People seem to always want things they can’t have. It can be a dangerous way of thinking and can lead to unintended consequences. The latest example is the invite-only social media site Clubhouse. Tap or click here to see what Clubhouse is.
The audio chat application has steadily been rising in popularity because not everybody who wants it has it. This creates an unrealistic drive to acquire access, and in some cases, people have been swindled out of money in pursuit of it.
Fairly unknown until Elon Musk tweeted about it, Clubhouse is only available on iOS for now. There are plans to release an Android version, which has spurred scammers to target those who want access at whatever cost.
Here’s the backstory
Invitation-only is a very effective way to create intrigue. It takes a page from basic economics and turns it into a must-have among those who don’t have access. Cybercriminals are using this to trick people into downloading a fake version of Clubhouse.
The app is officially only available for iOS devices, but scammers have set up a bogus website where you can download an imposter Android version. To be clear, there is no Android version (yet), but the website has been made to look very authentic.
The site is similar to the real Clubhouse page, so it’s easy for people not to recognize that it’s completely fake. But instead of having the button for the iOS download, it has been replaced with a “Get it on Google Play” button.
Malicious web claiming to offer #Clubhouse for Android spreads banking trojan Blackrock. It lures credentials from 458 apps – financial, cryptocurrency exchanges & wallets, social, IM and shopping apps. There is currently no official Clubhouse app for Android. #ESETresearch 1/2 pic.twitter.com/azlxjvIgNO— ESET research (@ESETresearch) March 16, 2021
Here’s why it’s dangerous
In addition to there being no official Android app, cybersecurity company ESET did some digging into the app’s code. They found the hallmarks of malicious code, and when it’s installed on your phone, it can steal your banking info.
“The Trojan – nicknamed ‘BlackRock’ by ThreatFabric and detected by ESET products as Android/TrojanDropper.Agent.HLR – can steal victims’ login data for no fewer than 458 online services,” ESET’s Amer Owaida wrote in a blog post.
Here are some of the services the malicious app can steal information from:
- Cash App
- Lloyds Bank
What can you do about it?
The first step in verifying an app for your mobile phone is downloading it from official app stores. If a website or an email directs you somewhere else to download the app, proceed with extreme caution.
That makes this situation especially tricky. Since criminals are spoofing a link to the Google Play Store, victims think it’s a legitimate app. The best way to avoid this scam is to go to the Google Play Store directly, without following a link and searching for apps that you’re interested in downloading.
“It is a well-executed copy of the legitimate Clubhouse website. However, once the user clicks on ‘Get it on Google Play,’ the app will be automatically downloaded onto the user’s device. By contrast, legitimate websites would always redirect the user to Google Play, rather than directly download an Android Package Kit or APK,” explained SET malware researcher Lukas Stefanko.
Here are some tips to keep malicious apps from stealing your banking info:
- Only download apps from official app stores.
- Be aware of the permissions that an app requests, and revoke permissions where necessary.
- Make sure that your device is up to date with the latest patches and firmware.
- It is always a good idea to enable two-factor authentication when available.
Don’t make this mistake using 2FA – Your texts could be hijacked
Seven essential Android security settings: 2FA, spot shady apps, stop location tracking