Snap Store, a centralized application repository for distributing snap packages operated by Canonical, allows developers to publish applications with relatively low barriers to entry, while users can install and update software automatically through a single trusted channel. However, that trust is now under strain.

In a blog post, Alan Pope, a longtime Ubuntu community figure and former Canonical employee who remains an active Snap publisher, maintaining nearly 50 snaps with thousands of users, warns of a worrying trend affecting Snap packages. Here’s what it’s all about.

For more than a year, Pope and other security professionals have documented a persistent campaign of malicious snaps impersonating cryptocurrency wallet applications. These fake apps typically mimic well-known projects such as Exodus, Ledger Live, or Trust Wallet, prompting users to enter wallet recovery phrases, which are then transmitted to attackers, resulting in drained funds.