Fake Android Clubhouse App Steals Thousands of User Credentials

Someone launched a fake Clubhouse Android app that infects phones with malware.

Beware of the fake Android app:

A fake Clubhouse Android app is stealing credentials from other apps using the BlackRock malware. It can steal login details for many different Android apps, so be careful out there. The malware masquerades as the invite-only Clubhouse app, which is available only on iOS.

No Clubhouse Android app yet

Clubhouse is two things:

  • famously invite-only
  • only available to iOS users

As yet, the Clubhouse development team has not finalized the Android version of the app, though they are working on it and it is expected to arrive within the coming months.

The main point is that, at present, Clubhouse is only available for iPhone, but an Android version is in development.

But there are some extra red flags that ESET noted.

  • The download uses an unsecured HTTP connection instead of secure HTTPS.
  • The site uses a ‘.mobi’ domain, while the official website uses ‘.com’.
  • The downloaded app is called ‘Install’ rather than ‘Clubhouse’.

“While it’s obviously clear that the malware creator was probably too lazy to disguise the downloaded app properly, we can also say that we may discover even more sophisticated copycats in the future,” Stefanko warned.
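The three red flags above can be turned into a quick triage check for a sideloaded APK offer. This is an added example, not code from ESET or from this article; the function name, flag names and the placeholder domains are hypothetical, and the domain comparison uses a simplified "last two labels" rule.

```python
from urllib.parse import urlsplit


def _registrable(host: str) -> str:
    """Last two DNS labels of a host name.

    Simplification (assumption): ignores multi-part suffixes such as co.uk.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def sideload_red_flags(download_url, app_label, official_site, expected_label):
    """Return the red flags raised by an APK download offer.

    download_url   -- where the APK is being offered
    app_label      -- name the package shows after download
    official_site  -- host name of the vendor's real website
    expected_label -- name the genuine app would carry
    """
    flags = []
    url = urlsplit(download_url)
    host = url.hostname or ""

    # Red flag 1: plain HTTP instead of HTTPS.
    if url.scheme.lower() != "https":
        flags.append("insecure-transport")

    # Red flag 2: the download does not come from the official domain.
    # Comparing registrable domains also catches hosts that merely embed
    # the official name as a subdomain of an unrelated domain.
    official, got = _registrable(official_site), _registrable(host)
    if got != official:
        same_brand = got.split(".")[0] == official.split(".")[0]
        flags.append("lookalike-tld" if same_brand else "unofficial-domain")

    # Red flag 3: the installed label is not the expected app name.
    if app_label.strip().lower() != expected_label.strip().lower():
        flags.append("label-mismatch")
    return flags


if __name__ == "__main__":
    # Constructed sample: placeholder domains, not real indicators.
    print(sideload_red_flags(
        "http://official-app-placeholder.mobi/app.apk", "Install",
        "official-app-placeholder.com", "Clubhouse"))
```

An empty result only means none of these three checks fired; it does not show that a package is safe.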

Fake Clubhouse apps now stealing credentials

Lukas Stefanko, an ESET security researcher, found these fake Clubhouse apps, which aren’t available on the Play Store. Clubhouse is not available for Android devices yet, although an Android version of the app is currently in the works.

No such app exists. Some users are downloading the fake app believing it to be the original. What they are actually downloading is the BlackRock Trojan horse malware.

BlackRock Trojan:

The BlackRock Trojan can steal credentials for more than 450 other apps, for example Twitter, Facebook, Amazon, Netflix, eBay, and Coinbase, as well as numerous popular banking apps, trading apps, cryptocurrency exchanges, and cryptocurrency wallets.

Because the fake Clubhouse app isn’t available on the Play Store, the attackers distribute the malicious APK elsewhere. The offer of a new Android version of Clubhouse is enough to lure victims in.

Once installed, the fake Clubhouse app uses an overlay attack to swipe login credentials for other apps. The victim logs in to their accounts as usual, and in that instant they are passing their credentials to the attacker via the fake Clubhouse app installed on their Android device.

The BlackRock malware can also intercept SMS messages, meaning an attacker can compromise SMS-based two-factor authentication (2FA). Generally, 2FA is your second line of defense, but in cases like this it might not work.

The criminals can also access victims’ data and hijack their phones, as Clubhouse-themed hijacking is growing very popular.

Cybersecurity researchers found that hackers have created a fake version of the popular app Clubhouse to spread malware.

This version of the app was actually malware designed to harvest a victim’s data, as discovered by experts at cybersecurity company ESET.

They also warned that the malware can steal login credentials from over 450 apps and bypass SMS-based two-factor authentication.


