Digital scams and phishing attacks are adapting to exploit major trends and events, and the rise of large language models and generative AI is no exception. Sophos, a security firm, has recently issued a warning regarding scammy apps available on Google Play and Apple's App Store. These deceptive apps falsely claim to provide access to OpenAI's chatbot service, ChatGPT, through free trials, only to start charging subscription fees later on.
OpenAI does offer paid versions of GPT and ChatGPT for regular users and developers, but the AI chatbot can be freely accessed on the company's website. The scam apps take advantage of individuals who have heard about this new technology but lack the necessary context to try it themselves. Sophos researchers initially became aware of these scam apps through advertisements in news apps and social networks, but users can also encounter them through searches on Google Play and the App Store.
These scams fall under the category of fleeceware: apps that trap victims into paying regular fees without exhibiting the explicitly malicious behavior that would trigger removal as malware. When scammers submit their apps for review by Apple and Google, they may not disclose all the subscription pricing details or when users will be required to pay for continued functionality. Later, scammers can adjust their demands without making any changes to the app itself.
Google and Apple provide mechanisms for developers to offer in-app purchases, including one-time fees and recurring charges. These companies earn a portion of the payment every time an app in their stores collects payment from users.
For instance, the Android app "Open Chat GBT" allowed users to download it for free but bombarded them with excessive ads. Users could only try the chatbot three times before losing access and being prompted to subscribe. By default, users were offered a three-day free trial that transitioned into a monthly $10 subscription. The app also provided a $30 annual subscription. The researchers discovered a very similar app under a different name by the same developer in the App Store for iOS.
While some of the fake AI chatbot apps were taken down by Apple and Google after being reported, others remained available. The researchers suspect that some apps utilize OpenAI's ChatGPT 3 API to generate content for users, while others rely on lower-quality chatbot functionalities. Instead of restricting the number of queries, some apps provide truncated responses or snippets until a subscription is initiated.
A major challenge with fleeceware is that users often struggle to manage their subscriptions and fail to realize that deleting an app does not cancel recurring payments. It is crucial for users to actively manage their app subscriptions and understand which services they are being charged for.
Digital scams continue to adapt and exploit emerging technologies. Awareness, vigilance, and active subscription management are essential to protect against these deceptive practices.