As invite-only audio conversation app Clubhouse gains popularity, cyber security experts warned on Friday that hackers can distribute malicious code under the guise of fake applications to join the platform.
There are privacy concerns because Clubhouse works with a Shanghai-based company called Agora to provide real-time audio technology support. The firm is headquartered in Shanghai and Silicon Valley.
Denis Legezo, security expert at cyber-security firm Kaspersky, said that there are two main concerns here -- the sale of invites and fake applications.
"Both scenarios are united by one thing -- the desire to exploit users' interest in the social platform," he said in a statement.
Beware of fake Clubhouse invites
The first scenario is simply monetisation on a small scale. "However, the second scenario is more serious. Attackers can distribute malicious code under the guise of popular software - for instance, a fake version of Clubhouse for Android," Legezo emphasised.
"A fake malicious application can do exactly what you allow it to do in the security settings of your Android -- to get a rough or accurate location of the device, record audio and video, attain access to messengers, etc.," he warned.
Melissa Chan, a Hong Kong-American broadcast journalist, gave a talk on Clubhouse on February 4 about Beijing's overseas influence campaigns.
According to The Star, she found out that "the conversation was surreptitiously recorded by individuals who sympathized with Chinese Communist Party actions".
"The security repercussions could be as benign as nothing happening to users, to police in their country detaining a Clubhouse user because of something they said. Even if absolutely nothing happens to a user living in an authoritarian country, keep in mind that that person lives with the uncertainty of not knowing if something might happen in the future," Chan was quoted as saying in the report.
Some more unusual tricks are also possible on Clubhouse.
"For instance, if attackers implement the capacity to record audio, and this function is allowed on the device, they would be able to use high quality recordings to train their machine algorithms, to create more sophisticated deep fakes," Legezo commented.
In an interview with the South China Morning Post, Agora has said it does not "store any end-user data".
In its last blog post late last month, Clubhouse which has seen over 8 million users on Apple devices, said user safety has always been a top priority for them.
"This means scaling up our Trust & Safety and Support teams as we grow, continuing to invest in advanced tools to detect and prevent abuse, and increasing the features and training resources available to moderators," it said.
(With inputs from IANS)