Malicious Crypto Wallet Apps Discovered in Snap Store

Ten malicious applications disguised as official clients for popular cryptocurrency wallets have been discovered in the Snap Store, the app catalog maintained by Canonical and promoted for use in Ubuntu. These apps had no connection to the legitimate developers and performed harmful actions. Notably, the apps were labeled as “Safe” in the catalog, creating the false impression that they had been verified and were secure.

The applications were published by a user named digisafe00000 under names like “exodus-build-96567,” but appeared in the app list as typical crypto wallet apps such as Exodus, Tronlink, Polygon, Electrum, Uniswap, Ladger, Metamask, JaxxLiberty, Avalanche, and Trustwallet.

Although these apps have now been removed from the Snap Store, they were quickly re-uploaded by a new user, codeguard0x0000, with slightly modified package names (for example, “exodus-build-71776” and “metamask-stable28798”).

Previous Incidents and Community Response

Similar activity was observed in February, which resulted in the theft of about 9 bitcoins (approximately $500,000) from a user who installed a fake Exodus client. Since the creators of these malicious apps can easily bypass the automatic package verification system, some members of the Canonical forum have suggested banning the publication of unverified cryptocurrency-related apps in the Snap Store. This would be similar to the 2022 decision by the SourceHut development platform to prohibit the publication of cryptocurrency projects.

How the Malicious Apps Work

The fake apps are essentially shells that display web pages from external sites (for example, “http://89.116.xxx.145:5000/public/exodus/index.html”) using a WebKit GTK wrapper, simulating the appearance of a regular desktop application. In the February incident, the fake apps were written in Flutter. The only working features are importing keys and wallet recovery; attempts to create a new wallet result in an error message.

If a user imports an existing wallet, the recovery phrase is sent to the attackers’ server, and the user receives an error message about wallet recovery. Once the attackers have access to the keys, they withdraw all funds from the victim’s wallet.
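A defender-side pre-install check for the pattern described above, added here as an example and not part of the original article or of any Canonical tooling: it parses the header of `snap info <name>` output and flags a package that is branded as one of the impersonated wallets but comes from a publisher without the store's verified mark, or that uses the throwaway `<brand>-build-<digits>` naming quoted in the article. The sample output is constructed, and the assumption that snapd prints `publisher:` with a trailing `✓` for verified accounts is mine.

```python
import re

# Brands named in the article (lowercased as printed, "ladger" included as written);
# "ledger" is added here because typo-squats of it are what a check should catch.
WALLET_BRANDS = ["exodus", "tronlink", "polygon", "electrum", "uniswap", "ladger",
                 "ledger", "metamask", "jaxxliberty", "avalanche", "trustwallet"]

# Package-name pattern quoted in the article: "exodus-build-96567", "metamask-stable28798".
SUSPICIOUS_NAME = re.compile(r"^[a-z]+-(build|stable)-?\d+$")

# Constructed sample of `snap info` output for a fake wallet snap (not a real listing).
FAKE_SNAP = """\
name:      exodus-build-96567
summary:   Exodus Wallet
publisher: digisafe00000
store-url: https://snapcraft.io/exodus-build-96567
"""

# Constructed sample for a snap that should raise no finding.
OK_SNAP = """\
name:      firefox
summary:   Mozilla Firefox web browser
publisher: Mozilla✓
"""

def parse_snap_info(text):
    """Parse the top-level 'key: value' lines of `snap info` output into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([a-z-]+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def assess_snap(text):
    """Return a list of risk findings for one snap; an empty list means nothing flagged."""
    f = parse_snap_info(text)
    name, publisher = f.get("name", ""), f.get("publisher", "")
    blob = f"{name} {f.get('summary', '')}".lower()
    brands = [b for b in WALLET_BRANDS if b in blob]
    findings = []
    if not brands:
        return findings          # not wallet-branded, out of scope for this check
    # Assumption: verified publishers are shown with a trailing check mark.
    if not publisher.endswith("✓"):
        findings.append(f"unverified publisher '{publisher}' ships a {brands[0]}-branded wallet")
    if SUSPICIOUS_NAME.match(name):
        findings.append(f"package name '{name}' uses the throwaway build-number pattern")
    return findings

if __name__ == "__main__":
    for sample in (FAKE_SNAP, OK_SNAP):
        print(parse_snap_info(sample)["name"], assess_snap(sample))
```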