Clubhouse is one of the most popular social applications. The invite-only audio social app completed one year this week closing in on 13 million downloads. Clubhouse is presently available on iOS with an Android version in works. A fake Clubhouse application for Android has been found on the Google Play Store, and it really contains the scandalous BlackRock malware.
This malicious app can get access to login credentials from more than 450 apps, and furthermore sidestep SMS-based two-factor confirmation, as indicated by a report by Irlenad-based ESET analyst Lukas Stefanko. This app looks exactly like the original Clubhouse app with the design and UI possible to fool anyone unaware. The app’s website description is the same as the iOS version with an option to “Get it on Google Play”. Once you tap on that button, the app automatically downloads on your phone. This is the biggest indicator itself as it should have actually taken you to the Google Play Store from where you would download the app.
ESET takes note of that there are more indicators of this being a false application, and these include the site using HTTP rather than HTTPS, and furthermore the domain name finishing off with .mobi and not .com.
The application contains the BlackRock trojan that is infamous for stealing users credentials. When the malware is installed on the phone, and some other susceptible app is launched it will use an overlay attack to steal the user credentials. Some of the popular apps that can be hacked include Twitter, WhatsApp, Facebook, Amazon, and Netflix.
There’s presently no Android version of the Clubhouse application. There is one in progress, and when it’s launched it will be free on the Google Play Store. Thinking about Clubhouse’s popularity or any new app for that matter, clone applications that can be possibly dangerous usually show up.