A newly discovered Android malware strain, dubbed PromptSpy by ESET researchers, is leveraging Google’s Gemini artificial intelligence chatbot to maintain its persistence on infected devices. This marks the first known instance of AI being actively exploited within Android malware, according to cybersecurity analysts.
PromptSpy’s core innovation lies in its ability to utilize Gemini to analyze the user interface of an Android device and generate instructions for remaining pinned in the recent applications list. This prevents users from easily closing or terminating the malicious application, effectively ensuring its continued operation. “Gemini is used to analyze the current screen and provide PromptSpy with step-by-step instructions on how to ensure the malicious app remains pinned in the recent apps list,” explained Lukáš Štefanko, an ESET researcher, in a report released Thursday. “Since Android malware often relies on UI navigation, leveraging generative AI enables the threat actors to adapt to more or less any device, layout, or OS version, which can greatly expand the pool of potential victims.”
The malware functions by sending Gemini an XML dump of the current screen, detailing each UI element’s text, type, and position. Gemini then responds with JSON instructions outlining the necessary actions – such as taps – to lock the app in the recent apps list. This interaction continues until the app achieves persistence, resisting standard termination methods. The process relies on hard-coding the AI model and a specific prompt within the malware, assigning Gemini the role of an “Android automation assistant.”
Beyond persistence, PromptSpy’s primary objective is to deploy a built-in Virtual Network Computing (VNC) module, granting attackers remote access to compromised devices. It also exploits Android’s accessibility services to hinder uninstallation attempts through the use of invisible overlays. Communication with a command-and-control (C2) server, located at 54.67.2[.]84, occurs via the VNC protocol. The malware is capable of capturing lockscreen data, gathering device information, taking screenshots, and recording screen activity as video, all facilitated through accessibility services and communication with the C2 server.
Researchers believe the campaign is financially motivated, primarily targeting users in Argentina, based on language localization clues and distribution methods. However, analysis of debug strings within the malware indicates its development originated in a Chinese-speaking environment. “PromptSpy is distributed by a dedicated website and has never been available on Google Play,” Štefanko noted.
PromptSpy is considered an evolved version of a previously unidentified Android malware, VNCSpy, with samples first appearing on the VirusTotal platform last month originating from Hong Kong. The malware is delivered through a website, mgardownload[.]com, which presents a dropper disguised as JPMorgan Chase, operating under the name “MorganArg” – a reference to Morgan Argentina. The dropper prompts victims to enable installation of apps from unknown sources, paving the way for PromptSpy’s deployment. The dropper then requests a configuration file from its server, containing a link to download an APK file presented to the victim in Spanish as an update. ESET reported that the configuration server was inaccessible during their research, leaving the exact download URL unknown.
The emergence of PromptSpy underscores a growing trend of threat actors integrating AI tools into their operations, enhancing malware’s adaptability and automating complex tasks. ESET stated that PromptSpy “shows that Android malware is beginning to evolve in a sinister way,” adding that the malware’s reliance on generative AI allows it to adapt to “virtually any device, screen size, or UI layout it encounters.”
Currently, the most effective method for removing PromptSpy is to reboot the infected device into Safe Mode, which disables third-party applications, allowing for uninstallation. The malware’s persistence mechanism, utilizing invisible overlays, prevents standard removal methods.
