Fake ChatGPT Android Apps Deploy Malware, Steal Facebook Credentials
Key Takeaways
- Cybercriminals are deploying fake Android applications disguised as beta versions of ChatGPT and Meta advertising tools.
- These malicious apps are distributed via legitimate Google Firebase App Distribution emails, bypassing typical security red flags.
- The campaign aims to steal Facebook credentials by presenting a fake login page, enabling account takeover for fraudulent ad campaigns or data theft.
- This Android operation follows a similar iOS campaign, indicating a coordinated, cross-platform attack strategy.
Sophisticated Phishing Campaign Targets Android Users via Fake AI Apps
Cybersecurity researchers have uncovered a cunning phishing campaign primarily targeting Android users with deceptive applications masquerading as beta versions of popular artificial intelligence platforms. These malicious apps, posing as early access builds for tools like ChatGPT and Meta advertising applications, are designed to harvest sensitive Facebook credentials.
The operation, identified by SpiderLabs analysts at LevelBlue, represents a direct continuation of an earlier campaign that targeted iOS users. In that previous iteration, attackers leveraged fake ChatGPT and Google Gemini applications to compromise Apple devices, distributing them through the App Store. The shift to Android indicates a broader, cross-platform strategy by threat actors to maximize their reach among mobile users globally.
The campaign first gained public attention in late March 2026. Malicious package names associated with this operation include com.OpenAIGPTAds, com.opengpt.ads, and com.meta.adsmanager. These identifiers are carefully crafted to mimic legitimate naming conventions for AI-driven advertising tools, making their authenticity difficult to dispute without close scrutiny.
Upon installation, the fraudulent applications present a highly convincing replica of a Facebook login page, prompting users to enter their credentials. The ultimate objective is account takeover, granting attackers unauthorized access to Facebook business and advertising accounts, which can then be exploited for illicit ad campaigns or extensive data exfiltration.
Firebase App Distribution Exploited for Malware Delivery
A critical and technically sophisticated element of this campaign is the abuse of Google’s Firebase App Distribution service as a primary malware delivery channel. Firebase App Distribution is a legitimate Google service designed to allow developers to distribute pre-release versions of their applications to a select group of testers.
Attackers exploit the inherent trust users place in these systems. The phishing emails are indistinguishable from genuine developer invitations because they are sent by the Firebase App Distribution service itself, from Google's own legitimate sender address. This tactic effectively bypasses the common red flags users are trained to look for, such as suspicious sender addresses or unofficial download links.
Because the app delivery is routed through Google’s own infrastructure, conventional email spam filters and a user’s natural caution are unlikely to be triggered. Furthermore, since these applications are installed outside the official Google Play Store, they completely circumvent Google’s stringent review processes, allowing malicious functionalities to reach devices unchecked.
SpiderLabs researchers have also pinpointed several malicious email domains actively supporting this campaign. These include thcsmyxa-nd[.]com, moitasec[.]com, tourmini[.]site, ocngongiare[.]com, disanviet[.]homes, and itrekker[.]space. These domains should be considered active indicators of compromise and blocked immediately at the network level.
What You Should Do
- Exercise Extreme Caution: Treat any unsolicited app-testing invitations with skepticism, even if they appear to originate from trusted sources like Google.
- Download Only from Official Stores: Always download applications exclusively from the official Google Play Store. Avoid installing APKs from third-party websites or direct links in emails.
- Verify Login Prompts: Never enter sensitive credentials, such as Facebook login details, into an application that was not downloaded through a verified, official channel.
- Block Malicious Domains: Network administrators and security teams should immediately block the identified malicious domains (thcsmyxa-nd[.]com, moitasec[.]com, tourmini[.]site, ocngongiare[.]com, disanviet[.]homes, itrekker[.]space) at the network level.
- Educate Staff: Organizations must ensure their employees are fully aware of this specific social engineering tactic and the risks associated with unofficial app installations and phishing attempts.
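As an added defender-side example (not code from the article or from the LevelBlue report), the following Python refangs the domains listed above, checks hostnames from DNS logs against them (including subdomains), and flags installs of the named malicious packages. The log lines are constructed and their key=value format is an assumption.

```python
import re

# Indicators as quoted in the article (defanged with "[.]" so they are not clickable).
DEFANGED_DOMAINS = [
    "thcsmyxa-nd[.]com", "moitasec[.]com", "tourmini[.]site",
    "ocngongiare[.]com", "disanviet[.]homes", "itrekker[.]space",
]
# Android package names named in the article; package names are case-sensitive.
MALICIOUS_PACKAGES = {"com.OpenAIGPTAds", "com.opengpt.ads", "com.meta.adsmanager"}


def refang(domain: str) -> str:
    """Turn a defanged indicator ("example[.]com") back into a real hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower()


BLOCKLIST = {refang(d) for d in DEFANGED_DOMAINS}


def host_matches(host: str) -> bool:
    """True if host is a listed domain or any subdomain of one (trailing dot tolerated)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST)


# Constructed sample log lines (not from the report): a DNS resolver log and an
# Android package-install log, both in an assumed simplified key=value format.
SAMPLE_LOGS = [
    "2026-03-28T09:12:01Z dns client=10.0.4.17 query=mail.moitasec.com type=A",
    "2026-03-28T09:12:05Z dns client=10.0.4.17 query=www.google.com type=A",
    "2026-03-28T09:13:44Z pkg device=pixel-7 action=install package=com.opengpt.ads source=sideload",
    "2026-03-28T09:14:02Z pkg device=pixel-7 action=install package=com.android.chrome source=play",
    "2026-03-28T09:15:30Z dns client=10.0.4.22 query=itrekker.space. type=AAAA",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def scan_logs(lines):
    """Return (line, reason) pairs for every line that touches a known indicator."""
    hits = []
    for line in lines:
        fields = dict(FIELD_RE.findall(line))
        if host_matches(fields.get("query", "")):
            hits.append((line, f"dns-blocklist:{fields['query']}"))
        if fields.get("package") in MALICIOUS_PACKAGES:
            hits.append((line, f"malicious-package:{fields['package']}"))
    return hits


if __name__ == "__main__":
    for line, reason in scan_logs(SAMPLE_LOGS):
        print(f"ALERT [{reason}] {line}")
```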
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.