These Apps Known as Fleeceware Take Advantage of App Store Policy Loopholes and Coercive Tactics to Overcharge Users for AI Assistants
Sophos has uncovered multiple apps masquerading as legitimate, ChatGPT-based chatbots to overcharge users and bring in thousands of dollars a month. As detailed in Sophos X-Ops’ latest report, “’FleeceGPT’ Mobile Apps Target AI-Curious to Rake in Cash,” these apps have popped up in both the Google Play and Apple App Store, and, because the free versions have near-zero functionality and constant ads, they coerce unsuspecting users into signing up for a subscription that can cost hundreds of dollars a year.
“Scammers have and always will use the latest trends or technology to line their pockets.” ChatGPT is no exception. Amid high interest in AI and chatbots, users are increasingly relying on the Apple App and Google Play Stores to find ChatGPT-like apps. Exploiting this trend, scam apps labeled as ‘fleeceware’ bombard users with ads until they subscribe. These apps are intentionally designed to become useless after the free trial, leading users to unknowingly continue paying for a subscription even after deleting the app. Sean Gallagher, principal threat researcher at Sophos, highlights the risk associated with users disregarding the cost or forgetting about their subscriptions.
In total, Sophos X-Ops investigated five of these ChatGPT fleeceware apps, all of which claimed to be based on ChatGPT’s algorithm. In some cases, as with the app “Chat GBT,” the developers played off the ChatGPT name to improve their app’s ranking in the Google Play or App Store. While OpenAI offers the basic functionality of ChatGPT to users for free online, these apps were charging anything from $10 a month to $70 a year. The iOS version of “Chat GBT,” called Ask AI Assistant, charges $6 a week (or $312 a year) after the three-day free trial; it netted the developers $10,000 in March alone. Another fleeceware-like app, called Genie, which encourages users to sign up for a $7 weekly or $70 annual subscription, brought in $1 million over the past month.
The key characteristics of so-called fleeceware apps, first discovered by Sophos in 2019, are overcharging users for functionality that is already available for free elsewhere, and using social engineering and coercive tactics to convince users to sign up for a recurring subscription payment. The apps typically offer a free trial, but numerous ads and restrictions make them barely usable until the user pays for a subscription. These apps are often poorly written and implemented, so functionality remains suboptimal even after users move to the paid version. Additionally, the developers inflate their app store ratings by using fake reviews and by persistently prompting users to rate the app before they have even used it or before the free trial ends.
“Fleeceware apps push the boundaries of Google and Apple’s service guidelines while avoiding security and privacy violations, allowing them to pass through the review process with minimal rejections. Despite efforts by Google and Apple to combat fleeceware since 2019, developers have found loopholes, such as limiting app functionality unless users pay. While some ChatGPT-related fleeceware apps mentioned in this report have been removed, new ones continue to emerge, indicating the likelihood of more appearing. The key defense against fleeceware is user education. Users should be aware of these apps and carefully read subscription details. Reporting unethical developers to Apple and Google is also recommended,” stated Gallagher.
We have reported all the apps included in the report to Apple and Google. Users who have already downloaded these apps should follow the App Store’s or Google Play’s guidelines on how to unsubscribe. Simply deleting the fleeceware app does not cancel the subscription.