This Malicious Clubhouse For Android Piggybacks The Hype, And Finally Failed

Clubhouse, malicious website

Clubhouse is an invitation-only audio chat app. At the time of writing, the social network is all the hype, with lots of people jumping on the bandwagon.

Knowing this, malicious actors are exploiting the situation by piggybacking on the app's massive popularity, which surged following Elon Musk's tweet about it.

Since Clubhouse is, at this time, exclusive to iOS users, some malicious actors created a malicious Android app, hoping to lure in and trap unsuspecting victims who may feel left out compared to their iOS counterparts.

Discovered by ESET Research, this malicious Android app is being served from a clone of the legitimate Clubhouse website.

Fortunately, the app did not manage to slip into the official Google Play Store. Instead, the malicious actors attempted to trick unsuspecting visitors of the cloned website with a 'Get it on Google Play' button, hoping to fool them into believing that the app is legitimate.


If the app is downloaded and executed, the .apk file starts by deploying the BlackRock malware, a banking trojan capable of extensive data theft.

First discovered in May 2020, the BlackRock Trojan can be traced back to Xerxes and LokiBot; the former had its source code leaked online a year prior.

"Xerxes' source code was leaked, no new malware based on, or using portions of, such code was observed," ThreatFabric said in its blog post. "BlackRock seems to be the only Android banking Trojan based on the source code of the Trojan at the moment."

The Trojan is capable of intercepting and tampering with SMS messages, hiding notifications, redirecting users to their device's home screen if they attempt to run antivirus software, and can be used to remotely lock screens.

BlackRock is also smart: it can redirect victims to the device's home screen whenever they try to start an antivirus app.

The antivirus apps that BlackRock specifically watches for include Avast, AVG, Bitdefender, ESET, Symantec, Trend Micro, Kaspersky, McAfee, and Avira. What's more, utility apps designed to clean Android devices, like TotalCommander, SD Maid or Superb Cleaner, are also rendered useless.


BlackRock is capable of:

  • Overlaying.
  • Keylogging.
  • SMS harvesting: SMS listing and SMS forwarding.
  • Device information collection.
  • SMS sending.
  • Remote actions for screen-locking.
  • Self-protection: hiding its app icon and preventing removal.
  • Notifications collection.
  • Grant permissions.
  • Antivirus detection.
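As an added defender-side example that is not part of this article or of ESET's research, the following Python helper maps the declarations in a decoded AndroidManifest.xml of a sideloaded APK (as produced by a decoder such as apktool) onto the capability categories listed above, so an analyst can triage a "Clubhouse for Android" download before it is ever installed. The two manifests and their package names are constructed samples.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Capability categories from the list above, mapped to the manifest declarations
# an app needs in order to carry them out. A hit is a triage indicator, not proof.
CAPABILITY_INDICATORS = {
    "overlaying": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_harvesting": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "sms_sending": {"android.permission.SEND_SMS"},
    "notifications_collection": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "keylogging_grant_permissions": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "screen_locking": {"android.permission.BIND_DEVICE_ADMIN"},
}

def declared_capabilities(manifest_xml: str) -> Dict[str, Set[str]]:
    """Return each capability category whose indicators the manifest declares."""
    root = ET.fromstring(manifest_xml)
    declared = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    # Accessibility, notification-listener and device-admin hooks are not
    # uses-permissions; they show up as android:permission on a component.
    declared |= {e.get(PERM_ATTR) for e in root.iter() if e.get(PERM_ATTR)}
    return {cap: declared & needed
            for cap, needed in CAPABILITY_INDICATORS.items() if declared & needed}

# Constructed sample: a decoded manifest of a fake "Clubhouse" APK carrying the
# capabilities above (placeholder package name, not a real indicator).
FAKE_CLUBHOUSE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.placeholder.clubhouse">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Notif" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed contrast: an audio chat client that only needs network and microphone.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.placeholder.audiochat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/></manifest>"""

if __name__ == "__main__":
    for label, m in (("fake", FAKE_CLUBHOUSE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, sorted(declared_capabilities(m)))
```

A genuine audio chat client has no reason to bind an accessibility service or ask for SMS and overlay rights, so any hit in the first sample is a strong reason to stop and look further.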

BlackRock's most alarming capability is the way it harvests users' account credentials.

Using a method known as “overlays”, the malware draws its own version of a login page on top of the real app to trick users into revealing sensitive information, such as usernames and passwords, and credit card details.

The malware can do this on 226 apps, including on Gmail, Google Play, Hotmail, Instagram, Microsoft Outlook, PayPal, Uber and many more.

What's more, the malware can also steal credit card numbers from an additional 111 apps, including Facebook, Facebook Messenger, Instagram, Pinterest, PlayStation, Reddit, Skype, Snapchat, Telegram, TikTok, Tinder, Twitter, WhatsApp, YouTube and many more.

In this malicious Clubhouse for Android app, the fraudsters' use of a fake Google Play button is meant to stop victims from ever suspecting that they are downloading a malicious app.

Shortly after ESET's finding, Google also blocked the site from being accessed in major browsers through Google Safe Browsing.

Published: 24/03/2021