ESET has uncovered malware designed to leverage the growing popularity of invite-only social media app Clubhouse.
Revealing its findings in a blog post, the cybersecurity firm said the Trojan malware aims to steal users’ login information for a variety of online services. Disguised as an Android version of the audio chat app (which does not currently exist), it is capable of taking credentials for over 450 apps and is also able to bypass SMS-based two-factor authentication (2FA).
In the scheme, users are tricked into downloading the fake app from a website that has the look and feel of the genuine Clubhouse website. Once the malware, nicknamed “BlackRock,” is downloaded onto a device, it can set about stealing login details for 458 online services. The online services targeted include Twitter, WhatsApp, Facebook, Amazon, Netflix, Outlook, eBay, Coinbase, Plus500, Cash App, BBVA and Lloyds Bank.
BlackRock uses an overlay attack to try to steal the victim’s credentials whenever one of the targeted applications is launched. Following the overlay, the user is asked to log in, unwittingly handing over their credentials to the attackers.
Worryingly, the malware can also intercept text messages, meaning SMS-based 2FA will not necessarily help. Additionally, the malicious app asks the victim to enable accessibility services, which would allow the cyber-criminals to effectively take control of the device.
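The three capabilities described above (overlays over other apps, interception of SMS, and abuse of accessibility services) each leave a trace in an app's manifest. The following is an added triage script, not code from ESET or from the report; it assumes the manifest has already been decoded from the APK to plain XML (for example with apktool), and the two sample manifests embedded in it are constructed for illustration, not taken from the real sample.

```python
"""Triage a decoded AndroidManifest.xml for the capability combination
the article describes: overlay drawing, SMS interception and an
accessibility service. Added example; manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> "capability: why it matters" (labels are ours, not Android's).
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay: can draw fake login screens over other apps",
    "android.permission.RECEIVE_SMS": "sms: can read incoming 2FA codes",
    "android.permission.READ_SMS": "sms: can read stored 2FA codes",
    "android.permission.REQUEST_INSTALL_PACKAGES": "sideload: can install further packages",
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest mimicking a credential-stealing app posing as a chat app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeaudio">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Clubhouse">
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed manifest of a benign audio app for comparison.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.audiochat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="AudioChat"/>
</manifest>
"""


def triage_manifest(xml_text):
    """Return package name, flagged permissions, accessibility services,
    the capability set they imply, and a coarse verdict."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    permissions = [p.get(ANDROID_NS + "name", "") for p in root.iter("uses-permission")]
    flagged = {p: RISKY_PERMISSIONS[p] for p in permissions if p in RISKY_PERMISSIONS}
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility service.
    accessibility_services = [
        s.get(ANDROID_NS + "name", "")
        for s in root.iter("service")
        if s.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION
    ]
    capabilities = {label.split(":")[0] for label in flagged.values()}
    if accessibility_services:
        capabilities.add("accessibility")
    # Overlay + SMS + accessibility together is the banking-trojan pattern the
    # article describes; any one of them alone only merits a closer look.
    if {"overlay", "sms", "accessibility"} <= capabilities:
        verdict = "high"
    elif capabilities:
        verdict = "medium"
    else:
        verdict = "low"
    return {
        "package": package,
        "flagged_permissions": flagged,
        "accessibility_services": accessibility_services,
        "capabilities": sorted(capabilities),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(manifest)
        print(f"{name}: {result['package']} -> {result['verdict']} {result['capabilities']}")
```

The verdict is deliberately coarse: many legitimate apps request one of these permissions (a messaging app reads SMS, a screen reader binds an accessibility service), so the signal is the combination, and the script is a first filter before manual review, not a classifier.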
ESET malware researcher Lukas Stefanko said: “The website looks like the real deal. To be frank, it is a well-executed copy of the legitimate Clubhouse website. However, once the user clicks on ‘Get it on Google Play’, the app will be automatically downloaded onto the user’s device. By contrast, legitimate websites would always redirect the user to Google Play, rather than directly download an Android Package Kit, or APK for short.”
Commenting on the research, Tom Lysemose Hansen, CTO at app security company Promon, outlined: “It was only a matter of time before malicious actors capitalized on the growing demand for Clubhouse to release an Android app. This is a classic case of malware, once downloaded onto the device, using a system of overlays to steal login credentials from a list of targeted applications. The convincing nature of the website and the fact that the malware is able to steal login credentials from more than 450 apps and bypass SMS-based two-factor authentication, makes this extremely concerning.”
He added: “Smartphone users (and Android users in particular) should be on the lookout for common tell-tale signs that indicate a website is not legitimate. These can include not being secure (if the webpage starts with HTTP instead of HTTPS) or if the domain looks strange (in this case it was .mobi instead of .com used by the legitimate website).”
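The delivery-site indicators raised in the two quotes above (plain HTTP, an unexpected top-level domain, and a “Get it on Google Play” button that serves an APK directly instead of redirecting to the Play Store) can be checked mechanically. The script below is an added example, not code from ESET or Promon; it works on constructed response records rather than live fetches, and the expected domain `clubhouse-example.com` is a stand-in, since the article does not name the legitimate domain.

```python
"""Flag the tell-tale signs of a fake app download page described above.
Added example; all URLs and responses are constructed, not live."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed stand-in for the legitimate site's registrable domain.
EXPECTED_DOMAIN = "clubhouse-example.com"
APK_CONTENT_TYPE = "application/vnd.android.package-archive"
ZIP_MAGIC = b"PK\x03\x04"  # an APK is a ZIP container


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status, headers, first bytes."""
    status: int
    headers: dict = field(default_factory=dict)
    body_prefix: bytes = b""


def registrable_domain(host):
    """Last two labels of the host (enough for .com vs .mobi; not for co.uk)."""
    return ".".join(host.lower().split(".")[-2:])


def serves_apk_directly(resp):
    """True if the response hands the browser an APK instead of a web page."""
    ctype = resp.headers.get("Content-Type", "").lower()
    disposition = resp.headers.get("Content-Disposition", "").lower()
    return (ctype == APK_CONTENT_TYPE
            or ".apk" in disposition
            or resp.body_prefix.startswith(ZIP_MAGIC))


def redirects_to_play_store(resp):
    """True for a 3xx whose Location points at play.google.com."""
    location = resp.headers.get("Location", "")
    return 300 <= resp.status < 400 and urlparse(location).hostname == "play.google.com"


def check_download_link(url, resp):
    """Return the list of indicators found; an empty list means none of the
    three signs from the article were present."""
    parsed = urlparse(url)
    findings = []
    if parsed.scheme != "https":
        findings.append("not-https")
    host = parsed.hostname or ""
    if registrable_domain(host) != EXPECTED_DOMAIN:
        findings.append(f"domain-mismatch:{registrable_domain(host)}")
    if serves_apk_directly(resp):
        findings.append("direct-apk-download")
    elif not redirects_to_play_store(resp):
        findings.append("no-play-store-redirect")
    return findings


# Constructed case 1: lookalike .mobi site pushing an APK over plain HTTP.
FAKE_URL = "http://clubhouse-example.mobi/get"
FAKE_RESPONSE = Response(200, {"Content-Type": APK_CONTENT_TYPE}, ZIP_MAGIC + b"...")

# Constructed case 2: legitimate pattern, HTTPS and a redirect to Google Play.
LEGIT_URL = "https://www.clubhouse-example.com/android"
LEGIT_RESPONSE = Response(
    302, {"Location": "https://play.google.com/store/apps/details?id=com.example.app"}
)

if __name__ == "__main__":
    print("fake :", check_download_link(FAKE_URL, FAKE_RESPONSE))
    print("legit:", check_download_link(LEGIT_URL, LEGIT_RESPONSE))
```

The body-prefix check will also fire on any ZIP download, and a legitimate vendor may host its own APK, so none of these findings is proof on its own; the point of the check is that the combination the article describes (wrong TLD, no TLS, APK instead of a Play Store redirect) should never occur for a genuine store link.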