
Fleeceware apps using ChatGPT hype to scam users out of thousands of dollars

Article by Nathan Hew

Fleeceware apps are taking advantage of the ChatGPT hype. The powerful language model developed by OpenAI has caught the eye of many cybersecurity experts, who are closely monitoring its potential impact on the field. From students to technology professionals, ChatGPT has become an increasingly common term in everyday vocabulary, but cybercriminals are also keeping tabs on the tech.

Its biggest impact is in the consumer market, an area that often lacks adequate cybersecurity awareness. This month, Sophos has uncovered multiple apps masquerading as legitimate ChatGPT-based chatbots to overcharge users and bring in thousands of dollars a month.

As detailed in Sophos X-Ops’ latest report, “‘FleeceGPT’ Mobile Apps Target AI-Curious to Rake in Cash,” these apps have shown up in both the Google Play and Apple App Store. Since the free versions have near-zero functionality and constant ads, they coerce unsuspecting users into signing up for a subscription that can cost hundreds of dollars a year.

“Scammers have and always will use the latest trends or technology to line their pockets. ChatGPT is no exception. With interest in AI and chatbots arguably at an all-time high, users are turning to the Apple App and Google Play Stores to download anything that resembles ChatGPT,” said Sean Gallagher, principal threat researcher, Sophos. 

What are fleeceware apps? 

These types of scam apps — which Sophos has dubbed “fleeceware” — often bombard users with ads until they sign up for a subscription. “They are banking on the fact that users won’t pay attention to the cost or simply forget that they have this subscription,” Gallagher shares. “They’re specifically designed so that they may not get much use after the free trial ends, so users delete the app without realizing they’re still on the hook for a monthly or weekly payment.”

Sophos X-Ops investigated five ChatGPT fleeceware apps, all of which claimed to be based on ChatGPT’s algorithm. In some cases, as with the app “Chat GBT,” the developers played off the ChatGPT name to improve their app’s ranking in the Google Play or App Store. 

The Google Play page for Chat GBT, now removed. (Source – Sophos)

While OpenAI offers users the basic functionality of ChatGPT for free online, these apps were charging anything from US$10 a month to US$70 a year. The iOS version of “Chat GBT,” called Ask AI Assistant, charges US$6 a week — or US$312 a year — after the three-day free trial. In March alone, the developers made US$10,000.

Another fleeceware-like app, Genie, encouraged users to sign up for a US$7 weekly or US$ annual subscription, bringing in US$1 million over the past month.

What are the key characteristics of these apps?

Discovered by Sophos in 2019, these apps overcharge users for functionality that is already free elsewhere. Developers also use social engineering and coercive tactics to convince users to sign up for a recurring subscription payment. Usually, the apps offer a free trial but with so many ads and restrictions, they’re only usable once a subscription is paid.

Most of the time, these apps are poorly written and implemented. This means that the app's functionality is often less than ideal even after users switch to the paid version. They also inflate their ratings in the app stores through fake reviews and persistent requests for users to rate the app before it’s even been used or the free trial ends.

“Fleeceware apps are specifically designed to stay on the edge of what’s allowed by Google and Apple in terms of service, and they don’t flout the security or privacy rules, so they are hardly ever rejected by these stores during a review,” Gallagher shares. “While Google and Apple have implemented new guidelines to curb fleeceware since we reported on such apps in 2019, developers are finding ways around these policies, such as severely limiting app usage and functionality unless users pay up.”

On that note, prevention is better than cure. While some ChatGPT fleeceware apps in Sophos X-Ops’ latest report have been taken down, more continue to pop up. “The best protection is education. Users need to be aware that these apps exist and always be sure to read the fine print whenever hitting ‘subscribe.’ Users can also report apps to Apple and Google if they think the developers are using unethical means to profit,” Gallagher advised.