Sophos Uncovers Fleeceware Scam Targeting Users with Fake ChatGPT Apps

Sophos, a global leader in cybersecurity, has revealed the presence of fleeceware apps masquerading as ChatGPT-based chatbots. These deceptive apps, discovered on the Apple App Store and Google Play Store, exploit users by overcharging for minimal functionality. In a comprehensive report titled “FleeceGPT Mobile Apps Target AI-Curious to Rake in Cash,” Sophos X-Ops highlights the prevalence of these apps and the tactics employed to coerce unsuspecting users into costly subscriptions.

According to Sophos, scammers consistently leverage the latest trends and technologies to line their pockets, and ChatGPT is no exception. With a surge in interest in artificial intelligence (AI) and chatbots, users are flocking to app stores to download anything resembling ChatGPT. Exploiting this trend, fleeceware apps bombard users with advertisements until they sign up for a subscription. These apps, dubbed “fleeceware” by Sophos, capitalize on users’ potential oversight of subscription costs or their tendency to forget about ongoing payments. Designed to offer limited functionality post-free trial, these apps manipulate users into unwittingly committing to monthly or weekly payments.

Sophos X-Ops examined five fleeceware apps claiming to be based on ChatGPT’s algorithm. Some developers even manipulated app names, like “Chat GBT,” to improve their rankings in app stores. Despite OpenAI providing basic ChatGPT functionality for free online, these fleeceware apps charged users between $10 per month and $70 per year. For instance, the iOS version of “Chat GBT,” named Ask AI Assistant, demanded $6 per week or a staggering $312 per year after the three-day free trial. In March alone, it generated $10,000 for the developers. Another app called Genie, which enticed users into a $7 weekly or $70 annual subscription, brought in $1 million in a month.

Sophos first identified fleeceware apps in 2019 and outlined their key characteristics. These apps exploit users by charging for functionality that is already available for free elsewhere. Additionally, they employ social engineering tactics to manipulate users into subscribing to recurring payments. The free trials of these apps are laden with ads and restrictions, rendering them practically unusable until a subscription is purchased. Moreover, fleeceware apps often suffer from poor implementation and functionality, even in the paid version. To further deceive users, they inflate their ratings through fake reviews and incessant rating requests before the app has been fully utilized or the free trial ends.

Fleeceware apps carefully navigate the boundaries set by Google and Apple’s guidelines, ensuring compliance with security and privacy rules to avoid rejection during review. Although both platforms have implemented stricter guidelines to curb fleeceware since Sophos first reported on such apps in 2019, developers continue to find ways to bypass these policies. For instance, they severely limit app usage and functionality until users pay. While some ChatGPT fleeceware apps mentioned in the report have been taken down, new ones continue to emerge. User education plays a vital role in protection, as users must be aware that such apps exist and thoroughly read subscription details before committing. Apple and Google provide avenues for reporting unethical apps, and users should follow the store guidelines to unsubscribe properly, as simply deleting the fleeceware app does not cancel the subscription.

30 May 2023

Author: Terry KS