ESET malware researcher Lukas Stefanko has found malware that can steal login credentials for more than 450 apps and bypass SMS-based two-factor authentication.
Cybercriminals capitalizing on the popularity of Clubhouse are delivering malware using an app disguised as the Android version of Clubhouse, an invitation-only audio chat app. Upon clicking the Play Store download button on a website mimicking the look and feel of the genuine Clubhouse website, the victim retrieves the malicious payload onto the device. The payload contains the “BlackRock” trojan, as nicknamed by ThreatFabric. According to ESET, which tracks it as Android/TrojanDropper.Agent.HLR, the malware can steal victims’ login credentials for 458 online services.
“The website looks like the real deal. To be frank, it is a well-executed copy of the legitimate Clubhouse website,” the ESET researcher writes.
The target list includes the most popular social networks and messaging platforms, financial and shopping apps, cryptocurrency exchanges, and other platforms: Twitter, WhatsApp, Facebook, Amazon, Netflix, Outlook, eBay, Coinbase, Plus500, Cash App, BBVA, Lloyds Bank, etc.
The researcher notes that once the user clicks on “Get it on Google Play,” the app is downloaded directly onto the user’s device. A legitimate website would always redirect to Google Play rather than serving an APK directly.
In addition, an attentive user would notice that the connection is not secure (HTTP instead of HTTPS) or that the site uses the “.mobi” top-level domain, rather than the “.com” used by the legitimate site.
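The three red flags the researcher lists (plain HTTP, a “.mobi” domain instead of “.com”, and a “Get it on Google Play” button that serves an APK instead of redirecting to Google Play) can be turned into a simple URL check. The following is an added example, not code from ESET or from the article; the page URLs and button links it tests are constructed, and the legitimate site is only assumed to use the “.com” TLD as the article states.

```python
from urllib.parse import urlparse, urljoin

# Scheme and host a genuine Play Store redirect would use (real Google Play host).
PLAY_STORE_HOST = "play.google.com"
# TLD the article says the legitimate Clubhouse site uses.
EXPECTED_TLD = "com"


def download_link_red_flags(page_url: str, button_href: str) -> list[str]:
    """Return the red flags a user or crawler could spot on an app download page.

    page_url    - the address of the page showing the "Get it on Google Play" button
    button_href - the button's link target (absolute or relative to page_url)
    """
    flags = []
    page = urlparse(page_url)
    # Resolve relative links such as "/clubhouse.apk" against the page URL.
    target = urlparse(urljoin(page_url, button_href))

    # 1. Connection security: the fake site was served over HTTP.
    if page.scheme != "https":
        flags.append("page served over plain HTTP instead of HTTPS")

    # 2. Top-level domain: the fake site used .mobi, the genuine one .com.
    tld = (page.hostname or "").rsplit(".", 1)[-1].lower()
    if tld != EXPECTED_TLD:
        flags.append(f"site uses .{tld} TLD, not .{EXPECTED_TLD}")

    # 3. Where the button goes: a legitimate store badge redirects to Google Play.
    if target.hostname != PLAY_STORE_HOST:
        flags.append("store button does not redirect to Google Play")

    # 4. Direct APK delivery is the clearest sign of sideloaded malware.
    if target.path.lower().endswith(".apk"):
        flags.append("store button downloads an APK directly")

    return flags


if __name__ == "__main__":
    # Constructed sample pages (not real domains from the campaign).
    fake = download_link_red_flags("http://example-chat.mobi/", "/clubhouse.apk")
    legit = download_link_red_flags(
        "https://example-chat.com/",
        "https://play.google.com/store/apps/details?id=com.example.chat",
    )
    print("fake page:", fake)   # four red flags
    print("legit page:", legit) # no red flags
```

The function is deliberately conservative: it reports each indicator separately so a crawler or a help-desk checklist can weight them, since a single missing HTTPS redirect is common on legitimate sites while a direct APK download from a store badge is not.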
Clubhouse is only preparing to launch the Android version of its app. Its audio social network is currently available only for iPhones.
Once the victim has installed BlackRock, the trojan tries to steal credentials for other apps using an overlay attack: whenever the victim launches one of the targeted apps, the malware draws an overlay mimicking that application and prompts the user to log in.
The malware can also intercept text messages, so SMS-based two-factor authentication (2FA) would not necessarily help in this case, the researcher says.
The malicious app also prompts the victim to enable accessibility services, which effectively allows the criminals to take control of the whole device.
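The three capabilities described above (overlays, SMS interception, and an accessibility service) each correspond to a declared Android permission, which makes a quick static triage of an APK’s manifest possible. The following is an added example, not code from ESET or the article; the manifest it parses is a constructed sample, and the permission and action names are the real Android identifiers for these capabilities.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names behind the capabilities described in the article.
OVERLAY_PERMS = {"android.permission.SYSTEM_ALERT_WINDOW"}
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample manifest resembling what a banking trojan dropper requests.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakechat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


def triage_manifest(xml_text: str) -> dict:
    """Flag the overlay / SMS / accessibility combination in an AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"

    requested = {e.get(name_attr) for e in root.iter("uses-permission")}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    accessibility_services = [
        e.get(name_attr) for e in root.iter("service")
        if e.get(perm_attr) == ACCESSIBILITY_PERM
    ]

    caps = {
        "overlay": bool(requested & OVERLAY_PERMS),
        "sms_intercept": bool(requested & SMS_PERMS),
        "accessibility_service": bool(accessibility_services),
    }
    # All three together is the pattern worth escalating; any one alone is common
    # in legitimate apps (SMS clients, screen readers, chat heads).
    caps["banker_pattern"] = all(caps.values())
    return caps


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    print(triage_manifest(BENIGN_MANIFEST))
```

The manifest inside a real APK is binary-encoded, so in practice the text would come from a decoder such as apktool or androguard; the triage logic itself stays the same. Treat the result as a prioritisation signal, not a verdict: the combination is a strong indicator, but the user-facing prompt to enable accessibility services is what should raise suspicion on the device itself.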
Stefanko warned that “we may discover even more sophisticated copycats in the future.”