Snap Store, a centralized application repository for distributing snap packages operated by Canonical, allows developers to publish applications with relatively low barriers to entry, while users can install and update software automatically through a single trusted channel. However, that trust is now under strain.

In a blog post, Alan Pope, a longtime Ubuntu community figure and former Canonical employee who remains an active Snap publisher, maintaining nearly 50 snaps with thousands of users, warns of a worrying trend affecting Snap packages. Here’s what it’s all about.

For more than a year, Pope and other security professionals have documented a persistent campaign of malicious snaps impersonating cryptocurrency wallet applications. These fake apps typically mimic well-known projects such as Exodus, Ledger Live, or Trust Wallet, prompting users to enter wallet recovery phrases, which are then transmitted to attackers, resulting in drained funds.

  • grue@lemmy.world · 16 hours ago · 49 up, 6 down

    Sure is a good thing Ubuntu doesn’t sometimes sneakily install a Snap when you try to use apt to install a package, such as with Firefox. Tricking users into using Snap without realizing it, making them unknowingly vulnerable to exploits like this, would be really really bad and unethical on Canonical’s part.

    • kumi@feddit.online · edited · 15 hours ago · 35 up, 6 down

      Tricking users into using Snap without realizing it, making them unknowingly vulnerable to exploits like this, would be really really bad and unethical on Canonical’s part.

      That is not what is happening at all.

      Just so nobody is confused or gets afraid of their install: Getting the Firefox snap installed via Ubuntu's apt package does not make users vulnerable to what is talked about here and is just as safe as the apt package version. For Firefox, snaps might even be safer since you will probably get security patches earlier than with apt upgrades and get some sandboxing. In both cases you are pulling signed binaries from Canonical servers.

      The post is about third-party fake snaps. If you run a snap install command from a random web site or LLM without checking it, or making a typo, then you are at risk. If Ubuntu didn't have snaps, this would be malicious flatpaks. If Ubuntu didn't have flatpaks, it would be malicious PPAs. And so on. Whatever hosted resource gets widely popular and allows users to blindly run and install software from third-parties will be abused for malware, phishing, typosquatting and so on. This is not the fault of the host. You can have access to all the apps out there you may ever want or you can safely install all your apps from one trusted source. But it's an illusion that you can never have both.

      People have opinions about if snaps are a good idea or not and that's fine but there shouldn't be FUD. If you are using Canonical's official snaps and are happy with them you don't have to switch.
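The risk kumi describes above is running `snap install` on a name copied from a web page or a typo without looking at who publishes it. The script below is an added example, not code from the article, from Alan Pope, or from Canonical: it parses the `publisher:` line of `snap info` output and only proceeds when that publisher carries the verified mark (the check-mark suffix) and matches the publisher you expected. The two `snap info` transcripts embedded in it are constructed for offline testing, and the `publisher: <name>✓` field layout is an assumption about the current `snap` CLI output; `check_and_install` is a hypothetical wrapper name, not a snap command.

```shell
#!/bin/sh
# Added example (not from the article or the thread): a pre-install check that
# refuses to install a snap unless `snap info` reports a verified publisher
# whose name matches what you expected. Assumption: `snap info` prints a line
# of the form "publisher: <name>✓" for verified publishers and "publisher: <name>"
# (no mark) for everyone else.

# Print the publisher field from `snap info` output read on stdin.
snap_publisher() {
    sed -n 's/^publisher:[[:space:]]*//p' | head -n 1
}

# Return 0 when the publisher read from stdin is exactly "<expected>✓",
# i.e. verified and the publisher we intended; 1 for anything else
# (unverified, a different publisher, or no publisher line at all).
publisher_is_verified() {
    expected="$1"
    pub=$(snap_publisher)
    case "$pub" in
        "${expected}✓") return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: output resembling a snap from a verified publisher.
SAMPLE_VERIFIED='name:      examplewallet
summary:   Example wallet
publisher: Example Wallet Inc✓
store-url: https://snapcraft.io/examplewallet'

# Constructed sample: output resembling a look-alike name (digit 1 for l)
# published by an unverified account.
SAMPLE_UNVERIFIED='name:      examp1ewallet
summary:   Example wallet
publisher: random-user
store-url: https://snapcraft.io/examp1ewallet'

# Hypothetical wrapper around the real commands: only install when the
# publisher check passes. Needs the `snap` CLI; the test below never calls it.
check_and_install() {
    name="$1"; expected="$2"
    if snap info "$name" | publisher_is_verified "$expected"; then
        echo "publisher verified, installing $name"
        sudo snap install "$name"
    else
        echo "refusing: $name is not published by verified '$expected'" >&2
        return 1
    fi
}

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_VERIFIED"   | publisher_is_verified "Example Wallet Inc" && echo "sample 1: would install"
printf '%s\n' "$SAMPLE_UNVERIFIED" | publisher_is_verified "Example Wallet Inc" || echo "sample 2: would refuse"
```

The verified mark only tells you the store has confirmed who the publisher is; it says nothing about what the snap does, so the check is a guard against impersonation and typosquatting, not a substitute for knowing which publisher you actually want. Pinning `expected` to the publisher name you looked up on the project's own site is what makes the comparison meaningful.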