Fake Clubhouse App for Android Found Housing the Dangerous BlackRock Malware

essidsolutions

Hackers are using a fake Clubhouse app to inject the BlackRock malware into as many Android devices as possible and are distributing the app on a lookalike website. The malware is capable of stealing online credentials and can bypass two-factor authentication by intercepting text messages.

Audio chat service Clubhouse’s popularity has attracted some bad actors keen on exploiting the enthusiasm of eager Android users. According to a new report, threat actors are disguising a new malware called BlackRock in a fake version of the Clubhouse app to steal user credentials associated with an astounding 458 online websites and services. The affected services include financial apps, shopping apps, cryptocurrency exchanges, social media sites, messaging services, and more.

Some of the popular services targeted by the BlackRock malware include Twitter, WhatsApp, Facebook, Amazon, Netflix, Outlook, eBay, Coinbase, Plus500, Cash App, BBVA, and Lloyds Bank, among others.

BlackRock was recently discovered by ESET malware analyst Lukas Stefanko. The malware was found hidden within a fake version of the invite-only social app and is being distributed over a bogus website called joinclubhouse.mobi, which mimics the actual web address of Clubhouse: joinclubhouse.com.

“The website looks like the real deal. To be frank, it is a well-executed copy of the legitimate Clubhouse website,” said Stefanko. “However, once the user clicks on ‘Get it on Google Play’, the app will be automatically downloaded onto the user’s device. By contrast, legitimate websites would always redirect the user to Google Play, rather than directly download an Android Package Kit, or APK for short.”


Once BlackRock infiltrates an Android device via the fake and malicious Clubhouse app, it executes an overlay attack: whenever any of the 458 targeted apps is launched, the user is prompted to log in. “Whenever the user launches one of the targeted applications, the malware will create a data-stealing overlay of the application and request the user to log in. Instead of logging in, the user unwittingly hands over their credentials to the cybercriminals,” ESET said.

BlackRock can steal login information and bypass two-factor authentication mechanisms by intercepting incoming text messages, whose contents are usually a one-time password (OTP).

So how can one mitigate the threat? The key to defeating fraud is awareness. Here are some facts Android users should be aware of to keep their devices protected at all times:

  • Clubhouse isn’t released for Android yet
  • The fake, trojanized app is being distributed from a fake website and not through the Play Store
  • The connection to the phony website is unencrypted, using HTTP instead of HTTPS (refer to screenshot above)
  • The fake .apk installation package’s name is ‘Install,’ and not ‘Clubhouse’ as it should be

Android device users can also take the following steps to secure their personal data:

  • Wait for an official launch from the legitimate Clubhouse vendor (joinclubhouse.com)
  • Be wary of this and other fake websites that mimic legitimate ones
  • Use official app stores to install applications
  • Keep track of permissions granted to installed apps
  • Use software-based or hardware token OTP generators instead of SMS
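The overlay attack and SMS interception described above correspond to two permission families on Android, so the advice to keep track of granted permissions can be turned into a concrete check. The following Python script is an added example, not part of the original article or of ESET's research: it parses `dumpsys package` output (a constructed sample whose format is approximated from real devices; the package names are assumptions) and flags any package that holds both the draw-over-other-apps permission and an SMS permission.

```python
import re

# Constructed sample of `adb shell dumpsys package` output for two packages.
# Format approximated from real devices (irrelevant lines omitted); it is not
# a capture of the fake Clubhouse app.
SAMPLE_DUMPSYS = """\
Package [com.example.fakeclub] (1a2b3c):
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET]
        android.permission.READ_SMS: granted=false, flags=[ USER_SET]
Package [com.example.notes] (4d5e6f):
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
"""

OVERLAY = {"android.permission.SYSTEM_ALERT_WINDOW"}
SMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

def parse_granted(dump):
    """Map package name -> set of permissions reported as granted=true."""
    granted, current = {}, None
    for line in dump.splitlines():
        pkg = re.match(r"Package \[([\w.]+)\]", line)
        if pkg:
            current = pkg.group(1)
            granted[current] = set()
            continue
        perm = re.match(r"\s*([\w.]+): granted=true", line)
        if perm and current:
            granted[current].add(perm.group(1))
    return granted

def flag_overlay_plus_sms(dump):
    """Packages that can both draw over other apps and receive/read SMS,
    the combination a login overlay plus OTP interception relies on."""
    return sorted(pkg for pkg, perms in parse_granted(dump).items()
                  if perms & OVERLAY and perms & SMS)

if __name__ == "__main__":
    for pkg in flag_overlay_plus_sms(SAMPLE_DUMPSYS):
        print("review overlay+SMS app:", pkg)
```

On a real device, feed it the output of `adb shell dumpsys package` for the packages under review; note that on recent Android versions the draw-over-other-apps permission is managed as an app op and may not appear as granted=true there, so also check `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`.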

Clubhouse was valued at $1 billion in January, up 90% since its Series A funding back in May last year, and boasted 8.1 million users, including Tesla CEO Elon Musk, in February. The app’s popularity skyrocketed in January after its $100 million Series B funding and support from popular tech personalities such as Musk and Facebook CEO Mark Zuckerberg.

Clubhouse ran into trouble in February when a user discovered they could stream audio feeds from the app’s chatrooms to a third-party website, raising privacy concerns. Concerns also mounted when it came to light that Agora, a China-based company, handled the app’s backend operations.
