Hackers use fake ChatGPT apps to push Windows and Android malware

Threat actors are exploiting the popularity of OpenAI’s ChatGPT chatbot to distribute malware for Windows and Android, or direct unsuspecting victims to phishing pages.

ChatGPT has grown in popularity since its launch in November 2022, becoming the fastest-growing consumer app in modern history with over 100 million users in January 2023.

This massive popularity and rapid growth have forced OpenAI to limit the use of the tool and launch a $20/month paid tier (ChatGPT Plus) for people who want to use the chatbot without availability restrictions.

The move created the conditions for threat actors to leverage the tool’s popularity by promising uninterrupted and free access to premium ChatGPT. The offers are fake, and the goal is to trick users into installing malware or providing account credentials.

Security researcher Dominic Alvieri was among the first to notice an example using the “chat-gpt-pc.online” domain to infect visitors with the Redline information-stealing malware under the guise of a download for a Windows ChatGPT desktop client.


This website was promoted by a Facebook page that used official ChatGPT logos to trick users into being redirected to the malicious site.

Fake Facebook page (Cyble)

Alvieri also spotted fake ChatGPT apps being promoted on Google Play and third-party Android app stores to push dubious software onto people’s devices.

Fake ChatGPT Apps on Play Store (Alvieri)

Researchers from Cyble published a relevant report today in which they present additional findings regarding the malware distribution campaign discovered by Alvieri, as well as other malicious operations exploiting the popularity of ChatGPT.

Cyble discovered “chatgpt-go.online”, which distributes clipboard-stealing malware and the Aurora stealer.

Additionally, “chat-gpt-pc[.]online” delivered the Lumma stealer in Cyble’s tests. Another domain, “openai-pc-pro[.]online,” drops an unknown malware family.

In addition to the above, Cyble discovered a credit card theft page on “pay.chatgptftw.com” which supposedly offers visitors a payment portal to purchase ChatGPT Plus.

Phishing site stealing credit card details (Cyble)

As for fake apps, Cyble says it has discovered more than 50 malicious apps that use the ChatGPT icon and a similar name, all of which are fake and attempt harmful activities on users’ devices.

Two examples highlighted in the report are “chatGPT1”, a fraudulent SMS billing application, and “AI Photo”, which contains the Spynote malware, capable of stealing call logs, contact lists, SMS and device files.

Spynote malware steals call data from infected device (Cyble)

ChatGPT is exclusively an online tool available only on “chat.openai.com” and currently does not offer any mobile or desktop application for any operating system.

All other apps or sites claiming to be ChatGPT are fakes that attempt to scam users or infect them with malware. They should be considered at least suspicious, and users should avoid them.
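For defenders, the rule above (one official host, everything else carrying the brand is suspect) can be applied to web-proxy or DNS logs. The following Python sketch is an added example, not code from Cyble's report or the original article; the log format, user names and brand-token list are constructed assumptions, and the allowlist holds only the host the article names.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_HOSTS = {"chat.openai.com"}   # the only legitimate host named in the article
BRAND_TOKENS = ("chatgpt", "openai")   # assumption: brand strings worth flagging

# Constructed proxy log lines: "<timestamp> <user> <requested URL or host>".
SAMPLE_LOG = [
    "2023-02-22T09:14:03Z alice https://chat.openai.com/chat",
    "2023-02-22T09:15:40Z bob hxxp://chat-gpt-pc[.]online/download",
    "2023-02-22T09:16:12Z carol pay.chatgptftw.com:443",
    "2023-02-22T09:17:55Z dave https://chat.openai.com.login.example/",
    "2023-02-22T09:18:20Z erin https://www.example.org/news",
]

def hostname(value):
    """Return the lower-cased host of a URL or bare host, undoing defanging."""
    value = value.strip().replace("[.]", ".").replace("hxxp", "http")
    if "://" not in value:
        value = "//" + value            # let urlsplit treat a bare host as netloc
    try:
        host = urlsplit(value).hostname or ""
    except ValueError:                  # malformed bracket or netloc
        return ""
    return host.rstrip(".").lower()

def classify(value):
    """'official', 'lookalike' (brand string on a non-official host), or 'unrelated'."""
    host = hostname(value)
    if host in OFFICIAL_HOSTS:          # exact match only; suffix tricks fail here
        return "official"
    squashed = re.sub(r"[^a-z0-9]", "", host)   # "chat-gpt-pc.online" -> "chatgptpconline"
    if any(token in squashed for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"

def scan(lines):
    """Return (user, host) for every log line that requests a lookalike host."""
    hits = []
    for line in lines:
        _, user, target = line.split(maxsplit=2)
        if classify(target) == "lookalike":
            hits.append((user, hostname(target)))
    return hits

if __name__ == "__main__":
    for user, host in scan(SAMPLE_LOG):
        print(f"review: {user} requested {host}")
```

Because the allowlist is an exact match, other hosts an organization legitimately uses will also be flagged for review until they are added to `OFFICIAL_HOSTS`.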

