Clubhouse, the popular invite-only audio chat app, has become a lure for threat actors trading on its popularity. Security researchers recently found cybercriminals distributing a malicious app posing as an Android version of Clubhouse. Clubhouse is currently available only to iOS users; the company plans to launch an Android version soon.
According to researchers from ESET, the fake app aims to steal users’ login credentials for a variety of online services. Dubbed “BlackRock”, the malicious app is delivered from a phishing website that impersonates the genuine Clubhouse website.
Once installed, BlackRock targets a range of apps on the victim’s device, including financial and e-commerce apps, cryptocurrency exchanges, social media and messaging platforms, among them Twitter, WhatsApp, Facebook, Amazon, Netflix, Outlook, eBay, Coinbase, Plus500, Cash App, BBVA and Lloyds Bank.
Malicious web claiming to offer #Clubhouse for Android spreads banking trojan Blackrock. It lures credentials from 458 apps – financial, cryptocurrency exchanges & wallets, social, IM and shopping apps. There is currently no official Clubhouse app for Android. #ESETresearch 1/2 pic.twitter.com/azlxjvIgNO
— ESET research (@ESETresearch) March 16, 2021
“The website looks like the real deal. To be frank, it is a well-executed copy of the legitimate Clubhouse website. However, once the user clicks on ‘Get it on Google Play’, the app will be automatically downloaded onto the user’s device. By contrast, legitimate websites would always redirect the user to Google Play, rather than directly download an Android Package Kit or APK for short,” the researchers said.
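The tell the researchers describe, a “Get it on Google Play” button that serves an APK directly instead of sending the user to the Play Store, is easy to check for mechanically. The following is an added example, not ESET’s or Clubhouse’s code: it collects the links on a page and flags any whose anchor text promises the Play Store but whose target is not a Play Store URL. The sample pages and the base URL `clubhouse-lookalike.invalid` are constructed for the demonstration.

```python
# Added example (not ESET's or Clubhouse's code): flag "Get it on Google Play"
# style buttons whose link does not go to the Play Store but serves an APK
# directly. Sample pages and BASE_URL below are constructed for the demo.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PLAY_STORE_HOSTS = {"play.google.com", "market.android.com"}
STORE_PHRASES = ("google play", "play store")


class LinkCollector(HTMLParser):
    """Collect (href, normalised anchor text) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def classify_link(href, base_url):
    """Return 'play-store', 'direct-apk' or 'other' for a download link."""
    url = urljoin(base_url, href)
    parsed = urlparse(url)
    if parsed.scheme == "market":  # market://details?id=... opens the Play app
        return "play-store"
    host = (parsed.hostname or "").lower()
    if host in PLAY_STORE_HOSTS:
        return "play-store"
    if parsed.path.lower().endswith(".apk"):
        return "direct-apk"
    return "other"


def find_store_lookalike_links(html, base_url):
    """Links whose anchor text promises the Play Store but do not lead there."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if href is None:
            continue
        if not any(phrase in text.lower() for phrase in STORE_PHRASES):
            continue
        verdict = classify_link(href, base_url)
        if verdict != "play-store":
            findings.append(
                {"text": text, "url": urljoin(base_url, href), "verdict": verdict}
            )
    return findings


# Constructed sample pages: a lookalike that serves an APK, and a page whose
# button really does go to the Play Store.
PHISHING_PAGE = """<html><body>
<h1>Clubhouse for Android</h1>
<a class="btn" href="/download/clubhouse.apk">Get it on Google Play</a>
<a href="/faq">FAQ</a>
</body></html>"""

LEGIT_PAGE = """<html><body>
<a href="https://play.google.com/store/apps/details?id=com.example.app">
  Get it on Google Play
</a>
</body></html>"""

BASE_URL = "https://clubhouse-lookalike.invalid/"  # constructed placeholder

if __name__ == "__main__":
    for name, page in (("lookalike", PHISHING_PAGE), ("legit", LEGIT_PAGE)):
        print(name, find_store_lookalike_links(page, BASE_URL))
```

The check is deliberately narrow: it only looks at the link target, so a redirector that eventually serves an APK would need the same classification applied to the final URL after following redirects.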
How to protect against malicious apps?
ESET researchers recommended several measures for spotting malicious apps and improving mobile security. These include:
- Use only the official stores to download apps to your devices
- Be wary of what kinds of permissions you grant to applications
- Keep your device up to date, ideally by setting it to patch and update automatically
- If possible, use software-based or hardware token one-time password (OTP) generators instead of SMS
- Before downloading an app, do some research on the developer and the app’s ratings and user reviews
- Use a reputable mobile security solution
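The second and fourth recommendations, reviewing requested permissions and preferring app-based OTP generators over SMS, are related: an app that asks to read or receive SMS can capture SMS-delivered codes, and one that asks to draw over other apps can place fake login screens on top of them. The following is an added example, not ESET’s or Clubhouse’s code, that lists the high-risk permissions an app requests from a decoded AndroidManifest.xml. The manifest is constructed; the permission names and the `android` XML namespace are the real Android identifiers. A real APK stores the manifest in binary XML, so it must be decoded first (for example with apktool) before this parser can read it.

```python
# Added example (not ESET's or Clubhouse's code): review the permissions an
# app requests from its decoded AndroidManifest.xml. SAMPLE_MANIFEST is
# constructed; the permission names are real Android permission identifiers.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that let an app read or intercept SMS one-time codes, draw over
# other apps, install further packages or harvest contacts. An audio chat app
# has no obvious need for any of them.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS": "read stored SMS, including OTP codes",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS, including OTP codes",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw windows on top of other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install additional packages",
    "android.permission.READ_CONTACTS": "read the contact list",
}


def requested_permissions(manifest_xml):
    """Return every permission name declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter("uses-permission"):
        name = elem.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.append(name)
    return names


def risky_permissions(manifest_xml):
    """Map each requested high-risk permission to what it allows."""
    return {
        name: HIGH_RISK_PERMISSIONS[name]
        for name in requested_permissions(manifest_xml)
        if name in HIGH_RISK_PERMISSIONS
    }


# Constructed manifest for a supposed audio chat app: RECORD_AUDIO is
# expected, the SMS and overlay permissions are not.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeaudiochat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>"""

if __name__ == "__main__":
    for name, meaning in risky_permissions(SAMPLE_MANIFEST).items():
        print(f"{name}: {meaning}")
```

The list of high-risk permissions is a judgement call tied to the kind of app being reviewed: a messaging app may legitimately need SMS access, so the useful question is whether each permission matches what the app claims to do.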