What you need to know before downloading Clubhouse | Kaspersky official blog

Since Clubhouse’s introduction, the invitation-only audio-chat service has topped App Store downloads, and its audience grew from 600,000 to 10 million in just a few weeks. For good reasons and bad, the name seems to be on everyone’s lips these days. Amidst the hype, it’s easy to overlook threats to your privacy and even wallet.

What Clubhouse is

In case you missed it, Clubhouse is an app that provides a space for drop-in audio chats. Users can listen to or join a conversation (with permission from the organizer). One of Clubhouse’s first big-name fans was Elon Musk, whose tweet in late January triggered a surge of interest in the service. Mark Zuckerberg followed, then Drake and other celebrities. Such endorsements are gold, and Clubhouse’s audience quickly grew.

However, with the app still in beta testing, plus ever-vigilant scammers looking to cash in on new social media, security is far from flawless.

The other Clubhouse

Clubhouse caused a splash, but also some confusion. When Elon Musk announced his appearance on the social network, investors rushed to buy shares, but they mixed it up with a similar-sounding but entirely different organization. The “right” Clubhouse has not even gone public yet.

Also, Clubhouse is currently an iPhone-only app. That didn’t stop some lovers of chat from downloading a project-management app of the same name from Google Play. Having discovered their mistake, irate users review-bombed the app, forcing its creators to temporarily withdraw it from the store.

Those issues, though not great, pose no direct threat to Clubhouse users. Regrettably, though, Google Play is also home to a bunch of blatant Clubhouse fakes. Smartphone or tablet users who install such apps run the risk of giving cybercriminals access to their passwords for online banking and social media, as well as their contact lists, not to mention being bombarded with advertising banners.

A vast number of fake Clubhouse apps for Android have appeared on Google Play

Android users who want to join the conversation on Clubhouse will just have to keep an eye on the Clubhouse website and wait for the release of the official app on Google Play.

Clubhouse privacy issues

Because Clubhouse is still in beta, it is supposed to be limited to a handful of people, making bug detection and fixing easier. Not surprisingly, some bugs have cropped up in the app’s security system.

In Clubhouse’s short history, experts have already had to issue several reminders that the app does not guarantee user privacy. In mid-February, researchers at the Stanford Internet Observatory (SIO) discovered that user and chat-room IDs are transmitted to the servers in plaintext. SIO suggested that Agora, a Chinese provider of back-end infrastructure for Clubhouse, likely has access to users’ raw audio, although no one has confirmed or refuted the assertion.

Just a few days after SIO posted about Clubhouse, rumors of leaked records appeared on Twitter, and Clubhouse soon confirmed them. A certain user, it was reported, had managed to stream content from the app on their own website. The company did not comment on the incident in detail, but it clarified that the user was in breach of the privacy policy; it wasn’t a hack. The culprit having been banned, the developers promised to fix the bug, but how many more loopholes remain in the software — which is not finished — is hard to say.

SIO also notes that a tech-savvy person would have little trouble figuring out the app’s code. A developer from St. Petersburg proved that in practice by creating an unofficial Clubhouse client for Android in a day. That’s all the more reason for users to think about what vulnerabilities might be lurking in the code.

No hacking required

After registration, the app asks for access to your contact list. If you refuse, you won’t be able to invite anyone to the social network. Therefore, to make full use of Clubhouse you have to give up your contacts. What’s more, the privacy policy permits the developers to transfer such data to a very wide range of third parties, from contractors to marketing agencies and law enforcement agencies.

In addition, the app provides no incognito mode, so your every action in the app leaves a trace. Nor is the app interface outfitted with a “Delete account” button. To initiate the procedure, you have to send a written request.

On top of that, Clubhouse currently lacks full-fledged account verification, so basically anyone can impersonate anyone. Users have already swallowed the bait of a fake Brad Pitt, among others. The impersonation cases may be seen as harmless pranks, but the problem has a more serious side: Scammers have long used both real and fake celebrity accounts for their own purposes — think of the numerous Bitcoin scams on Twitter.

You can’t believe everything you hear, and Clubhouse chat rooms are no exception. If a well-known voice pushes an interesting project, check the information in sources you know you can trust.

Tips and recommendations

  • At the time of posting, Clubhouse was not available for Android, so don’t fall for fake apps in Google Play;
  • Don’t trust Clubhouse to keep your speech and actions private. Share only information you would post in the public domain;
  • Before installing any new app, think about whether you really need it — and if so, whether you can wait for beta or 1.0 errors to shake out;
  • Research apps before installing them — find out about the developers, what data they want, and who they can share it with;
  • Stay on your guard — scammers are forever devising new schemes to defraud users. We will definitely keep covering them, so watch this space, and in the meantime, try not to become the victim of the next story;
  • Equip your devices with a reliable security solution that blocks malware, including apps disguised as Clubhouse for Android.