Researchers at IT security firm ESET have discovered that cyber criminals have made a fake new android application of the popular invite-only audio chat app Clubhouse and are using it to spread the BlackRock malware to millions of Android device users.
As of now, the Clubhouse mobile application is only available on Apple's iOS operating system. However, cyber criminals have designed a fake Android version that contains malware and can be used for stealing credentials.
In a blog post, the security firm said that the fake Android version of the Clubhouse application was identified by security researcher Lukas Stefanko on a website that has the look and feel of the genuine Clubhouse website. The fake Android application contains a malware trojan named “BlackRock” that can perform a number of malicious activities.
Once deployed, BlackRock can steal credentials for hundreds of online services, including several popular ones. These include well-known financial and shopping apps, cryptocurrency exchanges, social media and messaging platforms like Twitter, WhatsApp, Facebook, Amazon, Netflix, Outlook, eBay, Coinbase, Plus500, Cash App, BBVA, and Lloyds Bank.
“The trojan – nicknamed “BlackRock” by ThreatFabric and detected by ESET as Android/TrojanDropper.Agent.HLR – can steal victims’ login data for no fewer than 458 online services,” ESET said.
According to Stefanko, the fake website, which is used by hackers to distribute the fake Clubhouse app, mimics the Clubhouse website and once any user clicks on the ‘Get it on Google Play' link, the app will be automatically downloaded onto the user’s device, whereas in case of a legitimate website, users will always be redirected to the Google Play Store, rather than directly downloading an Android Package Kit.
“Even before tapping the button, there are signs that something is amiss, such as the connection not being secure (HTTP instead of HTTPS) or that the site uses the “.mobi” top-level domain (TLD), rather than “.com” used by the legitimate app. Another red flag should be that even though Clubhouse is indeed planning to launch the Android version of its app soon, the platform is at present still available only for iPhones,” ESET said.
Once the BlackRock Trojan is installed, it tries to steal credentials using an overlay attack. Whenever a user launches the fake app after downloading it, the malware asks the user to log in to online services, and captures the user's credentials when they are entered. Furthermore, SMS-based two-factor authentication will also not help the user as BlackRock has the ability to intercept text messages as well.
Commenting on the discovery of the fake Clubhouse app, Sam Bakken, Senior Product Marketing Manager at OneSpan, said that “it's important for consumers to default to only downloading mobile apps from official app stores, but even then there's risk. If you're excited about the availability of a new app, chances are you are not alone. Criminals are very good at taking advantage of our anticipation, it's a human vulnerability ripe for exploit.”
“If you're excited about Clubhouse (and others) and surprised by its sudden availability, be careful not to let your guard down. I personally try to avoid clicking any "Get it on Google Play" or "Download on the App Store" links and instead, opt searching for those stores directly. This incident highlights the need for three things.
“First, it's time for all financial services apps to integrate biometric authentication. The overlay attacks that steal static usernames and passwords are only becoming easier for criminals to execute. Biometric authentication gives users a way to protect themselves.
“Second, this mobile banking Trojan has SMS-grabbing capabilities and at this point, I view authentication codes sent via SMS as security threat. Third, time and time again we see evidence that attackers are working hard to cheat mobile banking users.
“Banks can take additional steps to protect their users against overlay attacks and other mobile vulnerabilities and exploits with app shielding, an advanced mobile app security that travels with the banking app to protect the institution and their users against mobile banking threats similar to this one,” he added.