The Mac Security Blog

Malware

FakeGPT: Trojanized ChatGPT Chrome extensions hijack Facebook accounts

Posted on by

FakeGPT is one of three new Mac-infecting malware families that came to light in March (the others being MacStealer and SmoothOperator).

Let’s take a look at what FakeGPT does, who’s behind the campaign, and how you can avoid or clean up an infection.

What should I know about FakeGPT?

The FakeGPT malware campaign has consisted of at least four known extensions that were available in Google’s Chrome Web Store. Notably, other Chromium-based browsers such as Microsoft Edge, Brave, and Opera may also be able to run Chrome extensions.

Victims could potentially have happened upon the Trojan horse extensions through a Chrome Web Store search for ChatGPT. However, the FakeGPT malware developers primarily relied on paid advertisements to achieve prominent placement on Facebook (for early campaigns) and Google search results (for the most recent campaign).

The early Facebook ad campaigns redirected the victim to a fake extension called “Quick access to Chat GPT.” In the most recent campaign, reportedly searching Google for the term “Chat GPT 4” could have presented you with an ad at the top of the search results that redirected to a fake version of the extension “ChatGPT for Google.”

What would FakeGPT malware do to an infected system?

Once the FakeGPT extension was installed, it would collect the victim’s Facebook cookies and exfiltrate them to the malware’s distributor. If the victim was logged into Facebook, the exfiltration of these cookies would give the malware maker direct access to the user’s Facebook account, just as if the malware maker had access to the victim’s username, password, and two-factor authentication method—but without all that trouble.

This is because, like most Web sites, Facebook relies on “stay-logged-in cookies.” In Facebook’s case, allowing users to stay logged in indefinitely is an important part of the company’s overall strategy, because it allows Facebook (and its parent company, Meta) to track where else users go on the Internet, which can then be used to push more relevant Facebook ads to the user.

The problem is, if bad guys can get ahold of your cookies and put them on another computer in their control, they will be logged in exactly as though they are you. This allows the attacker to take over and do just about anything you would be able to do with your own account.

Interestingly, this month’s discovery of MacStealer malware brought to light that it, too, has cookie theft capabilities.

MacStealer: Mac Trojan malware steals passwords, wallets, and files

Who is behind this malware?

While it isn’t exactly clear who developed this malware, victims of the first round of fake extensions eventually had ISIS-promoting pictures uploaded to their account by an attacker. This seems to suggest that someone aligned with the Islamic State group may have distributed the malware.

How can one remove or prevent FakeGPT and other Mac malware?

Intego X9 software boxes

Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, can protect against, detect, and eliminate this malware.

If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on a wide range of Mac hardware and operating systems, including the latest Apple silicon Macs running macOS Ventura.

If you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from PC malware.

Note: Intego customers running VirusBarrier X8, X7, or X6 on older versions of Mac OS X are also protected from this threat. It is best to upgrade to the latest versions of VirusBarrier and macOS, if possible, to ensure your Mac gets all the latest security updates from Apple.

How can I learn more?

For additional technical information about FakeGPT malware, you can refer to the first and second detailed write-ups by Nati Tal of Guardio Labs.

We briefly discussed FakeGPT on episode 285 of the Intego Mac Podcast:

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon. View all posts by Joshua Long →