Researchers from ESET said a fake version of the audio chat app Clubhouse is being used by hackers to deliver malware and steal login credentials from 458 apps, including Amazon, Facebook, Twitter and WhatsApp, Threatpost
reports. Currently, Clubhouse is only available on Apple's App Store and attackers are targeting Android users looking to try the app. "To be frank, it is a well-executed copy of the legitimate Clubhouse website. However, once the user clicks on 'Get it on Google Play', the app will be automatically downloaded onto the user's device. By contrast, legitimate websites would always redirect the user to Google Play, rather than directly download an Android Package Kit, or APK for short," said researcher Lukas Stefanko. Social media or third-party websites could have aided the spread of the fraudulent website, which looks similar to the real Clubhouse website, Stefanko added. App credentials most likely targeted by the malware include those from cryptocurrency exchanges, financial and shopping apps, and social media and messaging apps.