Hackers clone ChatGPT to steal credentials, push Windows and Android malware

Following a familiar pattern, hackers are now exploiting ChatGPT’s popularity to spread Windows and Android malware, redirect users to phishing pages and attempt to steal their business credentials. ChatGPT has gained massive popularity since its November 2022 launch, prompting OpenAI to introduce a $20/month paid tier.

This has given hackers an opening to target users looking for a way to access the premium version of ChatGPT for free. Security researcher Dominic Alvieri was one of the first to point this out in a tweet, after discovering a URL that infected users with the Redline info-stealing malware under the pretence of downloading a ChatGPT Windows client.

The URL Alvieri found was being promoted by a Facebook page that used official ChatGPT logos to appear more legitimate and trick unsuspecting users into visiting the malicious domain. Alvieri also found fake ChatGPT Android apps on the Google Play Store and third-party Android app stores.

Researchers at Cyble followed up on this finding, uncovering more domains that spread clipboard-stealing malware in addition to the Aurora and Lumma stealers. Other domains included in Cyble’s analysis were distributing unknown malware families and harvesting credit card information under the guise of a payment portal for ChatGPT Plus.

Overall, Cyble found over 50 malicious apps using ChatGPT’s icon and similar naming to compromise victims’ devices. Two prominent examples are ChatGPT1, an SMS billing fraud app, and AI Photo, an app carrying the Spynote malware, which can steal call logs, contact lists, SMS messages and files.

A fake ChatGPT website offering a Windows client that infects users with the Fobo trojan. | Source: Kaspersky

Finally, a report from Kaspersky highlights another campaign that uses social media impersonation and tactics similar to those described by Cyble and Alvieri to lure users into signing up for a premium version of ChatGPT, which instead infects them with Fobo, another info-stealing trojan.

The trojan looks for business account credentials and can be used for follow-up attacks on larger-scale organisations. According to Kaspersky, this campaign has already spread to the Americas, Africa, Asia and Europe. 

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018.