Fraudsters jump on Clubhouse hype to push malicious Android app

The BlackRock Trojan is lurking in the malicious, fake Android version of Clubhouse.
Written by Charlie Osborne, Contributing Writer

A new malicious app is making the rounds that pretends to be the sought-after Android version of Clubhouse. 

Clubhouse is an invitation-only audio chat app that allows users to listen in on conversations in real-time. Attention around the app exploded after Elon Musk tweeted about the app, but as a free service only currently available on iOS, Android device holders may be feeling somewhat left out. 

The startup is yet to launch an Android version of Clubhouse, but until then, fraudsters are hoping to fool users into downloading malicious software. 

On Friday, ESET disclosed the discovery of an Android app that is being served from a clone of the Clubhouse website. While thankfully not found to have slipped the security net on Google Play -- the official repository for Android applications -- researcher Lukas Stefanko said the website uses a "Get it on Google Play" button to try and fool visitors into believing the app is legitimate. 


If downloaded and executed, the malicious .APK deploys BlackRock, a banking Trojan capable of extensive data theft. 

Discovered in May 2020, the BlackRock Trojan was traced back to Xerxes and LokiBot, the former of which had its source code leaked online a year prior.  

"Xerxes' source code was leaked, no new malware based on, or using portions of, such code was observed," ThreatFabric said in an advisory last year. "BlackRock seems to be the only Android banking Trojan based on the source code of the Trojan at the moment."

The Trojan is capable of intercepting and tampering with SMS messages, hiding notifications, redirecting users to their device's home screen if they attempt to run antivirus software, and can be used to remotely lock screens. 

When it comes to information theft, BlackRock is not only able to steal device/OS information and text messages. Instead, ESET says the malware is equipped to steal content from no less than 458 online services.

When an unwitting victim opens the app service they want to access, an overlay attack is performed. This overlay will request the victim's credentials which, once submitted, are then whisked away to the malware's operator. 

Target services include Facebook, Amazon, Netflix, Twitter, Cash App, Lloyds Bank, and a variety of other financial, retail, and cryptocurrency exchange platforms. 

"Using SMS-based two-factor authentication (2FA) to help prevent anyone from infiltrating your accounts wouldn't necessarily help in this case, since the malware can also intercept text messages," ESET says. "The malicious app also asks the victim to enable accessibility services, effectively allowing the criminals to take control of the device."

While the use of a fake Google button may be a clever way to stop victims from realizing they are downloading a malicious .APK, navigating to the Google Play Store platform directly can mitigate the risk of being caught in this way. In addition, keeping device firmware up-to-date, monitoring the permissions you give to new apps, and using mobile antivirus software can help you stay protected.  

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards