Fake crypto wallets in the official Ubuntu catalog are an indicator of a more serious threat

For some time, a fake crypto wallet was distributed through the official Ubuntu Snap application directory; any funds restored into it were immediately transferred to a third-party address. One of the users had 9.84 BTC stolen this way.

This is a typical supply chain attack, one of the most dangerous types of attack. It involves introducing malware into official software delivery channels: for example, into firmware from the equipment manufacturer, or into official software updates distributed through official websites.

The fake Exodus crypto wallet was published in Canonical's official Snap catalog on February 6, 2024 (screenshot) and stayed there for six days.

On February 12, one of the users on the Snapcraft forum reported a strange bug: after restoring access to the wallet, it turned out to be empty, and the wallet history showed that all funds had been transferred to an outside address.

Studying the software in a virtual machine with Wireshark showed that the loss of funds from the wallet is not a bug but a feature: the app itself was a fraudulent counterfeit of the original Exodus wallet.

It differed from the original wallet in the unusually small size of its binary. The fake program was built with the Flutter framework, whereas the original is built on Electron.

When first launched, the application immediately asked for a seed phrase to restore access to the online wallet, after which the wallet was immediately emptied.

As a result, the program was removed from the Snap catalog.

Canonical founder and Ubuntu development lead Mark Shuttleworth admitted that there are more and more malicious applications using social engineering tricks. He said that “we live in an increasingly dangerous world” and promised to take additional security measures for the Ubuntu software directory, although the company can do little there.

Acceptance of applications into the catalog is automated, and publishing your own application is quite easy. This is not the first fake crypto wallet or miner to be published in the Ubuntu directory over the past few years, and some of this malware is still running on users’ computers. For Ubuntu there is a one-liner that removes all of the known “crypto junk” from the system at once:

for s in 2048buntu hextris freecraft bip-web bitwallet btcwal btcwallet coinbase cryptowal electrum-wallet2 exodus exoduswal exoduswalet exodwallet guarda komodo ledger-live-wallet ledger1 ledgerlive liveledger metamask new-electrum-wallet sparrow sparrow-wallet sparrowwalet sparrowwallet trezor-wallet trezorwallet trustwallet; do sudo snap remove --purge $s; done
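As an added example (not from the original article), the same name list can be used as an audit before anything is purged: the script below reads `snap list` output and reports which of those names are installed and by which publisher. The `snap list` sample it is checked against is constructed.

```shell
#!/bin/sh
# Added example: audit installed snaps against the "crypto junk" name list
# from the one-liner above, reporting matches instead of removing them.
# The name list is the one from the article; the sample snap output is constructed.

KNOWN_BAD="2048buntu hextris freecraft bip-web bitwallet btcwal btcwallet coinbase cryptowal electrum-wallet2 exodus exoduswal exoduswalet exodwallet guarda komodo ledger-live-wallet ledger1 ledgerlive liveledger metamask new-electrum-wallet sparrow sparrow-wallet sparrowwalet sparrowwallet trezor-wallet trezorwallet trustwallet"

# find_bad_snaps: reads `snap list` text on stdin (columns: Name Version Rev
# Tracking Publisher Notes), skips the header line and prints "name publisher"
# for every installed snap whose name is on the list.
find_bad_snaps() {
    awk -v bad="$KNOWN_BAD" '
        BEGIN { n = split(bad, names, " "); for (i = 1; i <= n; i++) set[names[i]] = 1 }
        NR > 1 && ($1 in set) { print $1, $5 }
    '
}

# purge_bad_snaps: same check against the live system, then removes the
# matches the way the article's one-liner does (only the matches, not all names).
purge_bad_snaps() {
    snap list | find_bad_snaps | while read -r name publisher; do
        echo "removing $name (publisher: $publisher)"
        sudo snap remove --purge "$name"
    done
}

# Constructed sample of `snap list` output, with two names from the list installed.
SAMPLE_SNAP_LIST='Name          Version   Rev   Tracking        Publisher   Notes
core22        20240111  1122  latest/stable   canonical   base
exodus        1.0       1     latest/stable   someone     -
firefox       122.0     3836  latest/stable   mozilla     -
sparrowwalet  1.7       2     latest/stable   someone     -'

# Dry-run demo on the constructed sample; pass --live to audit the real system.
if [ "${1:-}" = "--live" ] && command -v snap >/dev/null 2>&1; then
    snap list | find_bad_snaps
else
    printf '%s\n' "$SAMPLE_SNAP_LIST" | find_bad_snaps
fi
```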

Conclusions

Protecting digital assets and personal information requires certain efforts and the use of various technologies, including a reliable encryption system and secret sharing. In many ways, this is the personal responsibility of the individual. The state, the police and the courts all know how to work with digital assets, but a person is primarily responsible for protecting his own property.

Therefore, it is important to monitor the situation, be aware of existing threats and not take anything for granted. For example, downloading a binary application, even from an official website or catalog, already carries a certain risk, because we do not see the source code and do not know what is inside the application. In this sense, compiling from source yourself is much safer.

Developers are at an advantage over regular users because they can not only compile a program from source code (which is available to everyone), but also review the code before compiling it. Moreover, they can independently write an application with the functionality they need for themselves and their loved ones. For example, writing your own Bitcoin wallet is relatively simple, since the system APIs are open and well documented. The same can be said about video calling applications and many others that you can write for yourself, literally in a few days, if other people's applications are not trustworthy or lack the necessary functions (or, on the contrary, contain a lot of unnecessary stuff).

Based on the Exodus story, we can conclude that the danger of downloading binary applications, even from official catalogs, has not disappeared. Malicious code is distributed through PyPI packages and through the App Store catalog. It can be assumed that scammers will continue to come up with new ways to inject malicious code into official software delivery channels.
