Android users beware: a fake Clubhouse Android app is stealing credentials from other apps using the BlackRock malware. The malware is masquerading as the invite-only Clubhouse app, which is currently available only on iOS.

Fake Android Clubhouse App Stealing Credentials

ESET security researcher Lukas Stefanko found the fake Clubhouse app, which isn't available on the Play Store. Clubhouse is not yet available for Android devices, although an Android version of the app is currently in the works.

Currently, no such app exists. Android users desperate to use Clubhouse are downloading a fake version of the app mocked up to mimic the original. What they're actually downloading is the BlackRock Trojan horse malware.

The BlackRock Trojan can steal credentials for over 450 other apps, including Twitter, Facebook, Amazon, Netflix, eBay, and Coinbase, along with numerous popular banking apps, trading apps, cryptocurrency exchanges, cryptocurrency wallets, and more.

On the official ESET blog, Stefanko said:

The website looks like the real deal. To be frank, it is a well-executed copy of the legitimate Clubhouse website. However, once the user clicks on 'Get it on Google Play,' the app will be automatically downloaded onto the user's device. By contrast, legitimate websites would always redirect the user to Google Play, rather than directly download an Android Package Kit, or APK for short.

As the fake Clubhouse app isn't available on the Play Store, the attackers distribute the malicious APK elsewhere. Stefanko has indicated that the APK is likely distributed via social media and forum posts offering the new Android version of Clubhouse, which is enough to lure victims in.

Once installed, the fake Clubhouse app (the BlackRock malware) uses an overlay attack to swipe login credentials for other apps. The victim logs in to their accounts as usual but is instead passing their credentials to the attacker via the fake Clubhouse app installed on their Android device.

The BlackRock malware can also intercept SMS, meaning an attack could compromise SMS-based two-factor authentication (2FA). Normally, 2FA is your second line of defence, but in this case, it might not work.


There Is No Clubhouse Android App—Yet

Clubhouse is two things: famously invite-only, and only available to iOS users. As yet, the Clubhouse development team has not finalized the Android version of the app, though it is in the works and expected to arrive within the coming months.


Until you hear of an official Clubhouse app for Android, avoid any posts on social media or elsewhere claiming that the new app is ready. That also means only using official stores, such as the Play Store, to download apps, and not installing apps from untrusted third-party sources that require you to disable your device's security settings.
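As an added example (not code from the article or from ESET), the check below turns the sideloading advice into a triage script for a device you administer: it parses the output of `adb shell pm list packages -i`, which lists each package with the installer that put it there, and flags anything not installed by a trusted store, with an extra note when the package name imitates Clubhouse, which has no Android app. The trusted-installer allow-list, the sample output and the package names in it are all constructed assumptions.

```python
import re

# Installer package names treated as trusted stores (assumption: extend this
# allow-list to the stores your organisation actually permits).
TRUSTED_INSTALLERS = {
    "com.android.vending",             # Google Play
    "com.sec.android.app.samsungapps",  # Samsung Galaxy Store
}

# Clubhouse has no Android app at the time of the article, so any package whose
# name contains this token is worth a closer look.
LOOKALIKE_TOKENS = ("clubhouse",)

# One line of `pm list packages -i` looks like:
#   package:com.example.app installer=com.android.vending
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_pm_list(output):
    """Parse `pm list packages -i` output into (package, installer) pairs."""
    entries = []
    for raw in output.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("pkg"), m.group("inst")))
    return entries


def triage(output):
    """Return (package, reasons) for every package not installed by a trusted
    store; sideloaded apps imitating Clubhouse get an additional reason."""
    findings = []
    for pkg, installer in parse_pm_list(output):
        if installer in TRUSTED_INSTALLERS:
            continue
        reasons = ["sideloaded (installer=%s)" % installer]
        if any(tok in pkg.lower() for tok in LOOKALIKE_TOKENS):
            reasons.append("name imitates Clubhouse, which has no Android app")
        findings.append((pkg, reasons))
    return findings


# Constructed sample output; the package names are invented for illustration.
SAMPLE = """\
package:com.android.chrome installer=com.android.vending
package:com.twitter.android installer=com.android.vending
package:com.clubhouse.android.invite installer=null
package:com.example.notes installer=com.google.android.packageinstaller
"""

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE):
        print(pkg, "->", "; ".join(reasons))
```

A package installed by tapping an APK shows `installer=null` or the system package installer rather than a store, which is exactly the path the fake Clubhouse site relies on.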