Phishing Emails Spread Fake ChatGPT & Gemini iOS Apps to Steal Facebook Logins
Cybersecurity researchers at Trustwave SpiderLabs have uncovered a phishing campaign that uses fraudulent emails impersonating popular AI platforms ChatGPT and Google Gemini to trick users into downloading malicious iOS applications designed to harvest Facebook credentials.
The campaign targets users by sending deceptive emails that mimic legitimate communications from well-known AI brands. These emails direct recipients to download apps from Apple’s official App Store, lending a false sense of legitimacy to the attack. The apps, disguised as business management or advertising tools, are engineered solely to steal login credentials once installed.
Once a victim clicks the link embedded in the phishing email, they are redirected to what appears to be a genuine App Store listing. The malicious apps, branded as AI-powered advertising or business management utilities, prompt users to log in with their Facebook accounts upon launch.
This login prompt is a credential harvesting mechanism, capturing usernames and passwords and exfiltrating them to threat actors.
The use of Apple’s App Store as a distribution vector is particularly notable. Attackers leveraged the platform’s trusted reputation to bypass skepticism that users might otherwise apply to third-party download sources. This tactic also complicates detection, as security tools often whitelist traffic to and from official app marketplaces.
The campaign exploits the widespread brand recognition of ChatGPT and Gemini, two of the most widely discussed AI tools globally. By impersonating these platforms, threat actors significantly increase the likelihood of a victim engaging with the phishing email and following through with the download.
According to SpiderLabs, Facebook credentials are a high-value target, particularly for attackers focused on business account takeovers. Compromised Facebook accounts can be used to run unauthorized ad campaigns, drain advertising budgets, access business pages, and pivot into broader social engineering operations.
The branding of these fake apps as “ads management” tools directly targets marketers and business owners who routinely manage Facebook Ad accounts.
| Type | Indicator | Context |
|---|---|---|
| Malicious App URL | hxxps://apps[.]apple[.]com/au/app/geminiai-advertising/id6759005662 | Fake Gemini advertising app on App Store |
| Malicious App URL | hxxps://apps[.]apple[.]com/au/app/ads-gpt/id6759514534 | Fake ChatGPT ads management app on App Store |
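
Because traffic to the App Store itself is usually allowed, matching has to key on the app listing instead of the domain. The Python sketch below is an added example, not code from Trustwave SpiderLabs or the original article: it flags App Store links in message text by the numeric app ID from the indicators above, assuming the ID identifies the listing regardless of the storefront country or name slug in the URL. The sample messages are constructed.

```python
import re
from urllib.parse import urlsplit

# App Store IDs from the two indicator URLs in the table above.
FLAGGED_APP_IDS = {
    "6759005662": "Fake Gemini advertising app",
    "6759514534": "Fake ChatGPT ads management app",
}
URL_RE = re.compile(r"(?:https?|hxxps?)://[^\s<>\"')]+", re.IGNORECASE)

def refang(url):
    """Turn a defanged indicator (hxxps, [.]) back into a parseable URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")

def app_store_id(url):
    """Return the numeric ID from an apps.apple.com link, or None."""
    try:
        parts = urlsplit(refang(url))
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed URL, e.g. stray brackets in the host
        return None
    if host != "apps.apple.com":  # exact match rejects lookalike hosts
        return None
    match = re.search(r"/id(\d+)/?$", parts.path)
    return match.group(1) if match else None

def find_flagged_links(text):
    """Return (app_id, context) for each flagged App Store link in text."""
    hits = []
    for url in URL_RE.findall(text):
        app_id = app_store_id(url.rstrip(".,;"))
        if app_id in FLAGGED_APP_IDS:
            hits.append((app_id, FLAGGED_APP_IDS[app_id]))
    return hits

# Constructed sample message bodies (not real emails); links kept defanged.
SAMPLES = [
    "Manage your ads with AI: hxxps://apps[.]apple[.]com/au/app/ads-gpt/id6759514534",
    # Same app ID under a different storefront and slug (constructed variant).
    "Get it here hxxps://apps[.]apple[.]com/us/app/renamed-tool/id6759005662?mt=8.",
    # Benign link with a made-up placeholder ID.
    "Our app: https://apps.apple.com/us/app/example-app/id1234567890",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(find_flagged_links(body) or "clean", "<-", body[:40])
```
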
- Verify app publishers before downloading any app, even from official stores; check the developer name and reviews carefully
- Never log into Facebook through a prompt inside an unfamiliar third-party app
- Enable multi-factor authentication (MFA) on all Facebook and Meta Business accounts to limit damage from credential theft
- Train employees to recognize phishing emails that spoof AI brand names, especially those urging app downloads
- Report suspicious App Store listings directly to Apple for investigation and removal
Users and organizations that may have downloaded these apps and entered their Facebook credentials should immediately change their passwords, revoke suspicious app permissions from their Meta account security settings, and audit recent ad account activity for unauthorized changes.