Sophisticated Phishing Campaign Targets iPhone Users via Fake ChatGPT and Gemini Apps on Apple App Store
A highly targeted phishing campaign is exploiting the trust in two leading AI brands, OpenAI’s ChatGPT and Google’s Gemini, to deceive iPhone users into downloading malicious apps from Apple’s official App Store. The attack, uncovered by SpiderLabs, leverages deceptive emails posing as legitimate outreach from these platforms, directing victims to fraudulent applications disguised as AI-powered business or advertising tools.
Two malicious apps, GeminiAI Advertising (ID: id6759005662) and Ads GPT (ID: id6759514534), were identified on the Australian App Store storefront. Despite appearing on a trusted platform, the apps lack any genuine functionality. Instead, they immediately present a fake Facebook login screen, harvesting credentials in real time when users attempt to sign in. The stolen data grants attackers access to personal profiles, business ad accounts, and linked pages, amplifying the potential damage.
This campaign marks a tactical evolution in credential theft, bypassing traditional methods like fake websites or malicious attachments in favor of infiltrating an official app marketplace. The use of the App Store, perceived as a secure environment, significantly lowers user skepticism, making the attack more effective. While the apps were hosted on the Australian storefront, the phishing emails targeted global users, particularly business professionals, marketers, and social media managers.
The attack chain begins with a convincing email, reinforcing legitimacy at each step, from the sender’s display name to the App Store listing. Once installed, the apps exploit this trust by mimicking Facebook’s login interface, leaving victims unaware of the compromise. The incident underscores the challenges of vetting applications on large-scale distribution platforms, even those with rigorous review processes.
Indicators of Compromise (IoCs):
- GeminiAI Advertising: hxxps[://]apps[.]apple[.]com/au/app/geminiai-advertising/id6759005662
- Ads GPT: hxxps[://]apps[.]apple[.]com/au/app/ads-gpt/id6759514534

Source: https://cybersecuritynews.com/phishing-emails-push-fake-chatgpt/
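One way to put the two IoCs above to work in mail or proxy filtering, as an added example that is not part of the original report: it refangs the listed URLs, extracts the numeric app IDs, and flags any App Store link carrying one of those IDs. It assumes the ID should be matched regardless of storefront code, slug or query string (the emails were sent globally while the listings were on the `au` storefront); the function names and the sample email are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# IoCs exactly as listed on this page (defanged).
DEFANGED_IOCS = [
    "hxxps[://]apps[.]apple[.]com/au/app/geminiai-advertising/id6759005662",
    "hxxps[://]apps[.]apple[.]com/au/app/ads-gpt/id6759514534",
]
APP_STORE_HOST = "apps.apple.com"
# Matches live and defanged links in free text.
URL_RE = re.compile(r"(?:https?|hxxps?)(?:\[://\]|://)[^\s\"'<>]+", re.IGNORECASE)

def refang(text):
    """Undo the defanging used above: hxxp -> http, [://] -> ://, [.] -> ."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return text.replace("[://]", "://").replace("[.]", ".")

def app_store_id(url):
    """Return the numeric app ID of an App Store URL, or None if it is not one."""
    parts = urlsplit(refang(url.strip()))
    if (parts.hostname or "").lower() != APP_STORE_HOST:
        return None  # exact host match only; lookalike hosts are not App Store links
    for segment in parts.path.split("/"):
        m = re.fullmatch(r"id(\d+)", segment)
        if m:
            return m.group(1)
    return None

BLOCKED_IDS = {app_store_id(u) for u in DEFANGED_IOCS}

def find_ioc_links(text):
    """Return (url, app_id) for each link in text that points at a listed app."""
    hits = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,);")  # drop trailing sentence punctuation
        app_id = app_store_id(url)
        if app_id in BLOCKED_IDS:
            hits.append((url, app_id))
    return hits

# Constructed sample message body (not taken from the campaign).
SAMPLE_EMAIL = """\
Grow your campaigns with our new AI ads assistant.
Install: https://apps.apple.com/us/app/ads-gpt/id6759514534?mt=8
Also: hxxps[://]apps[.]apple[.]com/au/app/geminiai-advertising/id6759005662.
Unrelated app: https://apps.apple.com/au/app/example/id1234567890
"""
if __name__ == "__main__":
    for url, app_id in find_ioc_links(SAMPLE_EMAIL):
        print(f"blocked app id {app_id}: {url}")
```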
{
  "id": "OPEGOOFACAPP1772800304",
  "linkid": "openai, google, facebookforbusiness, apple",
  "type": "Cyber Attack",
  "date": "3/2026",
  "severity": "60",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
{'affected_entities': [{'customers_affected': 'Global users (particularly '
'business professionals, '
'marketers, and social media '
'managers)',
'industry': 'Technology',
'location': 'Australia',
'name': 'Apple App Store (Australian storefront)',
'type': 'App Distribution Platform'},
{'industry': 'Various (targeted: business '
'professionals, marketers, social media '
'managers)',
'location': 'Global',
'name': 'Victims (iPhone users)',
'type': 'Individuals/Businesses'}],
'attack_vector': 'Malicious Apps (Apple App Store)',
'data_breach': {'data_exfiltration': 'Yes (credentials harvested in real '
'time)',
'personally_identifiable_information': 'Yes (Facebook '
'credentials, personal '
'profiles)',
'sensitivity_of_data': 'High (personal profiles, business ad '
'accounts, linked pages)',
'type_of_data_compromised': 'Credentials (Facebook login '
'details)'},
'description': 'A highly targeted phishing campaign is exploiting the trust '
'in leading AI brands OpenAI’s ChatGPT and Google’s Gemini to '
'deceive iPhone users into downloading malicious apps from '
'Apple’s official App Store. The attack leverages deceptive '
'emails posing as legitimate outreach from these platforms, '
'directing victims to fraudulent applications disguised as '
'AI-powered business or advertising tools. The malicious apps '
'harvest Facebook credentials in real time, granting attackers '
'access to personal profiles, business ad accounts, and linked '
'pages.',
'impact': {'brand_reputation_impact': 'Potential reputational damage to '
'affected businesses and individuals',
'data_compromised': 'Facebook credentials, personal profiles, '
'business ad accounts, linked pages',
'identity_theft_risk': 'High (stolen Facebook credentials)',
'operational_impact': 'Unauthorized access to business ad accounts '
'and social media pages',
'systems_affected': 'iPhone devices with malicious apps installed'},
'initial_access_broker': {'entry_point': 'Deceptive emails, malicious App '
'Store apps',
'high_value_targets': 'Business professionals, '
'marketers, social media '
'managers'},
'lessons_learned': 'The incident underscores the challenges of vetting '
'applications on large-scale distribution platforms, even '
'those with rigorous review processes. Trust in official '
'app marketplaces can be exploited to lower user '
'skepticism.',
'motivation': 'Credential theft, financial gain, access to business ad '
'accounts',
'post_incident_analysis': {'root_causes': 'Exploitation of trust in official '
'app marketplaces, deceptive email '
'outreach, lack of user skepticism '
'due to App Store presence'},
'recommendations': 'Enhanced vetting of apps on official marketplaces, user '
'education on phishing risks, multi-factor authentication '
'for critical accounts, and monitoring for unauthorized '
'access to business ad accounts.',
'references': [{'source': 'SpiderLabs',
'url': 'hxxps[://]apps[.]apple[.]com/au/app/geminiai-advertising/id6759005662'},
{'source': 'SpiderLabs',
'url': 'hxxps[://]apps[.]apple[.]com/au/app/ads-gpt/id6759514534'}],
'response': {'third_party_assistance': 'SpiderLabs (uncovered the attack)'},
'title': 'Sophisticated Phishing Campaign Targets iPhone Users via Fake '
'ChatGPT and Gemini Apps on Apple App Store',
'type': 'Phishing',
'vulnerability_exploited': 'Trust in official app marketplaces, deceptive '
'email outreach'}