Clubhouse for Android? Nope, just sneaky password-stealing malware

News
By published

This is one Clubhouse you don't want to join

clubhouse app
(Image credit: Shutterstock)

If you're pining to use Clubhouse on Android, don't be too eager as you might fall prey to this fake Clubhouse Android app that installs password-stealing malware.

Discovered by ESET and written up in a blog post yesterday, the fake Clubhouse app installs the BlackRock Android Trojan, which we first wrote about last summer. 

This fraudulent app is trying to cash in on the Clubhouse craze, which has seen the 11-month-old iPhone voice-chat app skyrocket in popularity following celebrity endorsements from the likes of Elon Musk.

The fake Clubhouse app is delivered by a bogus Clubhouse website that looks exactly like the official site, ESET said. 

There are only two differences: The ".com" in "joinclubhouse.com" is replaced by a different top-level-domain suffix, and the official Apple button to "Download on the App Store" is replaced by one that looks like the real Google app button, which reads "Get it on Google Play."

If you're on your Android phone and you click that fake link to the Google Play Store, an app called "Install" will download to your phone and prompt you "Enable Install." This will work only if you've given Chrome, or whichever of the best Android browsers you're using, permission to install apps.

How to avoid joining the wrong Clubhouse

To prevent being hoodwinked by this fake Clubhouse app, make sure that only Google Play can install or update software on your Android device. Go into Settings > Apps & Notifications > Special App Access > Install unknown apps and make sure no apps have this ability. 

You'll also want to be running one of the best Android antivirus apps, which will block the BlackRock Trojan from installing and find any other malware you may already have on your phone or tablet.

BlackRock mimics the login screens of hundreds of Android apps, including Amazon, eBay, Facebook, Gmail, Google Play, Hotmail, Instagram, Microsoft Outlook, Netflix, PayPal, Twitter, Uber, WhatsApp and Yahoo Mail, plus every major bank you've ever heard of. It also fakes the credit-card-entry screens of dozens of other apps.

Put your username, password or credit-card number into one of BlackRock's fake login screens, and you can kiss them goodbye. 

Having two-factor authentication (2FA) activated doesn't always work, says ESET, because BlackRock can intercept text messages. That's one reason it's better to use an authenticator app or a USB security key as your "second" 2FA factor.

See more Computing News
Paul Wagenseil
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Read more
Green skull on smartphone screen.
Hackers are spreading info-stealing malware and taking over accounts using fake wedding invitations — how to stay safe
Green skull on smartphone screen.
Malicious Android apps with 60 million installs bombarding phones with ads and phishing attacks — how to stay safe
Green skull on smartphone screen.
This Android banking trojan steals passwords to take over your accounts — and all it takes is a single text message
A smartphone screen displaying the Android name and logo next to a sign reading 'MALWARE'.
Fake Google Play Store pages are spreading Trojan malware that can steal your financial data
Google Play logo on an android smartphone with corner hole punch camera
At least 5 North Korean spy apps have been found on Google Play — what you need to know
One phone with skull and crossbones on screen among several other clean-looking phones.
Malicious iPhone apps are spreading screenshot-reading malware on the Apple App Store — how to stay safe
Latest in Malware & Adware
Green skull on smartphone screen.
Malicious Android apps with 60 million installs bombarding phones with ads and phishing attacks — how to stay safe
Malware
Dangerous new password-stealing trojan automatically reinstalls itself on infected PCs
An FBI agent typing on a computer
FBI issues warning to millions of Americans to avoid these websites that can steal your passwords and banking info
A hacker typing quickly on a keyboard
New MassJacker malware is hijacking digital wallets to steal large sums from users
A person trying to set up a new Wi-Fi router
Thousands of TP-Link routers have been infected by a botnet to spread malware
A smartphone screen displaying the Android name and logo next to a sign reading 'MALWARE'.
Fake Google Play Store pages are spreading Trojan malware that can steal your financial data
Latest in News
iPhone 16 Pro vs iPhone 16 Pro Max in hand showing displays
Forget iPhone 17 — iPhone 18 could get this huge upgrade
The new Husqvarna iQ series robot lawn mower.
Husqvarna’s new robot mowers offer GPS for less
Rendered images of rumored foldable iPhone.
Foldable iPhone report just revealed key details — here's what we know
NYTimes Connections
NYT Connections today hints and answers — Sunday, March 23 (#651)
NYT Strands on a cellphone
NYT Strands today — hints, spangram and answers for game #385 (Sunday, March 23 2025)
Nintendo Switch 2
Nintendo Switch 2 rumored specs — here’s what we know so far
More about malware adware
A hacker typing quickly on a keyboard

Hackers are using this little-known file type to drop a nasty Windows worm on vulnerable PCs — how to stay safe
Malware

1.2 million people fooled by fake MidJourney Facebook page used to spread malware — don’t fall for this
The new Husqvarna iQ series robot lawn mower.

Husqvarna’s new robot mowers offer GPS for less
See more latest