Fake Clubhouse for Android steals credentials from financial apps | Applications and Software

The Clubhouse is still an exclusive application for users who are on an iPhone, iPod Touch or iPad, a scenario that helps in the creation of fake clones for Android devices. One of these fraudulent options is capable of stealing user data and credentials in more than 400 other apps and services that are installed within the same device.

Clubhouse on the iPhone (Image: André Fogaça / Tecnoblog)

Clubhouse on the iPhone (Image: André Fogaça / Tecnoblog)

This attack was discovered and publicized by researcher Lukas Stefanko, from the security company Eset. The fake app that promises access to the social voice network installs a trojan called BlackRock and its job is to capture user information in 458 different apps, installed on the same Android smartphone or tablet.

The researcher points out that the Trojan’s target list includes access to Twitter, WhatsApp, Facebook, Amazon, Netflix, Outlook, eBay, Coinbase, Plus500, Cash App, BBVA and Lloyds Bank.

All the decoy to deceive the user starts with a website that impersonates the Clubhouse, where the user puts his data to enter the queue and be able to receive the invitation to access the social network. Right away, it is possible to notice something strange, since the official page is ended with “.com” and the false one uses “.mobi”.

“The website is very similar to the legitimate one. To put it bluntly, it is a well-made copy of the Clubhouse’s legitimate website. However, as soon as the user clicks on “Get on Google Play”, the application will be automatically downloaded to the user’s device. It is important to take into account that legitimate sites always redirect the user to Google Play instead of directly downloading the Android Package Kit (APK), ”comments Stefanko.

This means that, even with the traditional icon for downloads from the Play Store, the downloaded file comes from a dedicated server and needs the user’s authorization to be installed from the outside, which is not recommended.

Once installed, the fake Clubhouse captures the data from the listed applications with the help of an overlay layer that sits above these targets. It asks for the login data, which is saved and sent to the hacker by the trojan. The Eset note also states that even protections with two-factor authentication do not guarantee security, as BlackRock also keeps an eye on text messages.

Clubhouse could take months to get to Android

It is not new that Android users complain about the absence of their mobile operating system in Clubhouse conversations. In an interview with Bill Gates, one of the founders of the social network, Paul Davidson, said: “Someone asked, the other day, what is the best feature that we are excited about while developing and I replied: Android. It is very important, especially in the international market ”.

Last Sunday (21), Davidson commented that the release of this version for the Google mobile operating system is scheduled for “the next few months”. In the meantime, Twitter has started releasing Spaces for those on Android. The feature is basically a copy of the Clubhouse’s own functions.

Paul Davidson states that the slow pace used by the company to launch the Android version of the Clubhouse happens precisely because of the greater number of users of this platform. For him, the area of ​​suggestions for open rooms can grow negatively, making the current experience even worse.

Currently the application shows more rooms with other languages ​​than for the language the user speaks – this is my case and that made my interest in the platform almost disappear. The solution proposed by the executive himself involves inserting more personalized suggestions and more filters.

Even so, there is still no forecast for the official arrival of the Clubhouse for Android smartphones and tablets.

With information: Eset and TechCrunch.

Leave a Comment