Sophos, a global leader in innovating and delivering cybersecurity as a service, announced that it had uncovered multiple apps masquerading as legitimate, ChatGPT-based chatbots to overcharge users and bring in thousands of dollars a month. As detailed in Sophos X-Ops’ latest report, ââFleeceGPTâ Mobile Apps Target AI-Curious to Rake in Cash,â these apps have popped up in both the Google Play and Apple App Store, and, because the free versions have near-zero functionality and constant ads, they coerce unsuspecting users into signing up for a subscription that can cost hundreds of dollars a year.
âScammers have and always will use the latest trends or technology to line their pockets. ChatGPT is no exception. With interest in AI and chatbots arguably at an all-time high, users are turning to the Apple App and Google Play Stores to download anything that resembles ChatGPT. These types of scam appsâwhat Sophos has dubbed âfleecewareââoften bombard users with ads until they sign up for a subscription. Theyâre banking on the fact that users wonât pay attention to the cost or simply forget that they have this subscription. Theyâre specifically designed so that they may not get much use after the free trial ends, so users delete the app without realizing theyâre still on the hook for a monthly or weekly payment,â said Sean Gallagher, principal threat researcher, Sophos.
In total, Sophos X-Ops investigated five of these ChatGPT fleeceware apps, all of which claimed to be based on ChatGPTâs algorithm. In some cases, as with the app âChat GBT,â the developers played off the ChatGPT name to improve their appâs ranking in the Google Play or App Store. While OpenAI offers the basic functionality of ChatGPT to users for free online, these apps were charging anything from $10 a month to $70.00 a year. The iOS version of âChat GBT,â called Ask AI Assistant, charges $6 a weekâor $312 a yearâafter the three-day free trial; it netted the developers $10,000 in March alone. Another fleeceware-like app, called Genie, which encourages users to sign up for a $7 weekly or $70 annual subscription, brought in $1 million over the past month.
The key characteristics of so-called fleeceware apps, first discovered by Sophos in 2019, are overcharging users for functionality that is already free elsewhere, as well as using social engineering and coercive tactics to convince users to sign up for a recurring subscription payment. Usually, the apps offer a free trial but with so many ads and restrictions, theyâre barely useable until a subscription is paid. These apps are often poorly written and implemented, meaning app function is often less than ideal even after users switch to the paid version. They also inflate their ratings in the app stores through fake reviews and persistent requests of users to rate the app before itâs even been used or the free trial ends.
âFleeceware apps are specifically designed to stay on the edge of whatâs allowed by Google and Apple in terms of service, and they donât flout the security or privacy rules, so they are hardly ever rejected by these stores during review. While Google and Apple have implemented new guidelines to curb fleeceware since we reported on such apps in 2019, developers are finding ways around these policies, such as severely limiting app usage and functionality unless users pay up. While some of the ChatGPT fleeceware apps included in this report have already been taken down, more continue to pop upâand itâs likely more will appear. The best protection is education. Users need to be aware that these apps exist and always be sure to read the fine print whenever hitting âsubscribe.â Users can also report apps to Apple and Google if they think the developers are using unethical means to profit,â said Gallagher.
All apps included in the report have been reported to Apple and Google. For users who have already downloaded these apps, they should follow the App or Google Play storeâs guidelines on how to âunsubscribe.â Simply deleting the fleeceware app will not void the subscription.