Clubhouse, an invitation-only audio chat app, has become incredibly popular, and cybercriminals have taken advantage by creating a fake Android version of the app to deliver malware that could steal user credentials from hundreds of online services.
The fake app was found by ESET malware researcher Lukas Stefanko on a website designed to mimic the look and feel of the legitimate Clubhouse site. The company plans to eventually release an Android version, but the app is currently only available on iOS.
The fake Android Clubhouse app does not provide access to the service. Instead, it carries a Trojan horse nicknamed “BlackRock” by ThreatFabric and detected by ESET as Android/TrojanDropper.Agent.HLR.
In a blog post, Stefanko described the first big warning signs that the app is fake.
“The website looks like a real deal. To be honest, it’s a well-executed copy of a legitimate Clubhouse website. However, when the user clicks ‘Download from Google Play’, the app is automatically downloaded to the user’s device. Conversely, legitimate websites don’t download Android package kits, or simply APKs, directly; they always redirect users to Google Play.”
Fake Clubhouse app
The fake Clubhouse app circulating online can steal victims’ login data from 458 other online services, including well-known financial and shopping apps, cryptocurrency exchanges, social media services and messaging platforms. The BlackRock Trojan included in the app can steal credentials for Twitter, WhatsApp, Facebook, Amazon, Netflix, Microsoft Outlook, eBay, Coinbase, Cash App, BBVA and Lloyds Bank, among other apps and online services.
It’s not hard to tell that the scammers’ Clubhouse website and app are fake, especially if you know what to look for. For example, the website uses the top-level domain (TLD) “.mobi” instead of “.com”, and when a user downloads the .apk file from the site, the downloaded app is named “Install” instead of “Clubhouse”.
When a victim downloads and installs the bogus app, the BlackRock Trojan attempts to collect credentials using an overlay attack. In this kind of attack, whenever a user launches one of the targeted applications on their smartphone, the malware draws an overlay on top of the application and requests a login. Instead of logging into the app, users are unknowingly handing over their credentials to the cybercriminals behind the campaign.
To make matters worse, SMS-based two-factor authentication won’t help victims, because the malicious code can intercept text messages. The fake Clubhouse app also asks victims to enable accessibility services, which gives attackers better control over their devices.
Android users in particular may be tempted to download this fake Clubhouse app, but we recommend that you wait for the company to release an official version and then install the app only from the Google Play store.