The "snap store" seems to be an app store for Linux. Unfortunately, there is apparently very little vetting of apps published there, and someone published a malware app. And it's not the first...
The "snap store" seems to be an app store for Linux. Unfortunately, there is apparently very little vetting of apps published there, and someone published a malware app. And it's not the first time.
How is it that people can so easily publish scam Bitcoin wallet applications in the Snap store?
Frankly, it’s by design. One of the goals is to automate the whole Snapcraft publishing and review pipeline so there’s fewer (expensive and slow) humans in the loop.
To register a name for any application in the store, all a scammer needs is a store account. They can use any old email address, and create a store account in minutes. They don’t need to pay, give a business address or validate their identity with a government ID.
Once they have a store account, they can login with the command-line snapcraft tool, used for building their dodgy snap.
This isn't all that different from how people publish open source libraries. (For example, publishing fake npms.) However, publishing a library is more indirect, since they need to convince an app to pick it up.
Ouch. Could’ve just downloaded and installed that deb instead of… Guess I’ll keep avoiding snaps and flatpaks in favor of blindly installing things from the AUR.
I looked on the upstream Exodus website to see if there was any mention of the snap.
Notably the snapped application was neither linked nor even mentioned. There are deb and zip files for a Linux build of their Exodus Wallet application, though.
Ouch. Could’ve just downloaded and installed that deb instead of… Guess I’ll keep avoiding snaps and flatpaks in favor of blindly installing things from the AUR.
The "snap store" seems to be an app store for Linux. Unfortunately, there is apparently very little vetting of apps published there, and someone published a malware app. And it's not the first time.
This isn't all that different from how people publish open source libraries. (For example, publishing fake npms.) However, publishing a library is more indirect, since they need to convince an app to pick it up.
Ouch. Could’ve just downloaded and installed that deb instead of… Guess I’ll keep avoiding snaps and flatpaks in favor of blindly installing things from the AUR.