Posted on March 22, 2021 at 11:11 AM
Security researchers have warned about scammers taking advantage of the audio chat app Clubhouse and delivering malware through fake Android versions of the app. According to reports, the malware steals login details for more than 450 apps.
Clubhouse has gained prominence over the past few months, as more participants started using its audio-chat rooms to discuss anything from relationships to politics. The app was launched only last year, but it has been downloaded almost 13 million times, making it one of the fastest-rising chat apps.
However, the app is currently available only through Apple’s App Store; there is no Android version yet.
Cybercriminals are taking advantage of this gap to deceive Android users and plant malware on their devices. They have created a fake Android app for Clubhouse and deliver it through a counterfeit Clubhouse website built for that purpose.
Lukas Stefanko, a security researcher at cybersecurity firm ESET, stated that the website created by the scammers closely resembles the original Clubhouse website, which makes it more convincing to Android users. “To be frank, it is a well-executed copy of the legitimate Clubhouse website,” Stefanko said.
The bogus Android Clubhouse app carries a Trojan called “BlackRock”, which steals information from Android users who fall victim to the scam.
The targeted services include messaging platforms, social media services, cryptocurrency exchanges, shopping, and financial apps.
The malicious website also directs users to download the app directly from the site rather than through Google Play. This made some users skeptical, since the site offers no Google Play option, as legitimate Android apps normally do.
An invitation for criminals
Cybercriminals usually target online experiences that become popular. One risk in launching such an experience is offering it on only one of the two major platforms, Apple or Android. When it goes viral on one platform, users of the other will be eager to get it too.
This leaves a window of opportunity for cybercriminals who may want to exploit users by providing a fake version. According to Tim Mackey, principal security strategist at Synopsys, that is exactly what happened in this recent incident.
It’s not clear how potential victims get to know this website, but Stefanko pointed out that the site is probably spread through third-party sites, forums, or social media.
The site has a button that directs victims to download the app. When they click it, the BlackRock Trojan is installed on their device. The Trojan was discovered in July last year. It is a variant of the LokiBot Trojan and targets financial services as well as some popular apps on Android devices.
The malware targets major apps on the victim’s device
The list of apps the malware targets on infected devices includes Lloyds Bank, BBVA, Cash App, Plus500, Coinbase, eBay, Outlook, Netflix, Amazon, WhatsApp and Twitter.
The Trojan uses an overlay attack to steal credentials, one of the most common techniques used by malicious Android apps. The malware draws a data-stealing overlay on top of the legitimate app the victim wants to use and asks them to log in.
While logging in, the victim unknowingly hands their login details to the cybercriminal.
The malicious app also asks the victim to enable accessibility services on the phone; it then abuses that access to grant itself further permissions without the victim’s knowledge.
Malware is capable of abusing 2-factor authentication
These permissions, once granted, give the malware access to SMS messages, cameras, contacts, and other areas.
If the criminals can read SMS messages, they may also obtain SMS-based two-factor authentication codes, which they can use for further account takeovers. This circumvents 2FA protection on the user’s Android phone for any app that delivers its codes by SMS.
Instead of using “Clubhouse” as its name, the app calls itself “install”, a good indication that it is malicious. The worry, however, is that the malware developers could come up with more sophisticated versions in the future that are far harder to detect.
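The indicators the article describes (a sideloaded install, an app label that does not match the expected name, the draw-over-apps permission used for overlay phishing, a declared accessibility service, and SMS permissions that expose 2FA codes) can be checked mechanically against a decoded AndroidManifest.xml. The script below is an added example for this article, not code from ESET, Synopsys or the article's author. It assumes the manifest has already been decoded to plain XML with a literal `android:label` (real manifests usually use a resource reference, which would need resolving first); both manifests and the package names in them are constructed for illustration.

```python
"""Triage heuristic for sideloaded Android apps.

Parses a decoded AndroidManifest.xml and reports the indicator combination
associated with overlay bankers such as the one described in the article:
overlay permission, accessibility service, SMS access, mismatched app label.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability groups that, combined, match the behaviour described above.
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def parse_manifest(xml_text):
    """Extract package name, app label, requested permissions and whether an
    accessibility service is declared from decoded manifest XML."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    permissions = {
        node.get(ANDROID_NS + "name", "") for node in root.findall("uses-permission")
    }
    has_accessibility = False
    if app is not None:
        for svc in app.findall("service"):
            binds = svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND
            actions = {
                a.get(ANDROID_NS + "name", "") for a in svc.findall("intent-filter/action")
            }
            if binds or ACCESSIBILITY_ACTION in actions:
                has_accessibility = True
    return {
        "package": root.get("package", ""),
        "label": label,
        "permissions": permissions,
        "accessibility_service": has_accessibility,
    }


def assess(xml_text, expected_label, sideloaded):
    """Return human-readable findings; an empty list means none of the
    indicators discussed in the article were present."""
    info = parse_manifest(xml_text)
    findings = []
    if sideloaded:
        findings.append("installed from outside Google Play")
    if info["label"] and info["label"].lower() != expected_label.lower():
        findings.append(f"app label {info['label']!r} does not match {expected_label!r}")
    if OVERLAY_PERMISSION in info["permissions"]:
        findings.append("can draw over other apps (overlay phishing)")
    if info["accessibility_service"]:
        findings.append("declares an accessibility service (can auto-grant permissions)")
    if info["permissions"] & SMS_PERMISSIONS:
        findings.append("can read incoming SMS (2FA code interception)")
    return findings


# Constructed manifests (placeholder package names, not real samples).
FAKE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeclubhouse">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="install">
        <service android:name=".Acc"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chatapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="Clubhouse"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml, sideloaded in (("fake", FAKE_MANIFEST, True),
                                  ("benign", BENIGN_MANIFEST, False)):
        print(name, assess(xml, "Clubhouse", sideloaded) or ["no indicators"])
```

None of these indicators is conclusive on its own (a legitimate SMS app needs READ_SMS, a screen reader needs an accessibility service); it is the combination of overlay, accessibility and SMS access in an app installed from a website, under a name that does not match what it claims to be, that warrants blocking or further analysis.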