Site navigation

Hackers Use Fake Clubhouse App to Steal Credentials

Michael Behr


Fake Clubhouse App

By hijacking Clubhouse’s growing popularity, the criminals can access victim’s data and hijack their phones.

Cybersecurity researchers have found that hackers have created a fake version of popular app Clubhouse to spread malware.

Experts at cybersecurity company ESET discovered that an Android version of the app was actually malware designed to harvest a victim’s data.

They warned that the malware can steal login credentials from over 450 apps and bypass SMS-based two-factor authentication.

On the malware’s target list are numerous popular social media and messaging platforms, financial apps, and shopping sites. These include, Twitter, WhatsApp, Facebook, Amazon, Netflix, Outlook, eBay, and Lloyds Bank, ESET warned.

To steal data, the trojan creates an overlay attack every time the user opens one of the targeted apps. The victim is prompted to log in to the app, and if they do the cyber criminals get access to their credentials.

Not only that, but the malware can intercept text messages, bypassing two-factor authentication. Finally, the app also asks the victim to enable accessibility services, effectively allowing the criminals to take control of the device.

The fake app was available from a website designed to mimic Clubhouse’s official website. Users attempting to download the app instead download a package nicknamed ‘BlackRock,’ also known as Android/TrojanDropper.Agent.HLR.

“The website looks like the real deal. To be frank, it is a well-executed copy of the legitimate Clubhouse website. However, once the user clicks on ‘Get it on Google Play’, the app will be automatically downloaded onto the user’s device. By contrast, legitimate websites would always redirect the user to Google Play, rather than directly download an Android Package Kit, or APK for short,” said ESET malware researcher Lukas Stefanko.

At present, Clubhouse is only available for iPhone, though an Android version is in development. There are some additional red flags that ESET noted – the download uses an unsecure HTTP connection instead of a secure HTTPS. In addition, the site uses a ‘.mobi’ domain while the official website uses ‘.com’

The downloaded app is also called ‘Install,’ rather than ‘Clubhouse’.

“While this demonstrates that the malware creator was probably too lazy to disguise the downloaded app properly, it could also mean that we may discover even more sophisticated copycats in the future,” Stefanko warned.


Launched in April last year, Clubhouse is an audio-chat app – groups up to several thousand strong can drop into rooms to voice chat about various topics. Like many popular apps, its profile was raised by billionaire Elon Musk, when he was interviewed on the app in January this year.

Since its launch, it has been downloaded by around 13 million people, leaping from about 3.5 million in February. Frequent celebrity users and isolation during the pandemic have helped fuel its popularity.

While the app is currently only available on iPhone, and then only by invitation only, open-source versions have been created for Android and desktop and published on GitHub.

Join the Debate | Scot-Secure 2021

The plethora of cybersecurity threats facing individuals and organisations will be a key area of discussion at the upcoming Scot-Secure Cybersecurity Conference on March 24-25th.

Hear from leading experts from across the cybersecurity sector and explore the crucial issues.

Register your free place now at:

Michael Behr

Senior Staff Writer

Latest News

Cybersecurity Editor's Picks Trending Articles
Cybersecurity Data Trending Articles
%d bloggers like this: