Sophos, a pioneer in cybersecurity innovation and cybersecurity as a service, today reported that it has discovered several apps posing as authentic ChatGPT-based chatbots that overcharge customers and earn their developers thousands of dollars each month.
These apps, described in Sophos X-Ops’ most recent report, “‘FleeceGPT’ Mobile Apps Target AI-Curious to Rake in Cash,” have appeared in both the Google Play and Apple App Stores. Because the free versions have almost no functionality and show constant ads, they pressure unwary users into a subscription that can cost hundreds of dollars per year.
“Scammers have and always will use the latest trends or technology to line their pockets. ChatGPT is no exception. With interest in AI and chatbots arguably at an all-time high, users are turning to the Apple App and Google Play Stores to download anything that resembles ChatGPT. These types of scam apps—what Sophos has dubbed ‘fleeceware’—often bombard users with ads until they sign up for a subscription. They’re banking on the fact that users won’t pay attention to the cost or simply forget that they have this subscription. They’re specifically designed so that they may not get much use after the free trial ends, so users delete the app without realizing they’re still on the hook for a monthly or weekly payment,” said Sean Gallagher, principal threat researcher, Sophos.
In total, Sophos X-Ops examined five of these ChatGPT fleeceware apps, each of which claimed to be based on ChatGPT’s algorithm. In some instances, such as with the app “Chat GBT,” the creators used the ChatGPT name to raise the program’s position in the Google Play or App Store listings. While these programs charged anywhere from $10 per month to $70.00 per year, OpenAI provides the essential features of ChatGPT for free online. After a three-day free trial, the iOS version of “Chat GBT,” named Ask AI Assistant, charges $6 per week, or $312 per year; it brought in $10,000 for the developers in March alone. Another fleeceware-like app, called Genie, which encourages users to sign up for a $7 weekly or $70 annual subscription, brought in $1 million over the past month.
The main traits of fleeceware apps, which Sophos first identified in 2019, include overcharging consumers for features that are already available for free elsewhere and using coercive and social engineering techniques to persuade users to sign up for recurring subscription payments. The apps typically provide a free trial, but because of the numerous ads and limitations, they are seldom usable unless a subscription is paid. Even after users upgrade to the paid version, the functionality is frequently subpar because the apps are often poorly conceived and implemented. Fake reviews and constant prompts for customers to rate the app before they have even tried it, or before the free trial has ended, are other ways they artificially inflate their ratings in the app stores.
“Fleeceware apps are specifically designed to stay on the edge of what’s allowed by Google and Apple in terms of service, and they don’t flout the security or privacy rules, so they are hardly ever rejected by these stores during the review. While Google and Apple have implemented new guidelines to curb fleeceware since we reported on such apps in 2019, developers are finding ways around these policies, such as severely limiting app usage and functionality unless users pay up. While some of the ChatGPT fleeceware apps included in this report have already been taken down, more continue to pop up—and it’s likely more will appear. The best protection is education. Users need to be aware that these apps exist and always be sure to read the fine print whenever hitting ‘subscribe.’ Users can also report apps to Apple and Google if they think the developers are using unethical means to profit,” said Gallagher.
All the apps in the report have been reported to Apple and Google. Users who have already downloaded these apps should follow the App Store or Google Play instructions on how to unsubscribe; simply deleting a fleeceware app does not cancel the subscription, which will remain active.