Fake ChatGPT Apps Scam Android Users

Security experts from Sophos have raised a warning about a new form of scam infiltrating Google Play and Apple's App Store. These fraudulent apps claim to provide access to OpenAI's chatbot service, ChatGPT, through free trials but eventually start charging subscription fees.

While OpenAI does offer paid versions of GPT and ChatGPT for regular users and developers, the AI chatbot can be tried for free on OpenAI's website. The scammers behind these apps take advantage of individuals who are interested in the new technology but lack the knowledge to try it themselves. The researchers initially discovered these scam apps through ads in news apps and social networks, but users may also come across them while searching on Google Play and the App Store.

The scammers use tactics like typos in the app names to target less tech-savvy users and avoid those who would cancel the free trial due to dissatisfaction. These scams fall under the category of "fleeceware." The difficulty in combating these apps lies in the fact that they do not exhibit overtly malicious behavior, making it challenging for them to be identified as explicit malware. When submitting these apps to Apple and Google for review, scammers may not fully disclose the subscription pricing details or when users will be required to pay to continue using the app. Later, they can modify the subscription terms without changing the app's technical aspects.

Exploitative Apps Abuse Storefront Subscription Models

Google and Apple provide mechanisms for developers to offer in-app purchases, including one-time fees and recurring charges. These companies receive a percentage of the payments collected by apps in their respective app stores.

For instance, the Android app "Open Chat GBT" could be downloaded for free but bombarded users with excessive ads. Users were allowed only three chatbot interactions before being prompted to subscribe. By default, users could opt for a three-day free trial, after which the subscription would cost $10 per month. Another option was a $30 annual subscription. The researchers also found a similar app with a different name but from the same developer in the App Store for iOS.

Sophos researchers reported some of the fake AI chatbot apps to Apple and Google, leading to the takedown of some apps. However, some apps remained available even after being flagged. Apple and Google acknowledged the submissions, but they did not immediately respond to requests for comment.

The researchers suspect that some of these apps utilize OpenAI's ChatGPT 3 API to generate content, while others use lower-quality chatbot functionalities. Instead of limiting the number of queries, some apps truncate responses and provide users with only a snippet until they subscribe.

One significant issue with fleeceware, as highlighted by a senior threat researcher at Sophos, is that users often lack knowledge about managing their subscriptions. They may not realize that even after deleting an app, the recurring payments for the service will continue.