The new audio-centric Clubhouse app is the latest social network that everyone is buzzing about. Its cachet has risen so precipitously that it has attracted participation from big tech industry names like Bill Gates and Elon Musk, while Facebook is going so far as to try to cobble together its own knock-off version of the service to blunt its growth. Heck, Facebook CEO Mark Zuckerberg himself has even put in an appearance during one of the Clubhouse “shows,” which are essentially audio-only gatherings with a host and guests who are given fairly free rein to say what they want, while you, the audience, can listen in real time.
And here’s one of the most important details to note right now about Clubhouse: At the time of this writing, the Clubhouse app is still iOS-only. During the most recent Clubhouse “Townhall” event over the weekend, Clubhouse co-founder Paul Davison said that an Android app launch for Clubhouse is at least a “couple of months” away, now that the company has hired an Android software developer. In the interim, however, hackers are trying to take advantage of the fact that people are anxious for an Android version of Clubhouse to arrive.
Indeed, according to antivirus provider ESET, cybercriminals are attempting to take advantage of Clubhouse’s popularity to trick people into falling for a malware scheme.
ESET malware researcher Lukas Stefanko found a Trojan program on a fake Clubhouse website (at “joinclubhouse[.]mobi”) that looks identical to the real thing, except for one obvious giveaway: it claims to offer an Android version of the Clubhouse app from the Google Play Store, which, again, does not exist yet. Per Stefanko’s analysis, if you download this particular faux Clubhouse app, the Trojan program will start working to steal your login credentials from more than 450 apps and services, such as social media sites, in addition to bypassing SMS-based two-factor authentication.
Malicious web claiming to offer #Clubhouse for Android spreads banking trojan Blackrock. It lures credentials from 458 apps – financial, cryptocurrency exchanges & wallets, social, IM and shopping apps. There is currently no official Clubhouse app for Android. #ESETresearch 1/2 pic.twitter.com/azlxjvIgNO
— ESET research (@ESETresearch) March 16, 2021
The “BlackRock” Trojan actually targets at least 458 online services, including shopping apps, cryptocurrency exchanges, and popular services that include Twitter, WhatsApp, Facebook, Amazon, Netflix, Outlook, eBay, Coinbase, and the Cash app, to name a few.
“The website looks like the real deal,” Stefanko says. “To be frank, it is a well-executed copy of the legitimate Clubhouse website. However, once the user clicks on ‘Get it on Google Play’, the app will be automatically downloaded onto the user’s device. By contrast, legitimate websites would always redirect the user to Google Play, rather than directly download an Android Package Kit, or APK for short.”
Besides the most obvious red flag (that Clubhouse itself has said an Android version is still months away), Stefanko adds that you can tell something is not right because the connection is not shown as HTTPS once the user taps the fake “Get it on Google Play” option. Also, the site uses the top-level domain “.mobi” rather than the “.com” used by the actual app. So, again, beware of schemes like these that capitalize on the app’s popularity to take advantage of unsuspecting users.
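The red flags Stefanko lists can be written down as a simple link check. The sketch below is an added example, not ESET's tooling or code from the original article. The function and flag names are hypothetical, the URL paths and package id are constructed, and the official host "joinclubhouse.com" is an assumption inferred from the article's “.com” remark.

```python
from urllib.parse import urlsplit

APK_MIME = "application/vnd.android.package-archive"
PLAY_HOST = "play.google.com"

def refang(url):
    """Turn a defanged indicator (hxxp, [.]) back into a parseable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http", 1)

def _host(url):
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def badge_red_flags(page_url, badge_target, official_host, content_type=None):
    """Return the red flags raised by a 'Get it on Google Play' link."""
    page_url, badge_target = refang(page_url), refang(badge_target)
    target = urlsplit(badge_target)
    mime = (content_type or "").split(";")[0].strip().lower()
    flags = []
    # A legitimate badge redirects to Google Play instead of serving a file.
    if _host(badge_target) != PLAY_HOST:
        flags.append("badge_not_google_play")
    # The link hands over an Android Package Kit directly.
    if target.path.lower().endswith(".apk") or mime == APK_MIME:
        flags.append("direct_apk_download")
    # The connection after tapping the badge is not HTTPS.
    if target.scheme != "https":
        flags.append("no_https")
    # Same site name as the official host, different top-level domain.
    name, _, tld = _host(page_url).rpartition(".")
    o_name, _, o_tld = official_host.lower().rpartition(".")
    if name == o_name and tld != o_tld:
        flags.append("lookalike_tld")
    return flags

OFFICIAL = "joinclubhouse.com"  # assumption, see lead-in
# Constructed samples: the domain is the one named in the article, paths are made up.
FAKE = ("hxxp://joinclubhouse[.]mobi/",
        "hxxp://joinclubhouse[.]mobi/download/Clubhouse.apk")
LEGIT = ("https://joinclubhouse.com/",
         "https://play.google.com/store/apps/details?id=com.example.app")

if __name__ == "__main__":
    for page, target in (FAKE, LEGIT):
        print(page, "->", badge_red_flags(page, target, OFFICIAL) or "no red flags")
```

The optional content_type argument covers download links whose path does not end in .apk but whose response header still identifies an Android package.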