Fake crypto wallets have flooded the official Ubuntu app store

For not the first time, the popular Linux application store, Snap Store, operated by Canonical, has found itself harboring fraudulent cryptocurrency wallets masquerading as renowned brands. Previously, in February of this year, security researchers had already documented the emergence of similar counterfeit applications. These enabled cybercriminals to abscond with approximately $490,000 in bitcoins from unsuspecting users.

This instance saw the upload of ten counterfeit wallets to the Snap Store, purporting to be popular applications such as Exodus, Polygon, Metamask, and Tronlink, among others. All were published by a dubious publisher under the codename “digisafe00000,” but were later republished under the account “codeshield0x0000.”

One such application, identified as “exodus-build-96567,” was scrutinized by independent researcher Alan Pope. The application disguises itself as the legitimate Exodus wallet, promising users to secure the storage and exchange of various cryptocurrencies through a single, user-friendly interface.

The creators of this deceptive software went to great lengths, mimicking the official app store and using enticing descriptions. “Forget about managing a million different wallets and seed phrases. Securely store, manage, and exchange all your favorite assets in one beautiful and easy-to-use wallet,” proclaimed the advertisement.

However, placing trust in these statements was fraught with dire consequences. Attempts to create a new wallet resulted in an error, but entering a recovery phrase for an existing wallet saw these critical details immediately transmitted to a remote server controlled by the fraudsters.

A meticulous analysis of the malicious application’s code revealed an embedded dictionary containing thousands of valid words used for recovering cryptocurrency wallets. Upon entering a correct recovery phrase of 12, 18, or 24 words, this information was instantly sent to the criminals via an HTTP request, allowing them full access to the victim’s funds.

Furthermore, the fraudulent application periodically pinged a remote server, transmitting the specific name of the installed program. Likely, this allowed the criminals to track active users for further attacks or statistical collection.

Following the incident’s discovery, the Canonical team was notified, and the fake wallets were promptly removed. However, this victory proved only temporary. Within a day, the counterfeit applications reappeared under a new account (the aforementioned “codeshield0x0000”).

Thus, the struggle against such applications might persist indefinitely, yet a more sensible approach would be to tighten the scrutiny of applications published in Canonical’s official store, especially those closely related to cryptocurrency and finance.

In today’s world, cybercriminals are ever vigilant, refining their deceitful methods with each passing day. Therefore, users must remain alert, download software only from fully trustworthy sources, and never disclose critical data to dubious services.