Android users need to stay on alert and not download a bogus, official-looking app that could seriously cost them. Security experts are warning that a fake version of the hot new app on the block – Clubhouse – is being circulated. Clubhouse is a VIP messenger app that celebrities such as Elon Musk, Oprah and Kanye West have helped surge in popularity and demand.
And the exclusive nature of the app is something scammers are trying to capitalise on.
As outlined in a study by ESET, a fake version of the yet-to-be-released Android version of Clubhouse is being spread via an official-looking website.
The website, which looks very similar to the official Clubhouse page, features a ‘Get it on Google Play’ button.
However, instead of being directed to the official Android app marketplace, anyone who clicks on this button will get a fake app loaded with the BlackRock trojan downloaded onto their device.
This is an especially nasty piece of malware that can steal victims’ login details for 458 services.
Popular apps targeted by BlackRock include Twitter, WhatsApp, Facebook, Amazon, Netflix, Outlook and eBay.
Financial apps including Coinbase and Cash App, along with apps for major banks such as BBVA and Lloyds Bank, have also been targeted.
The dangerous malware threat was discovered by ESET malware researcher Lukas Stefanko.
Speaking about the threat, Stefanko said: “The website looks like the real deal. To be frank, it is a well-executed copy of the legitimate Clubhouse website. However, once the user clicks on ‘Get it on Google Play’, the app will be automatically downloaded onto the user’s device. By contrast, legitimate websites would always redirect the user to Google Play, rather than directly download an Android Package Kit, or APK for short.”
There are a number of red flags that the alleged Clubhouse Android app website is a fake one.
The clearest sign that this is all part of a scam is the fake app users end up downloading. Instead of being called Clubhouse, it is labelled ‘install’.
Stefanko said: “While this demonstrates that the malware creator was probably too lazy to disguise the downloaded app properly, it could also mean that we may discover even more sophisticated copycats in the future”.
Another sign that the website offering the alleged Clubhouse Android app is bogus is that it does not use the secure HTTPS protocol, which all major websites adopt.
Tom Lysemose Hansen, CTO at Norwegian app security company Promon, added: “Smartphone users (and Android users in particular) should be on the lookout for common tell-tale signs that indicate a website is not legitimate. These can include not being secure (if the webpage starts with HTTP instead of HTTPS) or if the domain looks strange (in this case it was .mobi instead of .com used by the legitimate website).”
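The red flags described above (no HTTPS, a domain that differs from the official one, and a store badge that downloads an APK instead of leading to Google Play) can be checked mechanically. The following Python sketch is an added example, not code from ESET or Promon; the domains `example.com` and `example.mobi` and the sample HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PLAY_HOST = "play.google.com"

class BadgeFinder(HTMLParser):
    """Collect hrefs of <a> elements whose text or image alt mentions Google Play."""
    def __init__(self):
        super().__init__()
        self.href = None   # href of the <a> currently open, if any
        self.label = ""    # text and alt text seen inside that <a>
        self.badges = []   # hrefs of anchors that look like a store badge

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self.href, self.label = attrs.get("href") or "", ""
        elif tag == "img" and self.href is not None:
            self.label += attrs.get("alt") or ""

    def handle_data(self, data):
        if self.href is not None:
            self.label += data

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            if "google play" in self.label.lower():
                self.badges.append(self.href)
            self.href = None

def red_flags(page_url, html, official_domain):
    """Return the warning signs found on a page that offers an Android app."""
    flags, page = [], urlparse(page_url)
    host = (page.hostname or "").lower()
    if page.scheme != "https":
        flags.append("page served without HTTPS")
    if host != official_domain and not host.endswith("." + official_domain):
        flags.append("domain differs from official site")
    finder = BadgeFinder()
    finder.feed(html)
    for href in finder.badges:
        target = urlparse(urljoin(page_url, href))  # resolve relative links
        if target.hostname != PLAY_HOST:
            flags.append("store badge does not lead to Google Play")
        if target.path.lower().endswith(".apk"):
            flags.append("store badge downloads an APK directly")
    return flags

# Constructed sample page: a badge image linking straight to an APK file.
SAMPLE_HTML = '<a href="/dl/install.apk"><img alt="Get it on Google Play" src="b.png"></a>'
```

Calling `red_flags("http://example.mobi/", SAMPLE_HTML, "example.com")` reports all four signs, while a page on the official domain whose badge links to `play.google.com` returns an empty list.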
Advising people on how to stay safe from such threats, ESET recommended a number of top security tips…
• Use only the official stores to download apps to your devices.
• Be wary of what kinds of permissions you grant to applications.
• Keep your device up to date, ideally by setting it to patch and update automatically.
• If possible, use software-based or hardware token one-time password (OTP) generators instead of SMS.
• Before downloading an app, do some research on the developer and the app’s ratings and user reviews.
• Use a reputable mobile security solution.