Phishing software "wollix" in Snap Store

Hello forum!

Recently, I purchased a hardware wallet from Ledger (https://www.ledger.com) to manage my crypto assets.

To set up the wallet, I installed the package “wollix” from the official Snap Store (see attached screenshot). During the wallet setup, this application was not helpful at all, as it apparently does not work and does not connect to the wallet. What this application does do very well, however, is harvest the recovery phrase if one is careless enough — as I unfortunately was — to enter it.

After a short time, two crypto assets were stolen from my wallet. The app is no longer available in the Snap Store.

Since I had this software installed on my computer, I am concerned about whether this application has additional unwanted or malicious functionality. Does it log keystrokes or monitor the clipboard? Does it scan the file system?

Do you have any advice for me?

I am using Ubuntu 22.04.5 LTS and 24.04.3 LTS — wollix was installed on both systems.

Looks like this is not the first time: Phishing app on the snap store -- is my computer compromised?

The only way to know what a snapped application does is to reverse-engineer it. One way to assess its risk, however, is to check the confinement interface connections (e.g. Permissions in layman's terms, as shown in the software center screenshot you’ve posted) available at the moment.

Click the Permissions button at the right to find out which permissions are currently active, and see Supported interfaces | Snapcraft documentation for information on what resources these permissions grant the snapped application access to. Yes, this information is snap packager-oriented so it might be difficult to understand; in this case simply ask in the forum for help.

If you have the ability to run terminal commands, the following command will list the interface connections in the original naming, which will be easier to look up:

snap connections wollix

You should then make a copy of the malicious snap for future analysis by running the following commands:

mkdir malicious-snap-samples
cp /var/lib/snapd/snaps/wollix*.snap malicious-snap-samples

Then remove the snap immediately from the system, either by removing it from the software center or by running the following command:

snap remove wollix

If you are unable to assess the exposure, consider the entire system exposed and mitigate that instead.

@fearfin I am a community member with an interest in store malware.

If you still have this installed, please send the output of snap info ThePackageName for that package, and send the output of snap connections ThePackageName as recommended by @Lin-Buo-Ren.

If you have the snap file(s) itself on your computer(s) (look in /var/lib/snapd/snaps/), please could you send those to me privately. There are a few of us who would be interested to inspect the snap.

I would be grateful if you would send me the transaction information for the transfer of assets, if you are comfortable doing so.

1 Like

I’ve only just noticed that this app is called wollix on Ubuntu 24.04.3 LTS. On Ubuntu 22.04.5 LTS, the app was called b7777. Does that make sense? Either way, on Ubuntu 24 I have already removed the app via the command line. On Ubuntu 22, I switched the permission to just play sounds.

snap info ThePackageName says:

name: b7777

summary: crypto wallet

publisher: Snap Quarantine

license: unset

description: | Ledger Live: Your All-in-One Digital Ecosystem Easily organize and interact with the services and items that matter to you—all in one place with Ledger Live. Designed for individuals who value independence and full oversight, Ledger Live provides a streamlined environment to manage your tools, monitor performance, and explore new possibilities with confidence. With Ledger Live, you are always in the driver’s seat of your digital assets.

A protected Ledger Live environment, designed for peace of mind Your information within Ledger Live is safeguarded by advanced protection systems constantly updated to defend against modern cyber threats. Every action you take inside Ledger Live is clearly communicated, helping you stay in full control while maintaining a secure operating space within the Ledger Live interface.

Total Ledger Live overview, crystal-clear insights Access a powerful Ledger Live dashboard that unifies everything you care about—all visible at a glance. Track real-time changes in the services you follow through Ledger Live, discover new options tailored to your needs, and seamlessly organize your digital world without ever leaving the Ledger Live app.

Flexibility with no boundaries in Ledger Live Use third-party features within Ledger Live only when you want them. Ledger Live allows you to choose providers, compare offerings, and access a wide ecosystem of tools—without giving up the freedom to decide exactly how you engage with Ledger Live.

Expand your Ledger Live capabilities Browse a variety of add-ons, experiences, and integrations available through Ledger Live. Personalize your Ledger Live setup, unlock useful functions, and explore innovative features designed to adapt Ledger Live to your specific lifestyle.

Beautiful organization of your personal Ledger Live collection Store, categorize, and showcase your unique digital items in a clean and modern Ledger Live viewer. Keep everything structured within Ledger Live and ready for quick access, whether for personal enjoyment or safe record-keeping inside your Ledger Live account.

Ledger Live is designed for every device you use Ledger Live syncs seamlessly with companion hardware and mobile platforms for an intuitive Ledger Live experience wherever you go—at home, at work, or on the move with Ledger Live.

commands:

- b7777

snap-id: n2fG208EJCbF5AOzgykxbJiAmEnXdhGZ

tracking: latest/stable

refresh-date: 2025-11-20

installed: 1.0.1 (1) 291MB -

snap connections ThePackageName says:

audio-playback            b7777:audio-playback   :audio-playback                   -
browser-support           b7777:browser-support  -                                 -
content[gnome-3-28-1804]  b7777:gnome-3-28-1804  gnome-3-28-1804:gnome-3-28-1804   -
content[gtk-3-themes]     b7777:gtk-3-themes     gtk-common-themes:gtk-3-themes    -
content[icon-themes]      b7777:icon-themes      gtk-common-themes:icon-themes     -
content[sound-themes]     b7777:sound-themes     gtk-common-themes:sound-themes    -
desktop                   b7777:desktop          :desktop                          -
desktop-legacy            b7777:desktop-legacy   :desktop-legacy                   -
gsettings                 b7777:gsettings        -                                 -
home                      b7777:home             -                                 -
network                   b7777:network          -                                 -
opengl                    b7777:opengl           -                                 -
pulseaudio                b7777:pulseaudio       -                                 -
unity7                    b7777:unity7           :unity7                           -
wayland                   b7777:wayland          :wayland                          -
x11                       b7777:x11              :x11

I’ll send the snap file and the two transactions via PM.

Thanks in advance!

Here’s the list of interfaces: Supported interfaces | Snapcraft documentation

Even though network access was granted, the home interface shouldn’t allow the snap to read your home directory without first being manually connected. The snap should not have been able to write to your home directory (or anywhere else).

These crypto-wallet malware packages all focus on stealing the funds from unsuspecting users. I haven’t seen evidence of data exfiltration thus far.

I hope this is of some consolation.

1 Like
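Added example, not part of any post in this thread: a small shell filter for the check discussed above, reading `snap connections` output and separating plugs that are actually connected from plugs the snap only declares (a "-" in the Slot column). The function names and the `WATCH` list are assumptions of this example, not an official classification; the sample rows are copied from the output posted in this thread.

```shell
#!/bin/sh
# Columns of `snap connections <snap>`: Interface  Plug  Slot  Notes.
# A "-" in the Slot column means the plug is declared by the snap but not
# connected, so it grants no access at the moment.

# Illustrative watchlist (assumption of this example): interfaces worth a
# closer look when connected.
#   home, removable-media : read/write access to user files
#   network               : outbound network access
#   x11                   : X server access; X11 does not isolate clients'
#                           input and clipboard from each other
WATCH="home removable-media network x11"

# classify_connections: reads `snap connections` output on stdin and prints
# "<state> <interface>" per row. States: CONNECTED-REVIEW, connected, unconnected.
classify_connections() {
    awk -v watch="$WATCH" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) risky[w[i]] = 1 }
        $1 == "Interface" || NF < 3 { next }       # skip header and short lines
        {
            iface = $1; sub(/\[.*/, "", iface)     # content[gtk-3-themes] -> content
            if ($3 == "-")            state = "unconnected"
            else if (iface in risky)  state = "CONNECTED-REVIEW"
            else                      state = "connected"
            print state, $1
        }'
}

# Sample input: four rows copied from the output posted in this thread.
sample_rows() {
cat <<'EOF'
audio-playback b7777:audio-playback :audio-playback -
home b7777:home - -
network b7777:network - -
x11 b7777:x11 :x11
EOF
}

# Live use on an installed snap: snap connections wollix | classify_connections
sample_rows | classify_connections
```

The result reflects the state at the time the command is run, so a plug that was disconnected by hand afterwards (as described for the Ubuntu 22 system) shows as unconnected even if it was connected earlier.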

This is an account used by the store team to release empty versions of snaps that have been taken down (so they replace the malicious binaries on your disk in case you had the actual snap installed). According to this, whatever you have installed right now should actually be harmless …

1 Like

Hi there! In Ubuntu 22 the package was exchanged by the update process - that’s a nice mechanic by the way :wink: In Ubuntu 24 I already removed the package with --purge. The only thing left is a JSON file with the following content:

{"sequence":[{"name":"wollix","snap-id":"l73SCiLANeFBkzp2fK3vD5fegQs0vHmo","revision":"2","channel":"stable","title":"LedgerLive","summary":"Ledgers Live","description":"LedgerLive: The secure and user-friendly platform for managing your assets. Buy, sell, trade, and store your digital assets with ease"}],"current":"2","migrated-hidden":false,"migrated-exposed-home":false}