Several fake ChatGPT clone apps have surfaced on the official iOS and Play Stores, collecting user data and sending it to remote servers.
On Android devices, one of the apps analyzed by researchers has more than 100,000 downloads and tracks and shares location data with third parties, including ByteDance and Amazon.
ChatGPT, the AI software, has already taken the Internet by storm, and that is why cybercriminals are looking to exploit the opportunity for malicious purposes. But the bigger question is, does ChatGPT have official apps for iOS or Play Store? Short answer: No, but we asked ChatGPT about it.
For your information, Chat Generative Pre-Trained Transformer, aka ChatGPT, is a chatbot launched in November 2022 by OpenAI. It is part of OpenAI’s GPT-3 family of language models and is compatible with both reinforcement and supervised learning techniques.
According to Top10VPN, unofficial clones and fake apps of the ChatGPT chatbot appear on both the Apple App Store and Google Play Store when users search for the term “ChatGPT.”
The researchers analyzed the ten highest-ranking apps, most of which relied on the new ChatGPT-3 technology. They used open-source tools, such as mitmproxy, to examine network traffic in their testing environment and detect risky functionalities in the Android apps’ code.
Moreover, they also analyzed the clone apps’ privacy policies and store pages to understand each app’s data collection and sharing policies.
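The traffic inspection described above can be approximated offline once requests have been captured through an intercepting proxy such as mitmproxy. The following is an added example, not code from Top10VPN or from the original article: it groups captured requests by third-party site and flags bodies that carry location or device-fingerprint fields. The record layout, field names, and `.example` hosts are constructed assumptions.

```python
import json
from collections import defaultdict

# Assumed heuristics: JSON key names that suggest each data category.
CATEGORIES = {
    "location": {"lat", "lon", "latitude", "longitude"},
    "fingerprint": {"screen_width", "screen_height", "carrier", "device_model"},
}

# Constructed sample: (seconds, host, request body) rows as exported from a proxy.
SAMPLE_FLOWS = [
    (0.0, "api.chatclone.example", '{"prompt": "hello"}'),
    (1.2, "ads.tracker-a.example", '{"device": {"screen_width": 1080, "carrier": "ExampleTel"}}'),
    (2.5, "geo.tracker-b.example", '{"lat": 51.5, "lon": -0.12}'),
    (3.1, "ads.tracker-a.example", '{"events": [{"device_model": "constructed"}]}'),
    (4.0, "cdn.tracker-b.example", "not json"),
]

def keys_in(obj):
    """Yield every (lowercased) key in a nested JSON structure."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield key.lower()
            yield from keys_in(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from keys_in(item)

def site(host):
    """Naive registrable domain: last two labels, no public-suffix handling."""
    return ".".join(host.lower().split(".")[-2:])

def audit(flows, first_party):
    """Return {third_party_site: {"requests": n, "categories": set}}."""
    report = defaultdict(lambda: {"requests": 0, "categories": set()})
    for _ts, host, body in flows:
        if site(host) == site(first_party):
            continue
        entry = report[site(host)]
        entry["requests"] += 1
        try:
            keys = set(keys_in(json.loads(body)))
        except ValueError:
            continue  # non-JSON body: counted but not inspected
        entry["categories"] |= {c for c, f in CATEGORIES.items() if keys & f}
    return dict(report)

if __name__ == "__main__":
    print(audit(SAMPLE_FLOWS, "api.chatclone.example"))
```

Key-name matching only catches plaintext JSON; form-encoded, compressed, or obfuscated bodies need their own decoding step before this check says anything about them.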
Collecting Android Data
On Android devices, two clone apps collect users’ IP addresses and share them with third parties, whereas one app, identified as ChatGPT AI Writing Assistant with more than 100,000 downloads, tracks location data and shares it with third parties, including ByteDance and Amazon.
Three of these apps ask for permissions that compromise users’ privacy, including permission to record audio, even though in-app speech functions are unavailable.
Moreover, all clone apps contain code with privacy implications for which they lack the relevant permissions, including access to location, camera, photos, videos, and read/write storage.
Furthermore, nine apps exploit OpenAI’s GPT-3 technology, which is currently free, and three apps charge for access. One of the apps offers an ad-free tier. The list of malicious Android apps shared by Top10VPN includes the following:
- AI Chat Companion
- ChatGPT 3: Chat GPT AI
- Open AI Chat Gpt – AI 360
- TalkGPT – Talk to ChatGPT
- Open Chat – AI Chatbot App
- ChatGPT AI Writing Assistant
The full list with in-depth details of how and which data these apps collect is available here.
Collecting iOS data
On iOS devices, the ten top-ranked clone apps collected and shared data with inadequate privacy protections. Two apps logged Q&A content, and five allowed third-party trackers to fingerprint devices.
According to Top10VPN’s report, one app launched more than 300 server requests within four minutes. Seven apps did not follow the data collection practices stated in their official privacy labels. Nine apps exploited OpenAI’s GPT-3 technology, and eight apps charged up to $15,000 per year for access.
The list of malicious iOS apps shared by Top10VPN includes the following:
- Open Chat – AI Chatbot
- Alfred – Chat with GPT 3
- Genie – GPT AI Assistant
- TalkGPT – Talk to ChatGPT
- Chat AI: Personal AI Assistant
- Write For Me GPT AI Assistant
- Wisdom Ai – Your AI Assistant
The full list with in-depth details of how and which data these apps collect is available here.
How do These Apps Threaten User Privacy?
All of the top ten ChatGPT apps in the Google Play Store collected and shared data with poor privacy protections. The apps shared numerous data points about user devices, such as screen size or network operator.
This may appear harmless on its own, but it can be used to fingerprint devices. Though none of these apps have malicious tendencies, one app was found to be sharing data with ByteDance.
Similarly, many apps are charging users to access what is otherwise available for free, which raises ethical concerns. Regarding user data privacy, TalkGPT was the most offensive of all apps, as it tracks users’ precise location data and transfers it to ByteDance, Amazon, Appodeal, AdTech, and InMobi.
It also seeks permission to record audio and collects users’ IP addresses and device fingerprints, which it shares with five third parties, including AdColony, Facebook, Criteo, Everest Technologies, and Google.
In addition, many clone apps mine the personal data of ChatGPT’s user base, which had exceeded one million users within less than a week of its launch.