Cybercriminals are actively targeting Android users with a sophisticated phishing campaign that exploits the popularity of AI tools like ChatGPT. These malicious actors are distributing malware disguised as beta-testing invitations for ChatGPT and Meta advertising apps, aiming to steal Facebook credentials and gain complete control over user accounts. This tactic highlights a concerning trend of threat actors leveraging the trust placed in prominent AI brands to deliver malware onto mobile devices.
The attack begins with seemingly legitimate invitation emails sent from a genuine Google Firebase App Distribution address. This platform is commonly used by developers to share pre-release app versions, making the emails appear authorized and trustworthy. Clicking on the provided links leads users to download malicious APK files outside the official Google Play Store, bypassing standard security checks.
Hackers Exploit Trust with Fake ChatGPT and Meta App Invites
Security researchers from SpiderLabs at LevelBlue have identified this campaign as a continuation of a previous operation that targeted iOS users by impersonating ChatGPT and Google Gemini via the App Store. The current campaign focuses on Android, indicating a coordinated, cross-platform effort to maximize its reach among global mobile users. The observed malicious package names, such as `com.OpenAIGPTAds`, `com.opengpt.ads`, and `com.meta.adsmanager`, are designed to mimic legitimate advertising tools, making them harder to detect without close inspection.
Once installed, these fake applications present a convincing Facebook login page. The ultimate objective is to capture user credentials, which can then be used to take over Facebook business and advertising accounts. This could lead to unauthorized ad campaigns or broader data theft, causing significant financial and reputational damage to individuals and businesses.
How Firebase App Distribution Becomes the Attack Pipeline
A key technical aspect of this campaign is its exploitation of Google’s Firebase App Distribution service. This service is intended for developers to distribute early versions of their apps to a controlled group of testers. Threat actors are abusing this trust by sending phishing emails that are virtually indistinguishable from legitimate developer invitations. The use of a legitimate Google sender address and distribution channel circumvents common security red flags, such as suspicious sender emails or unofficial download links.
Because the apps are distributed outside of the Google Play Store, they bypass the platform’s review process, allowing malicious code to reach user devices undetected. This method preys on users’ familiarity with app testing programs and their trust in established technology companies.
SpiderLabs has identified several malicious email domains actively involved in this campaign, including `thcsmyxa-nd[.]com`, `moitasec[.]com`, `tourmini[.]site`, `ocngongiare[.]com`, `disanviet[.]homes`, and `itrekker[.]space`. These domains should be considered indicators of compromise, and network administrators are advised to block them immediately to prevent further infections.
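The blocking advice above can be turned into a simple detection pass over mail and proxy logs. The script below is an added example, not from the article or SpiderLabs: it refangs the published domains, flags hosts that match them (including subdomains) and flags installs of the package names named earlier; the log format and the sample lines are constructed for illustration.

```python
import re

# Indicators published in the article, kept in defanged form ("[.]" for ".").
DEFANGED_DOMAINS = [
    "thcsmyxa-nd[.]com", "moitasec[.]com", "tourmini[.]site",
    "ocngongiare[.]com", "disanviet[.]homes", "itrekker[.]space",
]
# Package names the article reports for the fake apps.
BAD_PACKAGES = {"com.OpenAIGPTAds", "com.opengpt.ads", "com.meta.adsmanager"}

def refang(indicator: str) -> str:
    """Turn a defanged indicator ("example[.]com") back into a matchable domain."""
    return indicator.replace("[.]", ".").lower()

BAD_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

def domain_matches(host: str) -> bool:
    """True if host is a listed domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)

# Hostnames after a URL scheme or an "@" in a sender address; Android package ids.
HOST_RE = re.compile(r"(?:https?://|@)([a-z0-9.-]+\.[a-z]{2,})", re.I)
PKG_RE = re.compile(r"\b(com\.[A-Za-z0-9_.]+)\b")

def scan_line(line: str) -> list:
    """Return the indicators found in one log line (empty list if clean)."""
    hits = [h.lower() for h in HOST_RE.findall(line) if domain_matches(h)]
    hits += [p for p in PKG_RE.findall(line) if p in BAD_PACKAGES]
    return hits

def scan_log(lines) -> dict:
    """Map 1-based line numbers to the indicators found on that line."""
    return {i: hits for i, line in enumerate(lines, 1) if (hits := scan_line(line))}

# Constructed sample lines (hypothetical format, not real traffic).
SAMPLE_LOG = [
    "2024-01-01T10:00:01 mail from=invite@mail.moitasec.com subject='ChatGPT beta invite'",
    "2024-01-01T10:00:05 proxy GET https://appdistribution.firebase.google.com/ user=alice",
    "2024-01-01T10:00:09 proxy GET https://tourmini.site/dl/app.apk user=alice",
    "2024-01-01T10:01:00 device install pkg=com.meta.adsmanager user=alice",
    "2024-01-01T10:02:00 device install pkg=com.example.notes user=bob",
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(hits)}")
```

Note that a hit on the Firebase sender address alone is not an indicator here, since the campaign deliberately uses the legitimate Google channel; the match has to be on the attacker-controlled domains or the dropped package.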
Android users should exercise extreme caution with any unsolicited app-testing invitations, even those appearing to originate from Google. The safest practice is to download applications exclusively from the official Google Play Store. Users should refrain from entering Facebook credentials into any app that was not downloaded through a trusted and verified channel. Organizations should prioritize educating their staff about these social engineering tactics and ensure their security protocols are updated to address such evolving threats.