Fake Clubhouse Android App Aims to Steal Facebook, Twitter Login Details

Cybercriminals attempted to steal Android users' passwords using malware posing as the popular platform Clubhouse, researchers say.

In recent months, the legitimate audio chat room app attracted a wave of celebrity users including Facebook boss Mark Zuckerberg and SpaceX boss Elon Musk. It also remains invite-only, which means some social media users are willing to pay for access.

It has generated significant media headlines and currently has an air of exclusivity, so it's easy to see why Clubhouse was chosen as a lure by hackers.

The culprits of the campaign—whose identities are unknown—were trying to exploit the popularity of the brand to steal login credentials, according to malware researcher Lukas Stefanko of the Slovakia-based antivirus and security company ESET.

A trojan claiming to be an Android version of the platform was circulated via a site built to mirror the genuine version. If a victim clicked a button that read "Get it on Google Play" they would be delivered a sneaky type of malware nicknamed BlackRock.

Known as a trojan, the malware was programmed to pose as hundreds of social media, shopping, crypto and banking services. ESET said its known target list includes Twitter, WhatsApp, Facebook, Amazon, Netflix, eBay, Coinbase, Cash App and more.

Malicious web claiming to offer #Clubhouse for Android spreads banking trojan Blackrock. It lures credentials from 458 apps - financial, cryptocurrency exchanges & wallets, social, IM and shopping apps. There is currently no official Clubhouse app for Android. #ESETresearch 1/2 pic.twitter.com/azlxjvIgNO

— ESET research (@ESETresearch) March 16, 2021

As always with such campaigns, there were clear signs that something was amiss, such as the site having an unsecure connection and a different domain from the real site.

Another major red flag was that the downloaded file, when asking for permissions, would simply say "Install" and was not specifically labeled as being Clubhouse.

"While this demonstrates that the malware creator was probably too lazy to disguise the downloaded application properly, it could also mean that we may discover even more sophisticated copycats in the future," Stefanko said in a statement.

He continued: "The site looks like the real deal. To be frank, it is a well-executed copy of the legitimate Clubhouse website. However, once the user clicks on 'Get it on Google Play' the app will be automatically downloaded onto the user's device.

"By contrast, legitimate websites would always redirect the user to Google Play, rather than directly download an Android Package Kit, or APK for short."

The BlackRock trojan uses what is known as an "overlay attack," which essentially aims to trick a user into entering their login details into a form made to look like the real apps. Rather than logging the user in, the form would send the details directly to the hackers.

The difference in the URLs between the fraudulent (left) and legitimate (right) website. ESET

Perhaps the biggest red flag of all was that Clubhouse doesn't currently offer an Android app. For now, it's only available to be downloaded via Apple's App Store for iOS.

Clubhouse said in a January blog post it would be starting work on an Android version soon, but a release date still remains unknown. It has been contacted for comment. The hackers' website domain now contains a malware warning.

While it remains unclear how many people were affected, Stefanko told Newsweek on Friday the number was likely to be smaller due to the "Install" naming.

"Unfortunately there aren't any indicators that could help to enumerate the number of affected users, but in my opinion there probably were not many because of the name Install, not Clubhouse. It could have been more sophisticated than this," he said.

Tom Lysemose Hansen, chief technology officer at app security firm Promon, said it was a "classic case of malware" and mobile users need to be aware of online risks.

"It was only a matter of time before malicious actors capitalised on the growing demand for Clubhouse to release an Android app," he said. "Users... should never download an app from a third party; only ever download apps from the official Google Play Store."
