No, you haven't been invited to join Clubhouse - it's an Android trojan

Clubhouse
(Image credit: Clubhouse)

The invitation-only audio chat app Clubhouse (opens in new tab) is tremendously popular at the moment which is why cybercriminals have created a fake Android version of the app in order to deliver malware (opens in new tab) capable of stealing user credentials from hundreds of online services.

The fake app was discovered by ESET (opens in new tab) malware researcher Lukas Stefanko on a website designed to mimic the look and feel of the legitimate Clubhouse site. While the company eventually plans to release an Android version (opens in new tab), its app is currently only available on iOS.

The fake Android Clubhouse app doesn't allow you to access the service and it also contains a trojan nicknamed  “BlackRock” by ThreatFabric (opens in new tab) and detected by ESET as Android/TrojanDropper.Agent.HLR.

Stefanko provided further insight on the fake app's first big red flag in a blog post (opens in new tab), saying:

“The website looks like the real deal. To be frank, it is a well-executed copy of the legitimate Clubhouse website. However, once the user clicks on ‘Get it on Google Play’, the app will be automatically downloaded onto the user’s device. By contrast, legitimate websites would always redirect the user to Google Play, rather than directly download an Android Package Kit, or APK for short.”

Fake Clubhouse app

The fake Clubhouse app being circulated online is able to steal victims' login data from 458 different online services including well-known financial and shopping apps, cryptocurrency exchanges (opens in new tab), social media services and messaging platforms. The BlackRock trojan included in the app can steal credentials from Twitter, WhatsApp, Facebook, Amazon, Netflix, Microsoft Outlook, eBay, Coinbase, Cash App, BBVA and Loyds Bank among other apps and online services.

Realizing the impostor Clubhouse website and app are fake isn't that difficult though, especially if you know what to look for. For instance, the website uses the top-level domain (TLD (opens in new tab)) “.mobi” instead of “.com” and if a user does end up downloading the .apk file from the site, the name of the downloaded app is “Install” instead of “Clubhouse”.

Once a victim downloads and installs the fake app, the BlackRock trojan tries to harvest their credentials by using an overlay attack (opens in new tab). In this kind of attack, whenever a user launches one of the targeted applications on their smartphone, the malware creates an overlay of the application and requests that they login. However, instead of logging into an app, the users is actually unwittingly handing over their credentials to the cybercriminals behind the campaign.

To make matters worse, even using SMS-based two-factor authentication (opens in new tab) won't help victims as the malware also has the ability to intercept their text messages. The fake Clubhouse app also asks victims to enable accessibility services to give the attackers even more control over their devices.

While you may be tempted to download this fake Clubhouse app especially if you're an Android user, it is strongly recommended that you wait for the company to release an official version and only install apps directly from the Google Play Store (opens in new tab).

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.