Audio-based social app Clubhouse has attracted headlines and big venture capital rounds, but the service still is available only for Apple Inc.’s iOS devices. Android users have been keen to check the service out, though, and that’s exactly what some scammers are taking advantage of with fake Clubhouse Android apps.

A newly discovered fake Clubhouse Android detailed late last week by researchers at ESET spol s.r.o. was found to include a malicious package aimed at stealing users’ login information from a variety of online services. The fake Clubhouse app for Android includes a Trojan virus dubbed “BlackRock” and can steal data from no fewer than 458 online services.

The targeted services include financial and shopping apps, cryptocurrency exchanges, social media services and messaging platforms. Notable targets include Twitter Inc., WhatsApp, Facebook Inc., Amazon.com Inc., Netflix Inc., Microsoft Corp.’s Outlook, eBay Inc., Coinbase Inc. and Cash App.

The app is being distributed through a fake website described as looking like the “real deal” and a well-executed copy of the legitimate Clubhouse website. Differing from an official distribution, the site prompts visitors to download the app directly instead of through Google Play.

The ability to steal account details is bad enough, but the BlackRock Trojan also can intercept text messages. This means that even users using two-factor authentication to prevent anyone from infiltrating their accounts would be exposed to account theft as well.

“One of the problems when creating exclusive online experiences is that they become popular and everyone wants in,” Tim Mackey, principal security strategist at electronic design automation firm Synopsys Inc.’s Cybersecurity Research Center, told SiliconANGLE. “When the online experience comes from a specific app and there isn’t a version for both Apple and Android operating systems, then such a gap is an inviting target for criminals to exploit.”

Chris Clements, vice president of solutions architecture at information technology service management company Cerberus Cyber Sentinel Corp., noted that cybercriminals will exploit any opportunity to compromise their victims and the launch of a popular new app not yet available on a major platform like Android presents them with a major opportunity.

“The BlackRock trojan is one of the meaner pieces of mobile malware- it’s almost easier to list the accounts it doesn’t steal,” Clements said. “Combined with having near-complete control over the mobile device if granted Accessibility Service privileges, this can be devastating to victims whose phones are increasingly the central computing device in their life.”

The ultimate solution here to prevent scammers and malware operators from targeting Android users is for Clubhouse to offer an Android app. That app may be sometime off, however, with Clubhouse only hiring an Android software developer Feb. 22.

Clubhouse also suffered a security breach in February when a third-party developer designed an open-source app that allowed Android users to access Clubhouse, though it didn’t contain malware.

Image: Clubhouse