[Image: AI app store app. © Boumen Japet/Shutterstock.com]

Cybersecurity firm Sophos has warned that there is a growing number of dubious ChatGPT apps taking advantage of the surging interest in OpenAI’s chatbot to fleece victims of money. Some also track users and harvest their data.

These “fleeceware applications,” found on both Google’s Play Store and Apple’s App Store, have the same basic functionality available for free on OpenAI’s website and its recently released ChatGPT iOS app.

“All of the apps were offered as free [with little or no mention of subscriptions required to unlock basic functionality], had aggressive monetization tactics, and came with default subscription rates that were in many cases not in line with the functionality they provided,” Sophos said in a report on May 17.

Although initially free, these apps lure users into purchasing a subscription by bombarding them with ads and limiting the features available. The cost of a subscription varies from as low as $6 monthly to up to $364 annually.

Despite “their near-zero functionality” and artificially boosted app reviews, “there’s little incentive” for Apple and Google to delete these apps as they receive a percentage of their profits. Sophos said it had reported its findings to both companies. While Google has removed some of these questionable apps, Apple is yet to take action at the time of writing.

Fleeceware Apps First Observed in 2020

Sophos first reported on fleeceware apps in 2020, revealing that spurious apps on the Play Store were charging users upwards of $200 a month for features that were available for free or at a much lower cost.

Since then, Google and Apple have updated their policies to curb cash-stealing apps. Among other things, app developers are required to “be upfront about their subscription fees” and allow users to cancel free trials before charging them, Sophos said. However, fleeceware apps have also evolved to circumvent these policies.

Sophos’ latest investigation into fleeceware apps began after Sophos X-Ops principal researcher Andrew Brandt came across an ad for an app named “Chat GBT” with a logo that bears a striking resemblance to OpenAI’s.

“We found many other apps jumping on the ChatGPT bandwagon following a similar naming convention in an effort to attract users searching for the right app,” Sophos said.

Fleeceware Tactics

According to Sophos, these fake ChatGPT apps tend to limit the number of daily queries or provide abbreviated responses to push users to pay for a subscription.

At least one of these fleeceware apps on the App Store requests permission to “track user activity across other apps and websites” under the guise of using this data to improve its functionality. Another app also requests permission to send notifications.

Unfortunately, these fleeceware apps have already been installed by thousands of users.

Fleeceware apps are “rarely rejected” during review as they are not designed to access private information or bypass app store security like other malicious apps, Sophos said.

While these apps do not outright violate app store policies, they come close to doing so. For example, Apple’s App Store policies prohibit developers from blocking, manipulating, or tricking users. However, these apps usually force users to rate them and interrupt users with pop-ups.

One of these apps “regularly interrupted application use with a window prompting for free trial signup—with automatic subscriptions at $8 a week—that could only be bypassed after waiting a few minutes for a window-closing ‘x’ to appear,” Sophos said.

How to Avoid Fleeceware Apps

Due to the size of the Play Store and App Store, it’s difficult for Google and Apple to police their respective platforms effectively and wipe out all malicious apps. We’ve observed fake ChatGPT apps appearing on both platforms since the beginning of the year. Last month, Chinese tech company Baidu sued Apple over apps impersonating its Ernie chatbot on the App Store.

To avoid falling victim to fleeceware, Sophos recommends paying “close attention to in-app payments and subscriptions tied to ‘free trial’ software.” The company also recommends assessing reviews.

“If you’ve discovered you have installed a fleeceware app, it’s important to note that just deleting the app will not end the subscription,” Sophos noted. Your account may continue to be charged, so cancel your subscription before deleting any dubious app.

“For now, the only real defense is user education. Before tapping the install button, users need to make sure they’re aware of any in-app purchases associated with a free app and evaluate whether the fees associated with any application are in line with what’s available elsewhere. And when applications use unethical means to profit, users should report them to Apple or Google,” Sophos advised.
