The voice social network Clubhouse, which grew in popularity in Russia at the beginning of the year, has already been hacked. Kaspersky Lab has also found 40 malicious programs with the word "clubhouse" in their names. What should users of the fashionable social network be afraid of?
Since the beginning of 2021, Clubhouse, a voice communication application valued at $1 billion, has been experiencing explosive growth in popularity. Interest in it was fueled by Elon Musk, the founder of Tesla and SpaceX, who joined the social network on January 31. As of February 18, Clubhouse had reached 8 million downloads worldwide: in two months its popularity had grown 16-fold. In Russia, Clubhouse had been downloaded 420,000 times, according to App Annie data as of February 27. The number of active users in Russia from February 14 to February 27 was 356,000.
Clubhouse users will run into vulnerabilities, because at an early stage of development the creators of an application, as a rule, cannot anticipate all the threats and all the ways the service will be used, says Alexey Drozd, head of the information security department at SearchInform. Once monetization appears, new fraud schemes will emerge within the application, warns Evgeny Chugunov, CEO of Cross Technologies.
How can Clubhouse harm the user?
Trade in invites
To start using Clubhouse, a user must receive an invitation (an invite). In Russia, invites were sold on the classified-ad sites Avito and Yula, on social networks and in messengers. Yula confirmed to Forbes that in mid-February it saw rapid growth in search queries related to Clubhouse, but declined to disclose how many such queries appeared on the site. The company claims that it proactively identified potential fraudsters who were going to advertise the sale of Clubhouse invites and revoked their access to the service.
Avito told Forbes that the number of ads offering Clubhouse invites had grown sharply, that some of them were clearly speculative, and that it is impossible to verify the authenticity of the "product". Avito therefore banned the sale of invites on its site. All such ads disappeared from the platform on February 17. At the time of the ban, Avito carried several hundred ads selling invites at prices from two hundred to several thousand rubles, the company noted.
Currently, only iPhone and iPad owners can install Clubhouse on their devices; a version of the application for Android is still under development. But as the social network became more and more popular, fake apps with the word "clubhouse" in the name began to appear on Google Play. Sometimes they contained malicious software.
Kaspersky Lab found more than 40 Android files on the Internet that exploited the Clubhouse name. They contained malware or adware. Installing such a program could infect the device with the Anubis banking Trojan, said Dmitry Galov, cybersecurity expert at Kaspersky Lab. The malicious Android app can steal financial data from banking and shopping apps, he added.
Malicious Android applications are one of the main methods of attacking mobile devices, confirms Alexey Beloglazov, a technical expert at Check Point Software Technologies. Such applications make it possible to steal user data, including contacts, correspondence and photos, to track the user via GPS and the device cameras, and to listen to conversations and surroundings through the microphone, Beloglazov added.
Access to contacts
The Hamburg Office for Data Protection and Freedom of Information has asked the creators of Clubhouse for information on whether the application complies with the rules in force in Europe. The office wanted to know how the social network protects the confidential data of European users and their contacts. Commissioner Johannes Caspar expressed concern that Clubhouse reads users' address books and stores the information in the United States. In 2012, because of such claims, the management of another American social network, Facebook, had to make concessions to the European authorities. The Irish authorities demanded that Facebook abandon its service for identifying users in photos, and the social network had to do so not only in Ireland but throughout the EU.
OneZero columnist Will Oremus drew attention to another risk of using Clubhouse. He said that when he gave Clubhouse access to his contacts, the app prompted him to send invites to his former pediatrician, his hairdresser and a medical professional who was caring for his dying father. In addition, every time someone from the contact list registers on the social network, the application offers to greet that person in a private chat. It is not possible to register without anyone knowing about it. Oremus points out that users' address books may contain contacts of people with whom they would prefer to hide their connection, for example, journalists' confidential sources. In addition, the social network can compile a "dossier" on a person who has not registered on it but who appears in the address books of several users.
When Clubhouse recommends sending invites to people who are not yet in the application, the social network shows the number of contacts the user has in common with them. This is how some users discovered that they shared a psychiatrist or a marijuana supplier with dozens of their acquaintances. The application does not reveal with whom exactly, but it probably stores such data somewhere in a database, Oremus points out.
Experts from Roskachestvo believe that a hacker attack is not needed for conversations to leak: they can be recorded using third-party applications. "Do not discuss confidential information, do not be deceived by the apparent privacy of the service," the agency recommended.
Risk of data leakage to China
The Stanford Internet Observatory (SIO) has discovered a potential vulnerability in Clubhouse: the social network allows the Chinese authorities to gain access to users' raw data. The server infrastructure for Clubhouse is provided by Agora Inc., a Shanghai startup headquartered in Silicon Valley. The startup provides real-time voice and video services to other software developers, that is, the underlying infrastructure. This allows partners like Clubhouse to focus on interface design, individual features and user experience improvements.
Clubhouse transmits users' unique IDs and chat room IDs to Agora in plaintext over the Internet, which makes interception "trivial", SIO notes. Analysts believe Agora gains access to the raw audio and could potentially hand it over to the Chinese government. Any observer can easily match IDs in shared chat rooms to see who is talking to whom, according to SIO.
This is a direct threat to the security of millions of social media users, especially in China, analysts warn. Agora is subject to the PRC's cybersecurity law. The documents that Agora filed with the US Securities and Exchange Commission (SEC) state that it is obliged to "provide assistance and support in accordance with [PRC] law," including for the protection of national security and for criminal investigations. If the Chinese government determines that an audio message is a threat to national security, Agora will be required by law to help the government locate and store it.
SIO found other security holes, which it has not yet publicly disclosed, but it has notified Clubhouse about them.
Lack of user verification
There is no user verification feature in Clubhouse. Anyone can register in the application under the guise of a famous person, enter rooms in that person's name, commit fraud and manipulate others, says Anton Kardanov, head of the information security sector at AT Consulting. It is easy to impersonate other people, gain the trust of potential victims and provoke them into taking some action, agrees Infosecurity CEO Kirill Solodovnikov. According to him, an attacker can introduce himself as anyone and lure people into a financial pyramid, or offer them a visit to a fake site, participation in a promotion, a prize draw and so on.
In mid-February, a user registered in Clubhouse under the name of Alla Pugacheva with a photo of the Russian singer. Later, Pugacheva's concert director said that the artist was not on this social network. By that time, the unknown person posing as Pugacheva had managed to create a room in which he talked with users for several hours, sang the song "Call me with you," and criticized Philip Kirkorov for cooperating with TikTokers.