More than 10 phishing wallets detected on the Snap Store, be careful

[Forsyth Jones]

Published articles reporting phishing in stores:

Canonical cracks down on crypto cons following Snap Store scam spree

Guess Who's Back? Exodus Scam BitCoin Wallet Snap!


Never download wallets like Exodus, Electrum, etc. from the spap store, the chances of being phished are extremely high. Never download any wallet outside of their respective official websites.

Wallets like Electrum are only available on their official website and the download page states that it is available on the Google Store:



The same goes for the official Exodus website:



When downloading any software wallet, it's highly recommended to check its gpg signatures to ensure the integrity of the file.


Doing some research within the forum, I found some threads teaching how to check gpg signatures of software downloaded on different OS:
   
[GUIDE] How to Safely Download and Verify Electrum [Guide]

[Eng: Tutorial] PGP Signature - Encrypt/Decrypt message - Fingerprint

How to Verify PGP Signature of Downloaded Software on Linux


Some tips to avoid falling for scams:

• Always have a decoy wallet, in this wallet you must reserve a amount that you are willing to lose (something like US$3 ~ 50) when testing a new wallet just downloaded, you enter this test decoy seedphrase, after all, these fake wallets usually have a malicious code to drain wallets immediately as soon as a wallet with amount is imported, so if your decoy wallet is drained, you will know right away that it is a scam wallet.
• Simply have a hardware wallet, preferably open source or an airgap computer exclusively for bitcoin wallets.

I found a very interesting post of NotATether about how to avoid being hacked (or REKT) by fake wallets and other tips as well: Protect yourself from fake wallet software (guide)

[1714568690]

1714568690

[1714568690]

1714568690

[1714568690]

1714568690

[Hatchy]

Always have a decoy wallet, in this wallet you must reserve a amount that you are willing to lose (something like US$3 ~ 50) when testing a new wallet just downloaded, you enter this test decoy seedphrase, after all, these fake wallets usually have a malicious code to drain wallets immediately as soon as a wallet with amount is imported, so if your decoy wallet is drained, you will know right away that it is a scam wallet.

Should we use our funds to test for fake or malicious wallet? The points you stated above may be right to some extent but to be frank, you have to make sure you are downloading these wallets apps from the right source, which everyone knows as their official web. Play store, can no longer be trusted so even if you are downloading from Google Play store or other official stores, you should make sure that the website redirects you there. Don't click unknown links to download so as to avoid downloading Trojans or malicious apps.
This way, you don't have to test the authenticity of the wallet with your funds or having to try a decoy just as you stated in your op.

[freyacartinsmith]

It's crucial to stay vigilant when using the Snap Store and avoid suspicious wallets to protect against phishing scams. Consider using additional security measures like two-factor authentication for added protection.

[m1nu5]

Consider using a separate device or a virtual machine to test new wallets. This can help isolate any potential security risks and protect your primary devices and accounts.

[airbin]

Always have a decoy wallet, in this wallet you must reserve a amount that you are willing to lose (something like US$3 ~ 50) when testing a new wallet just downloaded, you enter this test decoy seedphrase, after all, these fake wallets usually have a malicious code to drain wallets immediately as soon as a wallet with amount is imported, so if your decoy wallet is drained, you will know right away that it is a scam wallet.

Should we use our funds to test for fake or malicious wallet? The points you stated above may be right to some extent but to be frank, you have to make sure you are downloading these wallets apps from the right source, which everyone knows as their official web. Play store, can no longer be trusted so even if you are downloading from Google Play store or other official stores, you should make sure that the website redirects you there. Don't click unknown links to download so as to avoid downloading Trojans or malicious apps.
This way, you don't have to test the authenticity of the wallet with your funds or having to try a decoy just as you stated in your op.

Obviously for someone with experience it sounds unnecessary, but most people don't even understand why an App is in the store, so for the average user, they only know how to go to their app store and download. What is clear is that if you download an App to store money you should follow a security guide. Any Wallet, even a HW, can be compromised. If you use trust as a basis for downloading any software, you are making the first mistake, even if you download a wallet from the same website and follow any of the steps mentioned. Then, testing a wallet with $100 does not offend my knowledge, it strengthens my distrust.

[Forsyth Jones]

Should we use our funds to test for fake or malicious wallet? The points you stated above may be right to some extent but to be frank, you have to make sure you are downloading these wallets apps from the right source, which everyone knows as their official web. Play store, can no longer be trusted so even if you are downloading from Google Play store or other official stores, you should make sure that the website redirects you there. Don't click unknown links to download so as to avoid downloading Trojans or malicious apps.
This way, you don't have to test the authenticity of the wallet with your funds or having to try a decoy just as you stated in your op.

As I said, if you are willing to lose an amount that is negligible for you, like US$3 - 5, after all, this is the best way to know if the application is malicious once and for all, unless be more complex malware waiting for you to raise a considerable sum to run the scan. GPG signature, source on github and official website checks are essential forms of verification, in addition to a brief search on Google, forums and other communities for the wallet name.

[Amphenomenon]

Should we use our funds to test for fake or malicious wallet? The points you stated above may be right to some extent but to be frank, you have to make sure you are downloading these wallets apps from the right source, which everyone knows as their official web. Play store, can no longer be trusted so even if you are downloading from Google Play store or other official stores, you should make sure that the website redirects you there. Don't click unknown links to download so as to avoid downloading Trojans or malicious apps.
This way, you don't have to test the authenticity of the wallet with your funds or having to try a decoy just as you stated in your op.

As I said, if you are willing to lose an amount that is negligible for you, like US$3 - 5, after all, this is the best way to know if the application is malicious once and for all, unless be more complex malware waiting for you to raise a considerable sum to run the scan. GPG signature, source on github and official website checks are essential forms of verification, in addition to a brief search on Google, forums and other communities for the wallet name.

To be frank Hackers are creative and decoy wallet seems good but don't forget when you using a decoy wallet, you have to keep it secure as if its your main wallet because if it's pretty easy for them to get this wallet, they will have a feeling that it's just decoy wallet and start chasing the main wallet while you already spoken of the chance of were this malicious attack may not occur early or wait till some certain amount of funds is in the wallets before the attack launched I believe this is mainly be for closed source wallets because others may likely be able to identify such malicious attacks on open source wallets early.

This guide:Protect yourself from fake wallet software (guide) is actually the best way to avoid all these though it's just for desktop wallets but it as always been said not to store your coins on your mobile wallet and also it is recommended to use open source wallet always.
In fact if there are any open source software which can be used as an alternative to any software you're using then go for it instead and this is among the main reasons Linux is more secured than Windows

[Bitcoin_Arena]

It's crucial to stay vigilant when using the Snap Store and avoid suspicious wallets to protect against phishing scams. Consider using additional security measures like two-factor authentication for added protection.

2-factor authentication is mostly a thing of centralized exchanges and custodial wallets. It does not help if you import your seed to a malicious wallet software. The hacker or scammer can spend the Bitcoin anytime he/she wants.

But yeah people have been talking about macOS and Linux being much safe operating systems, but this is no guarantee the hacker will try to create malware for their app stores too. Always verifying the signatures is key!

[ABCbits]

Snap already have poor reputation on Linux community and this discovery will make it worse. And after looking at link you mentioned, it could be avoided if Canonical simply check whether who submit the application have same name/company with the one who create the software.

Never download wallets like Exodus, Electrum, etc. from the spap store, the chances of being phished are extremely high. Never download any wallet outside of their respective official websites.

In addition, your suggestion also apply when you download software from flatpak/flathub. Some software on it isn't created by the original creator. For example, Wasabi Wallet on flatpak isn't created by zkSNACKs[1].

[1] https://github.com/zkSNACKs/WalletWasabi/issues/12595#issuecomment-1974175418

[sherlockphone]

And never ever download the Bitcoin core from the snap store either

[Alana Arden]

Always have a decoy wallet, in this wallet you must reserve a amount that you are willing to lose (something like US$3 ~ 50) when testing a new wallet just downloaded, you enter this test decoy seedphrase, after all, these fake wallets usually have a malicious code to drain wallets immediately as soon as a wallet with amount is imported, so if your decoy wallet is drained, you will know right away that it is a scam wallet.

Should we use our funds to test for fake or malicious wallet? The points you stated above may be right to some extent but to be frank, you have to make sure you are downloading these wallets apps from the right source, which everyone knows as their official web. Play store, can no longer be trusted so even if you are downloading from Google Play store or other official stores, you should make sure that the website redirects you there. Don't click unknown links to download so as to avoid downloading Trojans or malicious apps.
This way, you don't have to test the authenticity of the wallet with your funds or having to try a decoy just as you stated in your op.

Obviously for someone with experience it sounds unnecessary, but most people don't even understand why an App is in the store, so for the average user, they only know how to go to their app store and download. What is clear is that if you download an App to store money you should follow a security guide. Any Wallet, even a HW, can be compromised. If you use trust as a basis for downloading any software, you are making the first mistake, even if you download a wallet from the same website and follow any of the steps mentioned. Then, testing a wallet with $100 does not offend my knowledge, it strengthens my distrust.

After reading the thread, I had the same question as Hatchi: Why should we use our funds to investigate fake or malicious wallets? Why even a small amount?
     Later, Airbin gave a nice explanation in its comments. Although I don't know much about technology, but I have a stupid question on this topic that I want to share with everyone. Sorry if anything is wrong. I don't know how well I will be able to explain my question.
     The question was, after receiving this small ($3–$50) amount of funds, how do fake or malicious wallets intend to destroy the wallet? I mean, if they cheat that small amount, those wallets will be under our watch, and we will be careful to manage the wallets. Later they will have no opportunity to cheat.
   Again, it may be that the fake wallet is not emptied after importing these small funds. But later, when we trust these wallets and start depositing good amount of money in them, can they start fraud?
    Although, I don't have a proper idea about Decoy Wallet, but I got some idea about it by searching on Google and I want to know more about Decoy Wallet.

[ABCbits]

And never ever download the Bitcoin core from the snap store either

Some Linux user don't like snap, but do you have any specific reason for saying that? After all, it's published by Bitcoin Core developer and mentioned on https://bitcoincore.org/en/download/.

[NotATether]

And never ever download the Bitcoin core from the snap store either

Some Linux user don't like snap, but do you have any specific reason for saying that? After all, it's published by Bitcoin Core developer and mentioned on https://bitcoincore.org/en/download/.

Well I'm not the person you replied to but if I read a piece of news that says that over 10 fake crypto wallets were uploaded to the Snap store of all places, then I would not be able to trust Snap for downloading crypto wallets after that.

In fact, I do not even trust .DEBs or anything from APT from this purpose as I need to be able to verify that the software is legit.

[ABCbits]

And never ever download the Bitcoin core from the snap store either

Some Linux user don't like snap, but do you have any specific reason for saying that? After all, it's published by Bitcoin Core developer and mentioned on https://bitcoincore.org/en/download/.

Well I'm not the person you replied to but if I read a piece of news that says that over 10 fake crypto wallets were uploaded to the Snap store of all places, then I would not be able to trust Snap for downloading crypto wallets after that.

In fact, I do not even trust .DEBs or anything from APT from this purpose as I need to be able to verify that the software is legit.

That makes sense for someone who highly prioritize security. But average would just download wallet software from certain place (e.g. Snap on Ubuntu or Google Play on Android). And FWIW apt should reject unsigned package or package with invalid signature.

[NotATether]

That makes sense for someone who highly prioritize security. But average would just download wallet software from certain place (e.g. Snap on Ubuntu or Google Play on Android). And FWIW apt should reject unsigned package or package with invalid signature.

What is stopping someone from adding their own signature to the package?

It's not a big problem with other app stores since they show the developer or company name in big bold letters, so forgeries are easy to spot. But most crypto wallets are made by unknown people, and additionally, there is no way to verify that a Snap package signature really does sign an authentic package, because the real developers are not on the platform.

[ABCbits]

That makes sense for someone who highly prioritize security. But average would just download wallet software from certain place (e.g. Snap on Ubuntu or Google Play on Android). And FWIW apt should reject unsigned package or package with invalid signature.

What is stopping someone from adding their own signature to the package?

IIRC in apt the package should be signed by repository owner. So you should trust the owner to verify package added to their repository, while attacker must fool the owner to add malicious package.

It's not a big problem with other app stores since they show the developer or company name in big bold letters, so forgeries are easy to spot. But most crypto wallets are made by unknown people, and additionally, there is no way to verify that a Snap package signature really does sign an authentic package, because the real developers are not on the platform.

But in this case (see image i include), it's not hard to find out that those 10 application should be created or published by multiple different group.


Source: https://popey.com/blog/2024/03/exodus-wallet-part-three/

[AprilioMP]

Wallets like Electrum are only available on their official website and the download page states that it is available on the Google Store:



When downloading any software wallet, it's highly recommended to check its gpg signatures to ensure the integrity of the file.

I downloaded the mobile version of the Electrum wallet to use on Android by clicking Google Play on their official website as in the red circle you did and was immediately directed to the Play Store to download.

Can what I do cause me to have a negative impact later because I don't fully understand how to spot phishing, but at least I always try to download something from the official website to avoid phishing, which is what I fear the most when dealing with internet activity.

[Forsyth Jones]

I downloaded the mobile version of the Electrum wallet to use on Android by clicking Google Play on their official website as in the red circle you did and was immediately directed to the Play Store to download.

Yes, you did it right, this is the correct procedure. The Electrum app for Android is hosted on the Google Play Store.

For desktop wallets, it is always recommended to check the official website first, and in the case of mobile applications, check if their website has the mobile version of this wallet and what the procedure is, but generally they redirect directly to the Play Store or App Store to download the app directly from there. You can also check if the supplier of the mobile version wallet is the same, a good example of this is that generally the App supplier of these stores has the same name as the wallet or the name of the wallet developer.