PromptSpy Android Malware Abuses Gemini AI to Automate Recent-Apps Persistence

Android Malware “PromptSpy” Hijacks Gemini AI to Stay Hidden and Control Victims’ Devices

In a groundbreaking discovery, cybersecurity researchers have uncovered the first-ever Android malware that leverages Google’s Gemini AI chatbot to enhance its malicious capabilities. Dubbed PromptSpy, this sophisticated threat represents a dangerous new evolution in mobile cybercrime, combining AI-powered automation with traditional malware techniques to evade detection and maintain persistent control over infected devices.

The malware, identified by ESET security researchers, is designed to capture sensitive information, prevent uninstallation, and grant attackers remote access to victims’ Android devices. What makes PromptSpy particularly alarming is its innovative use of Gemini AI to dynamically adapt to different devices, screen layouts, and Android versions—making it far more versatile and harder to detect than conventional malware.

How PromptSpy Works

PromptSpy operates by embedding hard-coded access to Gemini’s AI model and providing it with detailed instructions to act as an “Android automation assistant.” The malware captures an XML dump of the current screen, including every UI element’s text, type, and position, and sends this data to Gemini along with a natural language prompt. Gemini then processes the information and responds with JSON instructions, telling the malware exactly what actions to perform—such as tapping specific buttons or navigating menus—and where to perform them.

This multi-step interaction continues until the malicious app is successfully locked in the device’s recent apps list, preventing it from being easily swiped away or terminated by the system. By leveraging AI in this way, PromptSpy can adapt to virtually any device, screen size, or UI layout, significantly expanding its potential victim pool.

Advanced Capabilities

Once installed, PromptSpy deploys a built-in VNC (Virtual Network Computing) module, granting attackers remote access to the victim’s device. The malware also exploits Android’s accessibility services to overlay invisible elements on the screen, effectively blocking uninstallation attempts. Additionally, it can:

• Capture lockscreen data, including PINs and passwords
• Take screenshots and record screen activity as video
• Gather detailed device information
• Communicate with a command-and-control (C2) server via the VNC protocol

The malware’s ability to interpret on-screen elements and decide how to interact with them makes it highly adaptable and resistant to changes in the user interface. This AI-driven approach allows PromptSpy to execute actions without requiring user input, further enhancing its stealth and effectiveness.

Distribution and Targeting

PromptSpy is distributed through a dedicated website, mgardownload[.]com, and has never been available on the official Google Play Store. The malware is delivered via a dropper that, when installed, opens a web page hosted on m-mgarg[.]com. This page masquerades as JPMorgan Chase, specifically targeting users in Argentina under the name “MorganArg” (a reference to Morgan Argentina).

The dropper instructs victims to grant it permissions to install apps from unknown sources, enabling the deployment of PromptSpy. Once installed, the malware contacts its server to request a configuration file, which includes a link to download another APK, presented to the victim in Spanish as an “update.”

Origins and Development

Interestingly, evidence suggests that PromptSpy was developed in a Chinese-speaking environment, as indicated by the presence of debug strings written in simplified Chinese. The malware is believed to be an advanced version of another previously unknown Android malware called VNCSpy, with samples first uploaded to the VirusTotal platform last month from Hong Kong.

Implications and Mitigation

The discovery of PromptSpy highlights the growing trend of threat actors incorporating AI tools into their operations to make malware more dynamic and adaptable. By automating actions that would otherwise be challenging with conventional approaches, attackers can create more sophisticated and evasive threats.

For victims, removing PromptSpy is not straightforward. The malware prevents itself from being uninstalled by overlaying invisible elements on the screen. The only way to remove it is to reboot the device into Safe Mode, where third-party apps are disabled and can be uninstalled.

Expert Insights

Lukáš Štefanko, a researcher at ESET, emphasized the significance of this discovery: “PromptSpy shows that Android malware is beginning to evolve in a sinister way. By relying on generative AI to interpret on-screen elements and decide how to interact with them, the malware can adapt to virtually any device, screen size, or UI layout it encounters. Instead of hardcoded taps, it simply hands AI a snapshot of the screen and receives precise, step-by-step interaction instructions in return, helping it achieve a persistence technique resistant to UI changes.”

Conclusion

PromptSpy represents a significant leap forward in the evolution of Android malware, demonstrating how AI can be weaponized to create more adaptable and persistent threats. As cybercriminals continue to explore the potential of AI-driven attacks, it is crucial for users to remain vigilant, avoid downloading apps from untrusted sources, and keep their devices updated with the latest security patches.

Tags: Android malware, PromptSpy, Gemini AI, cybersecurity, VNCSpy, mobile threats, AI-driven malware, remote access, lockscreen capture, Argentina, JPMorgan Chase, ESET, VirusTotal, Safe Mode, malware evolution, UI automation, accessibility services, command-and-control server, simplified Chinese, debug strings, financial motivation, web-based distribution, APK dropper, Spanish localization, persistence techniques, screen recording, device information gathering, invisible overlays, multi-step interaction, JSON instructions, XML dump, UI navigation, potential victims, threat actors, generative AI, natural language processing, hard-coded API key, remote control, malicious app, system termination, user input, screen activity, pattern unlock, video capture, financial cybercrime, mobile security, Android automation assistant, step-by-step instructions, recent apps list, conventional malware, AI model, cybersecurity research, malware analysis, malware distribution, malware capabilities, malware mitigation, malware removal, malware targeting, malware development, malware origins, malware implications, malware expert insights, malware conclusion, Android security, mobile device security, Android threat landscape, AI in cybersecurity, AI-powered attacks, AI-driven threats, AI and malware, AI and cybercrime, AI and mobile security, AI and Android, AI and Gemini, AI and automation, AI and adaptability, AI and persistence, AI and evasion, AI and detection, AI and versatility, AI and innovation, AI and evolution, AI and sophistication, AI and stealth, AI and effectiveness, AI and adaptability, AI and resilience, AI and persistence, AI and evasion, AI and detection, AI and versatility, AI and innovation, AI and evolution, AI and sophistication, AI and stealth, AI and effectiveness, AI and adaptability, AI and resilience, AI and persistence, AI and evasion, AI and detection, AI and versatility, AI and innovation, AI and evolution, AI and sophistication, AI and stealth, AI and effectiveness, AI and adaptability, AI and resilience, AI and persistence

,