Those who want to use Clubhouse on Android should be on their guard, as they may fall prey to a fake Clubhouse Android app that installs password-stealing malware.

This fake Clubhouse app, discovered by ESET and discussed in yesterday's blog post, installs the BlackRock Android Trojan, which we first reported on last summer.

The scam app is trying to capitalize on the Clubhouse boom that saw the iPhone voice chat app's popularity skyrocket 11 months ago, with endorsements by celebrities like Elon Musk. [The fake Clubhouse app is distributed from a fake Clubhouse website that looks exactly like the official site, ESET said. [There are only two differences: the ".com" in "joinclubhouse.com" has been replaced with a different top-level domain suffix, and the official Apple button that says "Download at the App Store" has been replaced with a genuine "Get it at Google Play" The thing is that it has been replaced by what appears to be a Google App button.

If you are using an Android phone and click on the fake link to the Google Play store, an app called "Install" will download to your phone and display "Enable Install." This will only work if you have given Chrome, or whichever best Android browser you are using, permission to install the app.

To avoid being tricked by this fake clubhouse app, make sure that only Google Play can install or update software on your Android device. Go to Settings > Apps and Notifications > Special App Access > Install Unknown Apps and make sure none of your apps have this permission.

We also recommend running one of the best Android antivirus apps that can block the installation of the BlackRock Trojan and find other malware that may already be present on your phone or tablet.

BlackRock is Amazon, eBay, Facebook, Gmail, Google Play, Hotmail, Instagram, Microsoft Outlook, Netflix, PayPal, Twitter, Uber, WhatsApp, It mimics the login screens of hundreds of Android apps, including Yahoo Mail, plus every major bank you've ever heard of. It can also forge credit card entry screens for dozens of other apps.

Entering a username, password, and credit card number into Blackrock's fake login screen is all it takes to kiss it goodbye.

[16] Because Blackrock can intercept text messages, enabling two-factor authentication (2FA) does not always work, ESET says. Therefore, it recommends using an authentication app or USB security key as a "second" 2FA factor.