
Joinclubhouse.mobi

Joinclubhouse.mobi is a malicious website that distributes BlackRock, an Android banking Trojan built to harvest account credentials. The fake site trades on the popularity of the invitation-only audio chat application Clubhouse and lures visitors with an offer to download an Android version of the application that does not exist. The page is designed to look as close as possible to the official website, but a couple of telltale signs should help users recognize that something is amiss.

First, clicking the 'Get on Google Play' button does not open the official Android store, as it would on any legitimate site; instead, the Trojanized application (an APK file) is downloaded to the device directly. Second, the connection is insecure: the fake site is served over HTTP rather than HTTPS, and it uses the '.mobi' top-level domain instead of the '.com' of the official website. Finally, although the developer of Clubhouse has announced that work on an Android version has begun, it has not been released; at the time of writing, Clubhouse is available only on iPhones.
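The three telltale signs above can be checked mechanically. The following Python script is an added example, not code from the original page: it takes a page URL and its HTML and reports whether the page is served without HTTPS, sits on a domain other than the expected one, and whether its 'Get on Google Play' link actually leads to play.google.com or to a direct APK download. The expected official domain (joinclubhouse.com), the Play Store host and the sample HTML are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this example: the legitimate site and the real store host.
OFFICIAL_DOMAIN = "joinclubhouse.com"
PLAY_STORE_HOST = "play.google.com"


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element on the page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def assess_download_page(page_url, html):
    """Return the list of indicators that the page is a lookalike pushing a sideloaded APK."""
    indicators = []
    parsed = urlparse(page_url)
    host = (parsed.hostname or "").lower()

    # Sign 2: no TLS, and a domain that is not the official one (e.g. '.mobi' vs '.com').
    if parsed.scheme != "https":
        indicators.append("no_https")
    if host != OFFICIAL_DOMAIN and not host.endswith("." + OFFICIAL_DOMAIN):
        indicators.append("lookalike_domain:" + host)

    # Sign 1: the 'Get on Google Play' button must point at the Play Store, not an APK.
    collector = _LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        if "google play" not in text.lower():
            continue
        target = urlparse(href)
        target_host = (target.hostname or host).lower()  # relative links resolve to the page host
        if target_host != PLAY_STORE_HOST:
            indicators.append("play_button_off_store:" + href)
        if target.path.lower().endswith(".apk"):
            indicators.append("direct_apk_download:" + href)
    return indicators


# Constructed sample pages (not captured from the real site).
FAKE_HTML = '<html><body><a href="/Clubhouse.apk">Get on Google Play</a></body></html>'
LEGIT_HTML = '<a href="https://play.google.com/store/apps/details?id=com.example">Get on Google Play</a>'

if __name__ == "__main__":
    print(assess_download_page("http://joinclubhouse.mobi/", FAKE_HTML))
    print(assess_download_page("https://joinclubhouse.com/", LEGIT_HTML))
```

A page that trips any of these indicators is not proof of malware by itself, but a 'Google Play' button that hands the browser an APK is exactly the behaviour described above and should be treated as a sideloading lure.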

Once installed on the victim's Android device, BlackRock first tries to obtain as many privileges as possible by asking the user to enable accessibility services for it. If the user agrees, the attackers effectively gain full control of the compromised device. The Trojan's main purpose is to collect account credentials: so far, BlackRock has been observed targeting approximately 458 applications, ranging from social media and instant messaging (IM) apps to shopping, financial, cryptocurrency and crypto-wallet apps. Among the targets are Facebook, Twitter, WhatsApp, Netflix, eBay, Plus500, Cash App, Outlook, Amazon, BBVA, Lloyds Bank and more.

Data theft is carried out through an overlay: a fake login page drawn on top of the legitimate application when it is opened. Any credentials entered into the overlay are captured, logged and exfiltrated to the attackers. While two-factor authentication (2FA) has gained ground among application developers as an additional protective layer, SMS-based 2FA is not an effective countermeasure against BlackRock, because the Trojan can intercept text messages and so read the one-time codes.

As a general rule, users should avoid installing applications that are not hosted on the official stores. They should also pay attention to the permissions an application requests, and in particular to requests to enable accessibility services, since many apps ask for far more than their core functionality requires.
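The two warning signs discussed above (a sideloaded app, and an app holding an enabled accessibility service) can be cross-checked on a device with USB debugging enabled. The Python script below is an added example, not code from the original page: it consumes the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i` and lists packages that were not installed by Google Play yet have an accessibility service switched on. The sample adb output and the package name com.example.clubhouse are constructed for the example and do not identify any real BlackRock sample.

```python
# Triage adb output for sideloaded apps that hold an enabled accessibility
# service, the combination the Trojan described above relies on.
# Commands to capture the two inputs on a device with USB debugging:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i

# Google Play's installer package; OEM stores can be added here (assumption).
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_enabled_accessibility_services(value):
    """Parse the colon-separated 'package/service' list into a set of package names."""
    value = (value or "").strip()
    if value in ("", "null"):
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def parse_installers(pm_output):
    """Map package name -> installer package from 'pm list packages -i' output."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name_part, _, installer_part = line[len("package:"):].partition("installer=")
        # Sideloaded apps show 'installer=null'; normalise a missing field to the same.
        installers[name_part.strip()] = installer_part.strip() or "null"
    return installers


def suspicious_accessibility_apps(services_value, pm_output, trusted=TRUSTED_INSTALLERS):
    """Return sorted package names that are sideloaded AND have an accessibility service enabled."""
    enabled = parse_enabled_accessibility_services(services_value)
    installers = parse_installers(pm_output)
    return sorted(pkg for pkg in enabled if installers.get(pkg, "null") not in trusted)


# Constructed sample output (not captured from an infected device).
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/.TalkBackService"
    ":com.example.clubhouse/com.example.clubhouse.AccService"
)
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.clubhouse  installer=null
package:com.android.chrome  installer=com.android.vending
"""

if __name__ == "__main__":
    for pkg in suspicious_accessibility_apps(SAMPLE_SERVICES, SAMPLE_PM):
        print("review:", pkg)
```

A legitimate screen reader such as TalkBack is installed from the store and is therefore not flagged; a sideloaded 'Clubhouse' with an accessibility service enabled is exactly what the page warns against and is worth uninstalling and investigating.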
