The Android trojan — nicknamed “BlackRock” by ThreatFabric and detected by Slovak internet security firm ESET — can steal victims’ login credentials for more than 450 apps and bypass SMS-based two-factor authentication.
For starters, Twitter, WhatsApp, Facebook, Amazon, Netflix, Outlook, eBay, Coinbase, Plus500, Cash App, BBVA and Lloyds Bank are all on the list.
“Cybercriminals are attempting to take advantage of the popularity of Clubhouse to deliver malware that aims to steal users’ login information for a variety of online services,” said ESET malware researcher Lukas Stefanko.
The target list includes well-known financial and shopping apps, cryptocurrency exchanges, as well as social media and messaging platforms.
Clubhouse was yet to react to the report.
The app is currently available on Apple App Store and has been downloaded more than 8 million times. Its Android version is set to arrive soon as the company is working on it.
“To be frank, it is a well-executed copy of the legitimate Clubhouse website. However, once the user clicks on ‘Get it on Google Play’, the app will be automatically downloaded onto the user’s device. By contrast, legitimate websites would always redirect the user to Google Play, rather than directly download an Android Package Kit, or APK for short,” Stefanko explained.
Once the victim is hoodwinked into downloading and installing “BlackRock”, the trojan tries to purloin their credentials using an overlay attack.
In other words, whenever the user launches one of the targeted applications, the malware will create a data-stealing overlay of the application and request the user to log in. Instead of logging in, the user unwittingly hands over their credentials to the cybercriminals.
The malicious app also asks the victim to enable accessibility services, effectively allowing the criminals to take control of the device, the researcher noted.