Fake ChatGPT Invites Target Android Users With Malware

Cybercriminals are running a phishing campaign that disguises malicious Android apps as beta‑testing opportunities for ChatGPT and Meta advertising tools. What looks like a legitimate app‑testing invitation is actually a scheme to steal Facebook credentials and hijack accounts.

How the Attack Works

  • Phishing emails: Sent from firebase-noreply@google.com, the genuine Google Firebase App Distribution sender, so the messages pass the usual sender checks.
  • Deceptive invites: Recipients are invited to test early‑access versions of ChatGPT or Meta advertising apps.
  • Malicious APKs: The invite leads to a Firebase App Distribution download page, and the APK is sideloaded outside the Play Store, so it never goes through Google’s Play review.
  • Credential theft: Once installed, the apps present a fake Facebook login page and capture the username and password entered into it.
  • Targets: Facebook business and advertising accounts, which attackers can use to run unauthorized ad campaigns or commit broader fraud.

Campaign Details

  • Cross‑platform operation: Builds on earlier iOS phishing campaigns that impersonated ChatGPT and Google Gemini.
  • Malicious package names: com.OpenAIGPTAds, com.opengpt.ads, com.meta.adsmanager.
  • Supporting domains: Attack infrastructure includes thcsmyxa-nd[.]com, moitasec[.]com, tourmini[.]site, ocngongiare[.]com, disanviet[.]homes, and itrekker[.]space.
  • Delivery pipeline: Abuses the trust placed in Firebase App Distribution; because the email really is sent by Google, it is indistinguishable from a genuine developer invite.

Why This Matters

  • Trusted brands exploited: Attackers borrow the popularity of AI tools such as ChatGPT to build credibility.
  • Trusted infrastructure abused: Sending the invites through Google’s own Firebase service sidesteps common red flags such as a suspicious sender address or a failed email authentication check.
  • Business risk: A compromised Facebook advertising account carries a linked payment method and audience data, so it can be turned into large‑scale fraud quickly.

Defensive Recommendations

  • Download only from the Play Store: Avoid sideloading APKs from email links; on managed devices, use device policy to block installation from unknown sources.
  • Verify invites: Treat unsolicited app‑testing invitations with caution, even when they genuinely come from Google; the Firebase sender only proves that someone created a Firebase project, not who they are. Confirm the invite with the developer through a separate channel.
  • Block malicious domains: Security teams should block the identified domains at DNS and web proxies, and hunt managed Android devices for the listed package names.
  • Educate staff: Train employees, especially those who administer ad accounts, to recognize phishing that trades on trusted brands.
  • Credential hygiene: Never enter Facebook credentials into an unverified app. Enable two‑factor authentication on Facebook business accounts, and if credentials were entered, reset the password and review active sessions, Business Manager users, and recent ad activity.
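The "Campaign Details" indicators and the "Block malicious domains" recommendation above lend themselves to a small hunting script. The following is an added example, not code from the original article or from the researchers who reported the campaign: it refangs the published domains, checks DNS query logs for the domains and their subdomains, and checks an Android package inventory (in the `package:com.foo` form printed by `adb shell pm list packages`) for the three package names. The DNS log format and all sample lines are constructed for illustration; adapt the parsers to your own MDM or resolver export.

```python
"""Hunt for the indicators published in the article in Android package inventories
and DNS query logs. Added example; the log format and sample data are assumptions."""
import re
from typing import List, Optional, Tuple

# Indicators exactly as listed in the article. Domains are kept defanged ([.]).
IOC_PACKAGES = {"com.OpenAIGPTAds", "com.opengpt.ads", "com.meta.adsmanager"}
IOC_DOMAINS_DEFANGED = [
    "thcsmyxa-nd[.]com", "moitasec[.]com", "tourmini[.]site",
    "ocngongiare[.]com", "disanviet[.]homes", "itrekker[.]space",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def domain_matches(hostname: str) -> Optional[str]:
    """Return the IOC domain that hostname equals or is a subdomain of, else None.
    A trailing dot (FQDN form in many resolver logs) is ignored; 'notmoitasec.com'
    must not match 'moitasec.com', hence the explicit '.' + ioc suffix check."""
    host = hostname.strip().lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_package_inventory(lines: List[str]) -> List[str]:
    """Match 'package:<name>' lines (the output of `adb shell pm list packages`)
    against the IOC package names, case-insensitively, since Android package
    names are case-sensitive but the published list mixes cases."""
    wanted = {p.lower() for p in IOC_PACKAGES}
    hits = []
    for line in lines:
        pkg = line.strip()
        if pkg.startswith("package:"):
            pkg = pkg[len("package:"):]
        if pkg.lower() in wanted:
            hits.append(pkg)
    return hits


# Assumed resolver log format: "<timestamp> <client-ip> query <qname>".
DNS_LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)")


def scan_dns_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, queried name, matched IOC) for every query that resolves a
    listed domain or one of its subdomains. Unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line)
        if not m:
            continue
        ioc = domain_matches(m.group("qname"))
        if ioc:
            hits.append((m.group("client"), m.group("qname"), ioc))
    return hits


# Constructed sample data, not real telemetry.
SAMPLE_PACKAGES = [
    "package:com.android.chrome",
    "package:com.example.adsmanager",     # similar name, not in the IOC list
    "package:com.OpenAIGPTAds",
    "package:com.META.adsmanager",        # case differs; still an IOC hit
]
SAMPLE_DNS = [
    "2024-05-01T10:00:01Z 10.0.0.12 query play.google.com",
    "2024-05-01T10:00:02Z 10.0.0.12 query cdn.tourmini.site",
    "2024-05-01T10:00:03Z 10.0.0.27 query moitasec.com.",
    "2024-05-01T10:00:04Z 10.0.0.27 query notmoitasec.com",   # must not match
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for pkg in scan_package_inventory(SAMPLE_PACKAGES):
        print(f"IOC package installed: {pkg}")
    for client, qname, ioc in scan_dns_log(SAMPLE_DNS):
        print(f"IOC domain lookup from {client}: {qname} (matches {ioc})")
```

Matching on the package names and domains, rather than on the sender address, is deliberate: the emails come from Google and will pass SPF, DKIM and DMARC, so a sender-based rule would either miss the campaign or block every legitimate Firebase invite. Expect the domain list to rotate; the package names and the Firebase-invite-to-sideloaded-APK pattern are the more durable signal.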

Final Thought

This campaign shows how attackers are evolving: they blend social engineering with trusted infrastructure to get past user skepticism. For Android users and organizations alike, vigilance is key. If an app invite does not arrive through a channel you expected and can verify, it is safer to assume it is a trap.
