Linux users targeted: hackers invade Snap packages with crypto-stealing malware


Hackers are invading Snapcraft, the central app store for Ubuntu and a major software repository for other Linux distributions. Security experts warn of cybercriminals impersonating popular cryptocurrency wallets and taking over dormant Snap packages.

Someone likely lost $490,000 in bitcoin to fraudsters who placed a malicious version of the Exodus Wallet app on Snapcraft last year, according to the transaction records. Another user who downloaded a fake “Ledger Live” snap complained of being scammed out of $10,000.

Dozens of suspicious e-wallets were flagged last year by Alan Pope, Director of Developer Relations at Anchore and a former Canonical employee.


Now Pope warns that cybercriminals are shifting their tactics. Rather than publishing fake apps directly, crooks are hunting for published applications whose publishers’ domain registrations have expired.

“There’s a relentless campaign by scammers to publish malware in the Canonical Snap Store. Some get caught by automated filters, but plenty slip through,” the expert details in a new blog post on malware peddlers.


Using new tactics, the scammers swoop in, register the expired domain, trigger a password reset on the Snap Store account, and gain control of a legitimate, trusted publisher account with an established history.

Snaps are one of the ways to deliver apps on Linux. They are self-contained software packages that bundle an app with all of its required dependencies. Snaps are compressed and cryptographically signed. Linux users obtain snaps from the Snap Store, Snapcraft, which is maintained by Canonical, the developer of Ubuntu.

Pope suspects the perpetrators are located in or near Croatia, and their main goal is to compromise cryptocurrency wallet users.

“The malware masquerades as genuine apps like Exodus, Ledger Live, or Trust Wallet. It asks users to enter their wallet recovery phrase, sends those credentials to the criminals, displays an error to the user, and by the time anyone realizes what’s happened, the wallet is empty,” the expert warns.


Canonical promptly removes detected malicious packages. However, “it’s a relentless game of whack-a-mole.”

Initially, criminals published malicious apps using plausible screenshots and storefront pages. When stopped by text filters, attackers shifted to typosquatting. When this also no longer worked, crooks published innocuous, unrelated snap names like “lemon-throw” or “alpha-hub,” waited for approval, and pushed a second revision containing a fake crypto wallet app.


The newest tactic is known as domain squatting, and Pope calls it “a new low.” If a publisher account changes hands this way, users may be unaware that a snap they installed months or years ago from a reputable publisher has turned malicious after an update.

“I’ve identified at least two domains this has happened with recently: storewise.tech and vagueentertainment.com. There are almost certainly more. This is a significant escalation.”
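The takeover chain described above (expired publisher domain, re-registration, password reset on the store account, malicious revision pushed to an existing snap) leaves a signal a defender can check for: the publisher's contact domain was registered *after* the snap was first published, or is expired or about to expire. The following Python script is an added example, not code from the article or from Pope's blog post. It assumes a `SnapRecord` built from the maintainer's own inventory (name, the publisher string as shown by `snap list`, where a trailing ✓ marks a store-verified publisher, the publisher's contact domain, and the first-publication date) and an RDAP domain response, which is a real, standardised format with `events` carrying `eventAction`/`eventDate` pairs. The domains, dates and RDAP documents below are constructed sample data, not real lookups.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class SnapRecord:
    """One installed snap, as recorded in a defender's own inventory (assumed schema)."""
    name: str
    publisher: str          # publisher string as printed by `snap list`; verified ones end in "✓"
    contact_domain: str     # domain of the publisher's contact e-mail / website
    first_published: datetime


def parse_rdap_events(rdap: dict) -> dict[str, datetime]:
    """Extract registration/expiration timestamps from an RDAP domain object."""
    out: dict[str, datetime] = {}
    for ev in rdap.get("events", []):
        action, when = ev.get("eventAction"), ev.get("eventDate")
        if action in ("registration", "expiration") and when:
            # RDAP uses RFC 3339 timestamps; normalise a trailing "Z" for fromisoformat.
            out[action] = datetime.fromisoformat(when.replace("Z", "+00:00"))
    return out


def assess_snap(snap: SnapRecord, rdap: dict, now: datetime,
                expiry_window_days: int = 30) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: list[str] = []
    if not snap.publisher.endswith("✓"):
        findings.append(f"{snap.name}: publisher '{snap.publisher}' is not store-verified")

    events = parse_rdap_events(rdap)
    reg, exp = events.get("registration"), events.get("expiration")

    if reg is None:
        findings.append(f"{snap.name}: no registration date for {snap.contact_domain}")
    elif reg > snap.first_published:
        # The domain was (re)registered after the snap already existed: the exact
        # precondition for the password-reset account takeover described in the article.
        findings.append(
            f"{snap.name}: {snap.contact_domain} registered {reg:%Y-%m-%d}, after the snap's "
            f"first publication on {snap.first_published:%Y-%m-%d}; possible publisher takeover"
        )

    if exp is not None:
        if exp <= now:
            findings.append(f"{snap.name}: {snap.contact_domain} has expired; "
                            "account-recovery e-mail is claimable by anyone")
        elif exp - now <= timedelta(days=expiry_window_days):
            findings.append(f"{snap.name}: {snap.contact_domain} expires in {(exp - now).days} days")
    return findings


# Constructed sample data (placeholder domains, invented dates).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

HEALTHY_SNAP = SnapRecord("good-editor", "goodcorp✓", "goodcorp.example",
                          datetime(2021, 3, 10, tzinfo=timezone.utc))
HEALTHY_RDAP = {"events": [
    {"eventAction": "registration", "eventDate": "2015-01-20T00:00:00Z"},
    {"eventAction": "expiration", "eventDate": "2027-01-20T00:00:00Z"},
]}

TAKEN_OVER_SNAP = SnapRecord("lemon-throw", "oldpublisher", "dormant-publisher.example",
                             datetime(2022, 8, 5, tzinfo=timezone.utc))
TAKEN_OVER_RDAP = {"events": [
    # Re-registered years after the snap appeared: the domain-squatting signature.
    {"eventAction": "registration", "eventDate": "2025-04-12T00:00:00Z"},
    {"eventAction": "expiration", "eventDate": "2026-04-12T00:00:00Z"},
]}


def run_report() -> dict[str, list[str]]:
    """Assess the sample inventory and return findings keyed by snap name."""
    return {
        HEALTHY_SNAP.name: assess_snap(HEALTHY_SNAP, HEALTHY_RDAP, NOW),
        TAKEN_OVER_SNAP.name: assess_snap(TAKEN_OVER_SNAP, TAKEN_OVER_RDAP, NOW),
    }


if __name__ == "__main__":
    for name, findings in run_report().items():
        print(name, "->", findings or ["no findings"])
```

In practice the RDAP document would come from the registry's RDAP endpoint for the domain, and the inventory from `snap list` plus the store page; the check is only a heuristic, since an unverified publisher or a recent re-registration can be benign, but both of the flagged conditions match the tactic Pope describes and are worth a manual look before the next refresh lands.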

Image by Cybernews.

Pope warns Snap users to be extremely cautious with crypto apps from any source, on all app stores. It’s best to install them directly from official project websites.

Hackers have been targeting open-source package ecosystems across the board recently. For example, Cybernews has reported on widespread malicious packages on npm and PyPI. GitHub has also been abused to distribute credential-stealing malware. Malicious apps are constantly discovered on smartphone app stores and in browser extension marketplaces, and cybercrooks have used self-propagating malware like Shai-Hulud to automate attacks.

