• Previously: In February, Popey blogged about scam Bitcoin wallet apps in the Canonical Snap store, one of which netted $490K. The snap was eventually removed and some threads were started on the Snapcraft forum.
• Groundhog Day: Today, another ten scam Bitcoin wallet apps were published in the Snap Store. They have names like exodus-build-96567 published by digisafe00000. These were removed one day later but reappeared under a new account codeshield0x0000. There's no indication they are from the same developer as previous scam Exodus Wallet snaps.
• Presentation: The Snap Store page for exodus-build-96567 shows a minimal effort listing. It shows up in searches within the desktop graphical storefront and should not be installed. It claims to be "Secure, Manage, and Swap all your favorite assets" but is actually a scam.
• Open wide: The exodus-build-96567 snap was only published today. Unpacking it shows mostly snap scaffolding and a single exodus-bin application binary. The snapcraft.yaml used to build the package needs network access.
• Digging Deeper: Unlike the previous Flutter-based scam app, this one is a web page in a WebKit GTK wrapper. If the network is not available, it shows an empty window with an error. When the network is up, it loads remote content and renders it. The javascript has a dictionary of allowed words for the recovery key. It sends "POST" requests to a /collect endpoint and "pings" a /ping endpoint. All this is done over HTTP.
• Conclusion: It's easy to publish scam apps in the Canonical Snap Store and they often go unnoticed. Previous posts may have had little impact. It would be great if the Canonical store team could prevent these apps from reaching users. Popey has reported the app to the Snap Store team.