UPDATED 22:36 EDT / MARCH 21 2021

SECURITY

Scammers trick Android users into installing fake, malware-laden Clubhouse app

Audio-based social app Clubhouse has attracted headlines and big venture capital rounds, but the service still is available only for Apple Inc.’s iOS devices. Android users have been keen to check the service out, though, and that’s exactly what some scammers are taking advantage of with fake Clubhouse Android apps.

A newly discovered fake Clubhouse Android detailed late last week by researchers at ESET spol s.r.o. was found to include a malicious package aimed at stealing users’ login information from a variety of online services. The fake Clubhouse app for Android includes a Trojan virus dubbed “BlackRock” and can steal data from no fewer than 458 online services.

The targeted services include financial and shopping apps, cryptocurrency exchanges, social media services and messaging platforms. Notable targets include Twitter Inc., WhatsApp, Facebook Inc., Amazon.com Inc., Netflix Inc., Microsoft Corp.’s Outlook, eBay Inc., Coinbase Inc. and Cash App.

The app is being distributed through a fake website described as looking like the “real deal” and a well-executed copy of the legitimate Clubhouse website. Differing from an official distribution, the site prompts visitors to download the app directly instead of through Google Play.

The ability to steal account details is bad enough, but the BlackRock Trojan also can intercept text messages. This means that even users using two-factor authentication to prevent anyone from infiltrating their accounts would be exposed to account theft as well.

“One of the problems when creating exclusive online experiences is that they become popular and everyone wants in,” Tim Mackey, principal security strategist at electronic design automation firm Synopsys Inc.’s Cybersecurity Research Center, told SiliconANGLE. “When the online experience comes from a specific app and there isn’t a version for both Apple and Android operating systems, then such a gap is an inviting target for criminals to exploit.”

Chris Clements, vice president of solutions architecture at information technology service management company Cerberus Cyber Sentinel Corp., noted that cybercriminals will exploit any opportunity to compromise their victims and the launch of a popular new app not yet available on a major platform like Android presents them with a major opportunity.

“The BlackRock trojan is one of the meaner pieces of mobile malware- it’s almost easier to list the accounts it doesn’t steal,” Clements said. “Combined with having near-complete control over the mobile device if granted Accessibility Service privileges, this can be devastating to victims whose phones are increasingly the central computing device in their life.”

The ultimate solution here to prevent scammers and malware operators from targeting Android users is for Clubhouse to offer an Android app. That app may be sometime off, however, with Clubhouse only hiring an Android software developer Feb. 22.

Clubhouse also suffered a security breach in February when a third-party developer designed an open-source app that allowed Android users to access Clubhouse, though it didn’t contain malware.

Image: Clubhouse

A message from John Furrier, co-founder of SiliconANGLE:

Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.

Join Our Community 

Click here to join the free and open Startup Showcase event.

“TheCUBE is part of re:Invent, you know, you guys really are a part of the event and we really appreciate your coming here and I know people appreciate the content you create as well” – Andy Jassy

We really want to hear from you, and we’re looking forward to seeing you at the event and in theCUBE Club.

Click here to join the free and open Startup Showcase event.