These Apps—Known as Fleeceware—Take Advantage of App Store Policy Loopholes and Coercive Tactics to Overcharge Users for AI Assistants

OXFORD, U.K. — Mai 17, 2023 —

Sophos, a global leader in innovating and delivering cybersecurity as a service, today announced that it had uncovered multiple apps masquerading as legitimate, ChatGPT-based chatbots to overcharge users and bring in thousands of dollars a month. As detailed in Sophos X-Ops' latest report, “’FleeceGPT’ Mobile Apps Target AI-Curious to Rake in Cash,” these apps have popped up in both the Google Play and Apple App Store, and, because the free versions have near-zero functionality and constant ads, they coerce unsuspecting users into signing up for a subscription that can cost hundreds of dollars a year.

“Scammers have and always will use the latest trends or technology to line their pockets. ChatGPT is no exception. With interest in AI and chatbots arguably at an all-time high, users are turning to the Apple App and Google Play Stores to download anything that resembles ChatGPT. These types of scam apps—what Sophos has dubbed ‘fleeceware’—often bombard users with ads until they sign up for a subscription. They’re banking on the fact that users won’t pay attention to the cost or simply forget that they have this subscription. They’re specifically designed so that they may not get much use after the free trial ends, so users delete the app without realizing they’re still on the hook for a monthly or weekly payment,” said Sean Gallagher, principal threat researcher, Sophos.

In total, Sophos X-Ops investigated five of these ChatGPT fleeceware apps, all of which claimed to be based on ChatGPT’s algorithm. In some cases, as with the app “Chat GBT,” the developers played off the ChatGPT name to improve their app’s ranking in the Google Play or App Store. While OpenAI offers the basic functionality of ChatGPT to users for free online, these apps were charging anything from $10 a month to $70.00 a year. The iOS version of “Chat GBT,” called Ask AI Assistant, charges $6 a week—or $312 a year—after the three-day free trial; it netted the developers $10,000 in March alone. Another fleeceware-like app, called Genie, which encourages users to sign up for a $7 weekly or $70 annual subscription, brought in $1 million over the past month.

The key characteristics of so-called fleeceware apps, first discovered by Sophos in 2019, are overcharging users for functionality that is already free elsewhere, as well as using social engineering and coercive tactics to convince users to sign up for a recurring subscription payment. Usually, the apps offer a free trial but with so many ads and restrictions, they’re barely useable until a subscription is paid. These apps are often poorly written and implemented, meaning app function is often less than ideal even after users switch to the paid version. They also inflate their ratings in the app stores through fake reviews and persistent requests of users to rate the app before it’s even been used or the free trial ends.

“Fleeceware apps are specifically designed to stay on the edge of what’s allowed by Google and Apple in terms of service, and they don’t flout the security or privacy rules, so they are hardly ever rejected by these stores during review. While Google and Apple have implemented new guidelines to curb fleeceware since we reported on such apps in 2019, developers are finding ways around these policies, such as severely limiting app usage and functionality unless users pay up. While some of the ChatGPT fleeceware apps included in this report have already been taken down, more continue to pop up—and it’s likely more will appear. The best protection is education. Users need to be aware that these apps exist and always be sure to read the fine print whenever hitting ‘subscribe.’ Users can also report apps to Apple and Google if they think the developers are using unethical means to profit,” said Gallagher.

All apps included in the report have been reported to Apple and Google. For users who have already downloaded these apps, they should follow the App or Google Play store’s guidelines on how to “unsubscribe.” Simply deleting the fleeceware app will not void the subscription.

Learn more about these scam ChatGPT apps and how to avoid them in ’FleeceGPT’ Mobile Apps Target AI-Curious to Rake in Cash on Sophos.com

Über Sophos

Sophos ist ein weltweit führender Anbieter von modernsten Sicherheitslösungen zur Abwehr von Cyberangriffen, einschließlich Managed Detection and Response (MDR) und Incident Response Services sowie einem breiten Portfolio an Endpoint-, Netzwerk-, E-Mail- und Cloud-Security-Technologien. Als einer der größten ausschließlich auf Cybersicherheit spezialisierten Anbieter schützt Sophos weltweit mehr als 600.000 Unternehmen und Organisationen und mehr als 100 Mio. Benutzer vor aktiven Angreifern, Ransomware, Phishing, Malware und mehr. Die Services und Produkte von Sophos sind über die Management-Konsole Sophos Central miteinander verbunden und werden vom bereichsübergreifenden Threat-Intelligence-Expertenteam Sophos X-Ops unterstützt. Die Sophos X-Ops Intelligence optimiert das gesamte Sophos Adaptive Cybersecurity Ecosystem. Dieses Ökosystem umfasst einen zentralen Data Lake, der eine Vielzahl offener APIs nutzt, die Kunden, Partnern, Entwicklern und anderen Cybersecurity- und Informationstechnologie-Anbietern zur Verfügung stehen. Sophos bietet Cybersecurity-as-a-Service für Unternehmen und Organisationen an, die vollständig verwaltete Sicherheitslösungen benötigen. Kunden können ihre Cybersicherheit auch direkt mit der Sophos Security-Operations-Plattform verwalten oder einen hybriden Ansatz nutzen, bei dem sie ihre internen Teams mit Sophos-Services ergänzen, einschließlich Threat Hunting und Maßnahmen zur Beseitigung von Bedrohungen. Sophos vertreibt seine Produkte und Services über ein weltweites Netzwerk von Vertriebspartnern und Managed Service Providern (MSPs). Sophos hat seinen Hauptsitz im britischen Oxford. Weitere Informationen finden Sie unter www.sophos.de.