protecting it yourself than these exchanges with so many resources.

And I wouldn't trust just any store. Get the wallet software directly from the developer.

This is something AppImage is best suited for, actually...
Boldos Feb 24
Quoting: Hannes
Quoting: Szkodnix
Oh no!

Anyway speaking of Flatpak...

I use mostly snaps and very few flatpaks because Snapcraft is way ahead of Flathub in terms of verified (mainstream-ish) apps. Unverified apps should always have a big fat warning sign.
Yep, this ^^^^!
Eike Feb 24
Quoting: Tuxee
Quoting: ShabbyX
Happy to say I finally switched to Debian last week, no more Canonical nonsense for me thank you very much.

Does Debian have a crypto wallet app in its core repositories? If no (and given that you need such one) - how would you evade a potential scam? The dude entered his 12-word super secret recovery key...

I don't know nothing about using crypto currencies, but I found these apps e.g.:
https://packages.debian.org/bookworm-backports/electrum
https://packages.debian.org/bookworm/monero
https://packages.debian.org/sid/dogecoin
Quoting: Eike
Quoting: Tuxee
Quoting: ShabbyX
Happy to say I finally switched to Debian last week, no more Canonical nonsense for me thank you very much.

Does Debian have a crypto wallet app in its core repositories? If no (and given that you need such one) - how would you evade a potential scam? The dude entered his 12-word super secret recovery key...

I don't know nothing about using crypto currencies, but I found these apps e.g.:
https://packages.debian.org/bookworm-backports/electrum
https://packages.debian.org/bookworm/monero
https://packages.debian.org/sid/dogecoin
Ah yes, Dogecoin. The most sensible of the crypto IMO. After all, it's perfectly reasonable for the ruler of Venice to be issuing coinage.

On second thought, I should probably explain the obscure joke: Renaissance Venice was ruled by a sort of elected duke, called the doge. Useless facts for your entertainment and edification!


Last edited by Purple Library Guy on 24 February 2024 at 6:26 pm UTC
Milanium Feb 25
I published to the snap store. It is largely unmoderated. They have 100 something automated tests that check for formalities and if one of those fails, they tell you to fix it because they don't want to manually review your app and they also don't do it in a timely manner.