Hackers use fake ChatGPT apps to push Windows, Android malware

Threat actors are exploiting the popularity of OpenAI's ChatGPT chatbot to distribute malware for Windows and Android, or direct unsuspecting victims to phishing pages.

ChatGPT gained immense traction since its launch in November 2022, becoming the most rapidly growing consumer application in modern history with more than 100 million users by January 2023.

This massive popularity and rapid growth forced OpenAI to throttle the use of the tool and launch a $20/month paid tier (ChatGPT Plus) for individuals who want to use the chatbot with no availability restrictions.

The move created conditions for threat actors to take advantage of the tool's popularity by promising uninterrupted and free-of-charge access to premium ChatGPT. The offers are false, and the goal is to lure users into installing malware or providing account credentials.

Security researcher Dominic Alvieri was among the first to notice one such example using the domain "chat-gpt-pc.online" to infect visitors with the Redline info-stealing malware under the guise of a download for a ChatGPT Windows desktop client.

That website was promoted by a Facebook page that used official ChatGPT logos to trick users into getting redirected to the malicious site.

Fake Facebook page (Cyble)

Alvieri also spotted fake ChatGPT apps being promoted on Google Play and third-party Android app stores to push dubious software onto people's devices.

Fake ChatGPT apps on the Play Store (Alvieri)

Researchers at Cyble have published a relevant report today where they present additional findings regarding the malware distribution campaign discovered by Alvieri, as well as other malicious operations exploiting ChatGPT's popularity.

Cyble discovered "chatgpt-go.online", which distributes clipboard-stealing malware and the Aurora stealer.

Additionally, "chat-gpt-pc[.]online" delivered the Lumma stealer in Cyble's tests. Another domain, "openai-pc-pro[.]online," drops an unknown malware family.

In addition to the above, Cyble discovered a credit card stealing page at "pay.chatgptftw.com" that supposedly offers visitors a payment portal to purchase ChatGPT Plus.

Phishing site stealing credit card details (Cyble)

When it comes to fake apps, Cyble says it discovered over 50 malicious applications that use ChatGPT's icon and a similar name, all of them fake and attempting to perform harmful activities on users' devices.

Two examples highlighted in the report are 'chatGPT1,' an SMS billing fraud app, and 'AI Photo,' which contains the Spynote malware that can steal call logs, contact lists, SMS, and files from the device.

Spynote malware stealing call data from the infected device (Cyble)

ChatGPT is exclusively an online-based tool available only at "chat.openai.com" and does not offer any mobile or desktop apps for any operating system at the moment.

Any other apps or sites claiming to be ChatGPT are fakes attempting to scam users or infect them with malware. They should be considered at least suspicious, and users should avoid them.
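
For defenders, the rule above translates into a simple DNS-log check: flag any queried name that spells "chatgpt" or "openai" once separators are removed but is not under the official domain. The sketch below is an added example, not code from Cyble or Alvieri; the log format, the sample log lines and the choice to treat all of openai.com as official are assumptions.

```python
import re

# Assumption: only openai.com and its subdomains count as official
# (the article names chat.openai.com as the sole legitimate location).
OFFICIAL_SUFFIX = "openai.com"
BRAND_TOKENS = ("chatgpt", "openai")

def refang(domain: str) -> str:
    """Undo common defanging such as chat-gpt-pc[.]online."""
    return domain.replace("[.]", ".").strip().strip(".").lower()

def is_official(domain: str) -> bool:
    return domain == OFFICIAL_SUFFIX or domain.endswith("." + OFFICIAL_SUFFIX)

def impersonates_brand(domain: str) -> bool:
    """True if a non-official domain spells a brand token once
    hyphens, dots and other separators are removed."""
    domain = refang(domain)
    if is_official(domain):
        return False
    squashed = re.sub(r"[^a-z0-9]", "", domain)
    return any(tok in squashed for tok in BRAND_TOKENS)

def flag_queries(log_lines):
    """Return (client, domain) pairs from DNS log lines worth reviewing.
    Assumed line format: '<timestamp> <client_ip> <queried_name> <type>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        client, name = parts[1], refang(parts[2])
        if impersonates_brand(name):
            hits.append((client, name))
    return hits

# Constructed sample log; the domains are those named in the article.
SAMPLE_LOG = [
    "2023-02-22T10:01:02Z 10.0.0.5 chat.openai.com A",
    "2023-02-22T10:01:09Z 10.0.0.7 chat-gpt-pc.online A",
    "2023-02-22T10:02:30Z 10.0.0.7 pay.chatgptftw.com A",
    "2023-02-22T10:03:11Z 10.0.0.9 openai-pc-pro.online AAAA",
    "2023-02-22T10:04:00Z 10.0.0.9 example.org A",
    "malformed",
]

if __name__ == "__main__":
    for client, name in flag_queries(SAMPLE_LOG):
        print(f"review: {client} queried {name}")
```

Matches are leads for review rather than verdicts, since unrelated third-party sites can also carry these strings in their names.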