A recent phishing campaign has emerged, targeting iPhone users by impersonating trusted AI brands: ChatGPT by OpenAI and Google’s Gemini. The attackers send fraudulent emails to trick recipients into downloading counterfeit applications from Apple’s App Store.
Deceptive Tactics in Phishing Emails
This operation distinguishes itself by exploiting the credibility of well-known AI platforms. The malicious apps are not merely disguised as random utilities; they are wrapped in the guise of professional tools used by millions daily. Once downloaded, these applications harvest Facebook login credentials from unsuspecting users.
The attack begins with emails crafted to mimic official communications from ChatGPT or Gemini. These messages, aimed at business users and marketers, present the fake apps as tools for advertising management or AI-powered business solutions.
Exploiting Trust in the App Store
The emails contain direct links to listings on Apple’s App Store, a platform users inherently trust. This trust is crucial to the campaign’s success, as few people question an app that appears properly listed on an official platform. SpiderLabs analysts uncovered two fraudulent apps: GeminiAI Advertising (id6759005662) and Ads GPT (id6759514534), both hosted in the Australian App Store.
Upon launching these apps, users are met not with AI functionalities but with a fake Facebook login screen, prompting them to enter their credentials. The attackers bypass genuine onboarding processes, creating a seamless illusion of legitimacy.
Implications of the Credential Theft
This campaign marks a notable shift in tactics among threat actors, who now infiltrate official marketplaces rather than relying on fake websites or malicious attachments. The appearance of these apps on Apple’s platform, even briefly, underscores the challenges of vetting every application in large-scale digital distribution systems.
The phishing scheme relies on a chain of trust established before users even open the fake apps. Emails purporting to be from recognized AI platforms set expectations of legitimacy, leading victims through multiple credibility checkpoints.
Protecting Against Phishing Attacks
Users receiving unsolicited emails promoting AI apps should verify the sender’s actual email address instead of relying solely on the display name. Checking developer names, reading user reviews, and scrutinizing app descriptions can reveal potential fraud. Enabling two-factor authentication on social media accounts adds a layer of protection.
Organizations should promote awareness of such phishing campaigns, encouraging employees to report suspicious emails, regardless of the impersonated brand’s familiarity.
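For teams triaging reported emails, the sender check and App Store link review described above can be scripted. The following is an added example, not code from the original article or from SpiderLabs; the brand-to-domain allowlist, the `triage` function name and the sample message are assumptions, while the two App Store IDs are the ones reported above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# App Store IDs reported in the article (GeminiAI Advertising, Ads GPT).
REPORTED_APP_IDS = {"6759005662", "6759514534"}
# Assumption: brand keywords and the sender domains treated as legitimate.
BRAND_DOMAINS = {
    "chatgpt": {"openai.com"},
    "openai": {"openai.com"},
    "gemini": {"google.com"},
}
APP_LINK = re.compile(r"https?://apps\.apple\.com/\S*?/id(\d+)", re.I)

def triage(raw_email: str) -> dict:
    """Flag display-name brand mismatches and App Store links in one message."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # A brand named in the display name must come from that brand's domain.
    spoofed = sorted(
        brand for brand, allowed in BRAND_DOMAINS.items()
        if brand in display.lower()
        and not any(domain == d or domain.endswith("." + d) for d in allowed)
    )
    body = "\n".join(
        part.get_payload(decode=True).decode(errors="replace")
        for part in msg.walk()
        if part.get_content_maintype() == "text"
    )
    ids = set(APP_LINK.findall(body))
    return {
        "sender_domain": domain,
        "display_name_mismatch": spoofed,
        "app_store_ids": sorted(ids),
        "reported_ids": sorted(ids & REPORTED_APP_IDS),
    }

# Constructed sample message (sender address and URL path are made up).
SAMPLE = """\
From: "ChatGPT Ads Team" <notify@mail-promo.example>
Subject: Manage your ad campaigns with AI
Content-Type: text/plain; charset=utf-8

Install here: https://apps.apple.com/au/app/ads-gpt/id6759514534
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A non-empty `display_name_mismatch` or `reported_ids` is a reason to escalate the message; an empty result does not prove the email is legitimate.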
