Cybercriminals are increasingly targeting Android users through a sophisticated phishing campaign that masquerades as app-testing invitations for popular AI tools like ChatGPT and Meta advertising applications. This scheme, aimed at stealing Facebook credentials, highlights the growing trend of exploiting trusted AI brands to distribute malware on mobile devices.
Phishing Scheme Details
The attack commences with an email invitation that seems legitimate, sent from [email protected], a genuine address associated with Google’s Firebase App Distribution service. This platform is typically used by developers to share pre-release app builds with testers, making the invitation appear credible to recipients.
These emails prompt users to test early-access versions of ChatGPT and Meta advertising apps for Android. Upon clicking the invite, users unknowingly install malicious APK files from outside the Google Play Store, putting their devices at risk.
Cross-Platform Targeting
Researchers at SpiderLabs identified this Android-targeted campaign as an extension of a previous phishing operation that targeted iOS users by impersonating ChatGPT and Google Gemini. The current attack is a coordinated effort to deceive mobile users across different platforms globally, leveraging similar tactics to reach a vast audience.
The campaign, which came to light in March 2026, uses deceptive package names like com.OpenAIGPTAds and com.meta.adsmanager to mask its malicious intent. Once installed, these apps mimic Facebook login pages to capture user credentials, allowing attackers to gain unauthorized access to Facebook business accounts.
Firebase as a Malware Delivery Channel
A notable aspect of this campaign is its use of Firebase App Distribution as a conduit for malware. This service, intended for legitimate app testing, is exploited by attackers who take advantage of testers’ trust in Google’s infrastructure. The emails mimic authentic developer invites, making it difficult for recipients to detect the scam.
Since the emails originate from a trusted Google address and the apps are distributed through Google’s system, users and spam filters are less likely to suspect malicious intent. This method bypasses Google Play Store’s security checks, allowing the malware to be installed without scrutiny.
Security teams have also flagged several domains linked to the campaign, including thcsmyxa-nd[.]com and moitasec[.]com, advising immediate blocking to prevent potential breaches.
Protective Measures for Users
To safeguard against such threats, Android users should be cautious of unsolicited app-testing invites, even those appearing to be from Google. Applications should only be downloaded from the official Google Play Store, and users should avoid entering Facebook credentials in unverified apps.
Network administrators are advised to block the identified malicious domains, and organizations should educate their members on this prevalent form of social engineering. Remaining vigilant against these threats is crucial for maintaining mobile security.
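As an added example (not part of the original report), the script below shows how a defender might act on the two indicator types the article gives: the defanged domains thcsmyxa-nd[.]com and moitasec[.]com, and the package names com.OpenAIGPTAds and com.meta.adsmanager. It refangs the domains, then scans a small set of constructed log lines in dnsmasq-style DNS query format and Android PackageManager logcat format for exact or subdomain matches. The log formats, hosts and client addresses are assumptions made for the example, not data from the campaign.

```python
import re
from typing import Iterable, Optional

# Indicators quoted in the article, kept in the defanged form they were published in.
DEFANGED_DOMAINS = ["thcsmyxa-nd[.]com", "moitasec[.]com"]
PACKAGE_NAMES = ["com.OpenAIGPTAds", "com.meta.adsmanager"]

# Constructed sample log lines (not real traffic): dnsmasq-style DNS queries
# from a gateway, followed by Android PackageManager lines as pulled via logcat.
SAMPLE_LOG = """\
Mar 12 10:01:02 gw dnsmasq[811]: query[A] www.google.com from 10.0.0.5
Mar 12 10:01:07 gw dnsmasq[811]: query[A] login.thcsmyxa-nd.com from 10.0.0.5
Mar 12 10:01:09 gw dnsmasq[811]: query[AAAA] MOITASEC.COM. from 10.0.0.9
Mar 12 10:01:11 gw dnsmasq[811]: query[A] notmoitasec.com from 10.0.0.9
03-12 10:02:15.003 I/PackageManager: Package com.OpenAIGPTAds installed for user 0
03-12 10:02:40.120 I/PackageManager: Package com.android.chrome updated
"""

DNS_QUERY = re.compile(r"query\[[A-Z]+\]\s+(\S+)\s+from\s+(\S+)")
PKG_INSTALL = re.compile(r"PackageManager:\s+Package\s+(\S+)\s+installed")


def refang(indicator: str) -> str:
    """Turn a defanged domain such as 'example[.]com' back into 'example.com'."""
    return indicator.replace("[.]", ".")


def host_matches(host: str, blocked: Iterable[str]) -> Optional[str]:
    """Return the blocked domain that host equals or is a subdomain of, else None.

    Matching is case-insensitive, ignores a trailing dot (FQDN form), and only
    accepts a label boundary, so 'notmoitasec.com' does not match 'moitasec.com'.
    """
    h = host.lower().rstrip(".")
    for d in blocked:
        d = d.lower()
        if h == d or h.endswith("." + d):
            return d
    return None


def scan_log(text: str, defanged_domains=DEFANGED_DOMAINS, packages=PACKAGE_NAMES):
    """Scan log text; return one dict per line that touches a known indicator."""
    blocked = [refang(d) for d in defanged_domains]
    pkgs = {p.lower() for p in packages}
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = DNS_QUERY.search(line)
        if m:
            host, client = m.groups()
            d = host_matches(host, blocked)
            if d:
                hits.append({"line": n, "kind": "dns", "indicator": d,
                             "host": host.rstrip("."), "client": client})
            continue
        m = PKG_INSTALL.search(line)
        if m and m.group(1).lower() in pkgs:
            hits.append({"line": n, "kind": "package", "indicator": m.group(1),
                         "host": None, "client": None})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The subdomain check matters because the report gives bare apex domains while phishing pages usually sit on a hostname beneath them; a blocklist entry for the apex should therefore be applied with the same label-boundary logic on the resolver or proxy.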
