The invitation-only audio chat app Clubhouse is tremendously popular at the moment which is why cybercriminals have created a fake Android version of the app in order to deliver malware capable of stealing user credentials from hundreds of online services.
The fake app was discovered by ESET malware researcher Lukas Stefanko on a website designed to mimic the look and feel of the legitimate Clubhouse site. While the company eventually plans to release an Android version, its app is currently only available on iOS.
The fake Android Clubhouse app doesn’t allow you to access the service and it also contains a trojan nicknamed “BlackRock” by ThreatFabric and detected by ESET as Android/TrojanDropper.Agent.HLR.
Stefanko provided further insight on the fake app’s first big red flag in a blog post, saying:
“The website looks like the real deal. To be frank, it is a well-executed copy of the legitimate Clubhouse website. However, once the user clicks on ‘Get it on Google Play’, the app will be automatically downloaded onto the user’s device. By contrast, legitimate websites would always redirect the user to Google Play, rather than directly download an Android Package Kit, or APK for short.”
Fake Clubhouse app
The fake Clubhouse app being circulated online is able to steal victims’ login data from 458 different online services including well-known financial and shopping apps, cryptocurrency exchanges, social media services and messaging platforms. The BlackRock trojan included in the app can steal credentials from Twitter, WhatsApp, Facebook, Amazon, Netflix, Microsoft Outlook, eBay, Coinbase, Cash App, BBVA and Loyds Bank among other apps and online services.
Realizing the impostor Clubhouse website and app are fake isn’t that difficult though, especially if you know what to look for. For instance, the website uses the top-level domain (TLD) “.mobi” instead of “.com” and if a user does end up downloading the .apk file from the site, the name of the downloaded app is “Install” instead of “Clubhouse”.
Once a victim downloads and installs the fake app, the BlackRock trojan tries to harvest their credentials by using an overlay attack. In this kind of attack, whenever a user launches one of the targeted applications on their smartphone, the malware creates an overlay of the application and requests that they login. However, instead of logging into an app, the users is actually unwittingly handing over their credentials to the cybercriminals behind the campaign.
To make matters worse, even using SMS-based two-factor authentication won’t help victims as the malware also has the ability to intercept their text messages. The fake Clubhouse app also asks victims to enable accessibility services to give the attackers even more control over their devices.
While you may be tempted to download this fake Clubhouse app especially if you’re an Android user, it is strongly recommended that you wait for the company to release an official version and only install apps directly from the Google Play Store.