The explosive growth of artificial intelligence has created an unexpected security threat as cybercriminals exploit ChatGPT’s popularity through counterfeit mobile applications.
Recent security research uncovered sophisticated malicious apps masquerading as legitimate ChatGPT interfaces, designed to harvest sensitive user data and monitor digital activities without consent.
These fraudulent applications have infiltrated third-party app stores, targeting users seeking convenient access to AI-powered chatbots.
The malicious applications employ convincing branding techniques that mirror authentic ChatGPT interfaces, complete with recognizable logos and functional designs.
Once installed, these trojanized apps execute hidden surveillance routines while maintaining the appearance of working AI assistants.
The threat intensifies as millions worldwide download unofficial AI applications from unverified sources, unaware of embedded spyware compromising their devices.
Appknox analysts identified these malicious ChatGPT clones during comprehensive mobile security research examining AI-themed applications across distribution platforms.
The security team discovered that threat actors weaponize brand trust as an attack vector, exploiting widespread ChatGPT familiarity to compromise user devices.
Analysis revealed these counterfeits implement full malware frameworks capable of persistent surveillance and credential theft.
Technical examination showed network communications masked through domain fronting using legitimate cloud infrastructure from Amazon Web Services and Google Cloud.
This sophisticated obfuscation allows malicious traffic to blend with normal communications, evading security detection.
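Domain fronting of the kind described above (TLS to a trusted cloud edge, inner HTTP Host pointing somewhere else) leaves a detectable mismatch where a TLS-inspecting proxy or an on-device instrumentation hook can see both values. The script below is an added example, not code from the article or from Appknox: it reads a constructed `key=value` proxy log (the field names `client`, `sni` and `host` and the list of frontable suffixes are assumptions for the demonstration) and flags requests whose SNI names a cloud edge domain while the Host header names an unrelated domain.

```python
"""Flag possible domain fronting in proxy logs that record both TLS SNI and
the inner HTTP Host header.

Added example, not from the article or the Appknox research. The log format
(space-separated key=value pairs with client, sni and host fields) and the
frontable domain suffixes below are assumptions made for this demonstration.
"""
from collections import Counter

# Assumed cloud/CDN edge suffixes behind which unrelated services can be
# reached. A real deployment maintains its own list.
FRONTABLE_SUFFIXES = (
    ".cloudfront.net",
    ".amazonaws.com",
    ".googleapis.com",
    ".appspot.com",
)


def parse_line(line):
    """Turn 'k1=v1 k2=v2 ...' into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def is_frontable(name):
    """True if the hostname sits under one of the assumed edge suffixes."""
    return any(name.endswith(suffix) for suffix in FRONTABLE_SUFFIXES)


def detect_fronting(lines):
    """Return (client, sni, host) for each request where the TLS SNI is a
    cloud edge domain but the decrypted Host header names a domain that is
    not itself under a frontable suffix. Same-SNI traffic and edge-to-edge
    redirection are deliberately left alone to keep false positives low."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        sni = fields.get("sni", "").lower()
        host = fields.get("host", "").lower()
        if not sni or not host:
            continue  # no TLS inspection on this line; nothing to compare
        if is_frontable(sni) and host != sni and not is_frontable(host):
            hits.append((fields.get("client"), sni, host))
    return hits


def clients_by_hits(hits):
    """Count mismatches per client so repeat offenders surface first."""
    return Counter(client for client, _, _ in hits)


# Constructed sample log: 10.0.0.7 repeatedly reaches a non-cloud host
# through cloud edges; the other clients talk to the edge itself.
SAMPLE_LOG = """\
ts=1 client=10.0.0.5 sni=d1a2b3.cloudfront.net host=d1a2b3.cloudfront.net status=200
ts=2 client=10.0.0.5 sni=storage.googleapis.com host=storage.googleapis.com status=200
ts=3 client=10.0.0.7 sni=d1a2b3.cloudfront.net host=update-check.example status=200
ts=4 client=10.0.0.7 sni=d1a2b3.cloudfront.net host=update-check.example status=200
ts=5 client=10.0.0.9 sni=chat.openai.com host=chat.openai.com status=200
ts=6 client=10.0.0.7 sni=www.googleapis.com host=sync.example status=204
"""

if __name__ == "__main__":
    found = detect_fronting(SAMPLE_LOG.splitlines())
    for client, sni, host in found:
        print(f"{client}: SNI {sni} but Host {host}")
    print(clients_by_hits(found))
```

Where the proxy does not terminate TLS it only sees the SNI, and this rule cannot fire; in that case the remaining signals are beaconing cadence and the fact that a chatbot front-end has no reason to talk to an edge it does not own.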
Infection Mechanism and Data Exfiltration
The malware deployment begins with convincing app store listings featuring polished graphics and descriptions promising enhanced ChatGPT functionality.
Upon installation, malicious applications request extensive permissions including SMS access, contact databases, call logs, and account credentials.
These requests appear legitimate, masking true surveillance capabilities. Analysis revealed code obfuscation using the Ijiami packer to encrypt malicious payloads.
Decompiled packages contained folders labeled “secondary-program-dex-jars” housing executables that decrypt after installation—characteristic trojan loader signatures.
The malware maintains persistence through embedded native libraries ensuring background execution continues after users close the interface.
Network logs demonstrated systematic exfiltration targeting one-time passwords, banking verification codes, and address book contents.
Stolen credentials enable attackers to intercept multi-factor authentication and infiltrate corporate systems. Researchers noted these techniques parallel established spyware families including Triout and AndroRAT.
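The traits listed in this section (a surveillance-grade permission set on a chatbot front-end, a "secondary-program-dex-jars" folder holding payloads that are decrypted after install, and bundled native libraries) can be checked statically before an APK is ever run. The script below is an added example and is not code from the article or from Appknox: it opens an APK as the ZIP archive it is, combines the entry names with a permission list obtained separately (for instance from `aapt dump permissions`), and produces a simple triage verdict. The in-memory sample APK, the permission set and the scoring thresholds are constructed for the demonstration.

```python
"""Static triage of an Android package for the loader and surveillance
traits described above.

Added example, not from the article or the Appknox research. The sample
APK built in memory, the permission list and the score thresholds are
constructed for this demonstration; the folder name LOADER_FOLDER is the
one reported in the research.
"""
import io
import zipfile

# Permissions a chat front-end has no reason to hold; together they enable
# the OTP interception and contact theft described in the research.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.GET_ACCOUNTS",
}
LOADER_FOLDER = "secondary-program-dex-jars"  # folder name reported on the page
PAYLOAD_EXTENSIONS = (".jar", ".dex", ".zip", ".dat")


def triage_entries(entries):
    """Inspect ZIP entry names and collect loader-related findings."""
    findings = {"loader_folder": [], "native_libs": [], "hidden_payloads": []}
    for name in entries:
        lower = name.lower()
        if LOADER_FOLDER in lower:
            findings["loader_folder"].append(name)
        if lower.startswith("lib/") and lower.endswith(".so"):
            findings["native_libs"].append(name)
        # Code-like files staged under assets/ are what a loader decrypts later.
        if lower.startswith("assets/") and lower.endswith(PAYLOAD_EXTENSIONS):
            findings["hidden_payloads"].append(name)
    return findings


def triage_permissions(permissions):
    """Return the requested permissions that fall in the sensitive set."""
    return sorted(SENSITIVE_PERMISSIONS & set(permissions))


def score(apk_bytes, permissions):
    """Open an APK (bytes) and turn entry and permission findings into a
    verdict. Thresholds are illustrative; tune them against known samples."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        findings = triage_entries(zf.namelist())
    findings["sensitive_permissions"] = triage_permissions(permissions)
    points = 0
    if findings["loader_folder"]:
        points += 3  # the strongest single trait named in the research
    if findings["hidden_payloads"]:
        points += 1
    if findings["native_libs"] and findings["loader_folder"]:
        points += 1  # native code alongside a loader: possible persistence helper
    points += min(len(findings["sensitive_permissions"]), 3)
    findings["score"] = points
    if points >= 4:
        findings["verdict"] = "suspicious"
    elif points:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "clean"
    return findings


def build_sample_apk(malicious):
    """Construct a minimal APK-shaped ZIP in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"placeholder")
        zf.writestr("classes.dex", b"placeholder")
        if malicious:
            zf.writestr("assets/secondary-program-dex-jars/payload.jar", b"\x00")
            zf.writestr("lib/arm64-v8a/libhelper.so", b"\x7fELF")
    return buf.getvalue()


# Constructed permission lists for the two sample packages.
CHATBOT_PERMS = ["android.permission.INTERNET"]
SPY_PERMS = CHATBOT_PERMS + [
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.GET_ACCOUNTS",
]

if __name__ == "__main__":
    for label, mal, perms in (("clean", False, CHATBOT_PERMS), ("clone", True, SPY_PERMS)):
        print(label, score(build_sample_apk(mal), perms))
```

Entry-name checks are cheap and survive packing, because the packer has to leave its loader folder and the encrypted payload in the archive; what they cannot tell you is what the payload does once decrypted, which is where dynamic analysis and the network rule for domain fronting take over.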