Skip to main content

Clubhouse for Android? Nope, just sneaky password-stealing malware

clubhouse app
(Image credit: Shutterstock)

If you're pining to use Clubhouse on Android, don't be too eager as you might fall prey to this fake Clubhouse Android app that installs password-stealing malware.

Discovered by ESET and written up in a blog post yesterday, the fake Clubhouse app installs the BlackRock Android Trojan, which we first wrote about last summer. 

This fraudulent app is trying to cash in on the Clubhouse craze, which has seen the 11-month-old iPhone voice-chat app skyrocket in popularity following celebrity endorsements from the likes of Elon Musk.

The fake Clubhouse app is delivered by a bogus Clubhouse website that looks exactly like the official site, ESET said. 

There are only two differences: The ".com" in "joinclubhouse.com" is replaced by a different top-level-domain suffix, and the official Apple button to "Download on the App Store" is replaced by one that looks like the real Google app button, which reads "Get it on Google Play."

If you're on your Android phone and you click that fake link to the Google Play Store, an app called "Install" will download to your phone and prompt you "Enable Install." This will work only if you've given Chrome, or whichever of the best Android browsers you're using, permission to install apps.

How to avoid joining the wrong Clubhouse

To prevent being hoodwinked by this fake Clubhouse app, make sure that only Google Play can install or update software on your Android device. Go into Settings > Apps & Notifications > Special App Access > Install unknown apps and make sure no apps have this ability. 

You'll also want to be running one of the best Android antivirus apps, which will block the BlackRock Trojan from installing and find any other malware you may already have on your phone or tablet.

BlackRock mimics the login screens of hundreds of Android apps, including Amazon, eBay, Facebook, Gmail, Google Play, Hotmail, Instagram, Microsoft Outlook, Netflix, PayPal, Twitter, Uber, WhatsApp and Yahoo Mail, plus every major bank you've ever heard of. It also fakes the credit-card-entry screens of dozens of other apps.

Put your username, password or credit-card number into one of BlackRock's fake login screens, and you can kiss them goodbye. 

Having two-factor authentication (2FA) activated doesn't always work, says ESET, because BlackRock can intercept text messages. That's one reason it's better to use an authenticator app or a USB security key as your "second" 2FA factor.