Hackers Spread BlackRock Malware through Fake Android Clubhouse App
Clubhouse is a new social media trend that is gaining popularity through it audio-chat rooms and has reached almost 13 million downloads. Researchers are now warning of a fake version of the audio chat app, which delivers malware that steals login credentials for more than 450 applications.
First released only months ago, the Clubhouse app is only available on Apple’s App Store, though an official Android version is currently being produced. The lack of official Android support has presented an opportunity to hackers who have created a fake Android version that purports to be real. To add legitimacy to the scam, the malicious app is hosted on a website purporting to be the real Clubhouse website, which researchers claim “looks like the real deal.”
It’s not known how this website is discovered by potential victims, but malware researchers believe that the website is most likely spread via social media or third-party websites like forums. The fraudulent website (joinclubhouse[.]mobi) looks identical to the real Clubhouse website (joinclubhouse.com) – both tell users that they can join with an invite from an existing user, with a call to action: “Sign up to see if you have friends on Clubhouse who can let you in.” While the real website points to users to download the app on the store, the fake site tells users to get the app on Google Play.
However, upon closer inspection the fake website has multiple red flags that could alert potential victims that something is off – such as the connection being HTTP rather than HTTPS, and the fact that the site uses the .mobi top-level domain (rather than the .com used by the legitimate domain).
If the victim should click on the button that purports to download the app, a trojan called BlackRock is installed on their system. This malware, discovered in July, is a variant of the LokiBot trojan that attacks not just financial and banking apps, but also a massive list of well-known and commonly used brand-name apps on Android devices. The malware is notorious for its ability to steal victims’ login information from over 450 online services.
The targeted list of app credentials includes well-known financial and shopping apps, cryptocurrency exchanges and social media and messaging apps – including Twitter, WhatsApp, Facebook, Amazon, Netflix, Outlook, eBay, Coinbase, Plus500, Cash App, BBVA and Lloyds Bank.
The trojan swipes credentials using an overlay attack – which is a common type of attack for malicious Android apps. In this type of attack, the malware will create a data-stealing overlay of the application that the victim is navigating to, and request the user to log in. However, while the victim believes he is logging in, he is unwittingly handing over his credentials to the cybercriminals.
Android users can protect themselves by always sticking to official mobile app marketplaces to download apps to their devices, staying wary of the permissions they grant to applications and keeping their devices up to date via patching and otherwise.