Fake ChatGPT apps on the Google Play Store can hijack Android phones and use phone numbers for scams, according to cybersecurity researchers from Palo Alto Networks Unit 42. These malicious apps disguise themselves as ChatGPT, the widely used AI chatbot. Malware can steal personal information or cause damage to phones, and the researchers found that these fake ChatGPT apps are designed to do both.
The researchers discovered two types of active malware. One disguises itself as an app called SuperGPT but is actually a Meterpreter Trojan. The other pretends to be the genuine ChatGPT app but secretly sends messages to premium-rate phone numbers in Thailand. Premium-rate numbers are typically used for services where users pay for information or a specific service, but in this case the malware creators use them to make money through fraud.
The researchers also discovered a malicious Android Package Kit (APK) sample that enables attackers to take control of an Android phone remotely. This APK is a modified version of the genuine AI assistant app based on the latest version of ChatGPT. To make matters worse, other malware samples in APK format masquerade as innocent apps with the ChatGPT logo as their icon. These samples appear to be related to the legitimate ChatGPT AI tool but hide a malicious purpose beneath the surface.
Be cautious when downloading apps on your Android phone: stick to trusted sources and be wary of apps that claim to be something they’re not, especially if they claim to be related to ChatGPT. The researchers found that these malware apps appeared around the same time that OpenAI released GPT-3.5 and GPT-4, so people who are interested in ChatGPT should be extra cautious when looking for a legitimate app.