Date: 2021-03-20

Clubhouse icon seen on a smartphone screen (Image: AP Photo/Mark Schiefelbein)

Audio-based social networking platform Clubhouse, which has gained immense popularity in the last few weeks, is currently limited to iOS devices. Although it will soon expand to Android smartphones as well, the Clubhouse app currently available on Google Play Store is fake and is reportedly injecting malware that steals user data.

The imposter Clubhouse application for Android contains a trojan that has been nicknamed “BlackRock”. The malware was spotted by Ireland-based ESET researcher Lukas Stefanko, who said in a blog post that BlackRock steals login credentials from over 450 applications and is also capable of bypassing SMS-based two-factor authentication.

Stefanko said: “The malicious package is served from a website that has the look and feel of the genuine Clubhouse website. The Android/TrojanDropper.Agent.HLR can steal victims’ login data for no fewer than 458 online services.”

He added: “The target list includes well-known financial and shopping apps, cryptocurrency exchanges, as well as social media and messaging platforms. For starters, Twitter, WhatsApp, Facebook, Amazon, Netflix, Outlook, eBay, Coinbase, Plus500, Cash App, BBVA, and Lloyds Bank are all on the list.”

As soon as a user launches one of the above-mentioned applications, the BlackRock malware creates a “data-stealing overlay of the application and request the user to log in.”

How to identify the fake app?

Stefanko says: “The website looks like the real deal. To be frank, it is a well-executed copy of the legitimate Clubhouse website. However, once the user clicks on ‘Get it on Google Play’, the app will be automatically downloaded onto the user’s device. By contrast, legitimate websites would always redirect the user to Google Play, rather than directly download an Android Package Kit, or APK for short.”

Besides, the URL of the fake Clubhouse app uses the “.mobi” top-level domain instead of “.com”.
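The badge check Stefanko describes can be automated. The following is an added example, not code from ESET or the original article: it statically inspects a page's HTML and flags any “Get it on Google Play” badge whose link does not lead to Google Play. The sample pages, the hostname `lookalike.example.mobi` and the package id `com.example.app` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class BadgeLinkParser(HTMLParser):
    """Collect hrefs of <a> elements whose text or image alt mentions Google Play."""
    def __init__(self):
        super().__init__()
        self.links = []      # hrefs of links that present themselves as a Play badge
        self._href = None    # href of the <a> currently open, if any
        self._label = ""     # visible text and alt text seen inside that <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._label = a.get("href") or "", ""
        elif tag == "img" and self._href is not None:
            self._label += " " + (a.get("alt") or "")

    def handle_data(self, data):
        if self._href is not None:
            self._label += " " + data

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            if "google play" in self._label.lower():
                self.links.append(self._href)
            self._href = None

def check_badges(page_url, html):
    """Return (target_url, verdict) for every Google Play badge on the page."""
    parser = BadgeLinkParser()
    parser.feed(html)
    results = []
    for href in parser.links:
        target = urlparse(urljoin(page_url, href))  # resolve relative links
        if target.scheme == "https" and target.hostname == "play.google.com":
            verdict = "ok: links to Google Play"
        elif target.path.lower().endswith(".apk"):
            verdict = "suspicious: direct APK download"
        else:
            verdict = "suspicious: badge does not lead to Google Play"
        results.append((target.geturl(), verdict))
    return results

# Constructed sample pages (not captured from the real sites).
FAKE = '<a href="/download/app.apk"><img src="badge.png" alt="Get it on Google Play"></a>'
REAL = '<a href="https://play.google.com/store/apps/details?id=com.example.app">Get it on Google Play</a>'

if __name__ == "__main__":
    print(check_badges("https://lookalike.example.mobi/", FAKE))
    print(check_badges("https://www.example.com/", REAL))
```

The check only reads the link target in the HTML; a link that redirects to an APK after the click would need the redirect chain followed as well.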