PromptSpy Android Malware Abuses Gemini AI for Persistence in the Recent Apps List

Cybersecurity researchers have discovered what they say is the first Android malware that abuses Gemini, Google’s generative artificial intelligence (AI) chatbot, as part of its functionality to gain persistence.
The malware has been codenamed PromptSpy by ESET. It is equipped to capture lock screen data, block uninstall attempts, collect device information, take screenshots, and record screen activity as video.
“Gemini is used to analyze the current screen and provide PromptSpy with step-by-step instructions on how to ensure that the malicious app remains pinned to the recent apps list, thus preventing it from being easily swiped or killed,” ESET researcher Lukáš Štefanko said in a report published today.
“Since Android malware often relies on UI navigation, active generative AI enables threat actors to adapt to any device, build, or OS version, which can greatly expand the pool of potential victims.”
Specifically, this involves hard-coding the AI model and information into the malware, giving the AI agent the role of an “Android automation assistant.” The malware sends Gemini natural language information and an XML dump of the current screen that provides detailed information about every UI element, including its text, type, and exact state on the display.
Gemini then processes this information and responds with JSON commands that tell the malware what action to perform (e.g., tap) and where to perform it. The multi-step interaction continues until the app is successfully locked in the recent apps list and cannot be terminated.
The main goal of PromptSpy is to use the built-in VNC module that gives attackers remote access to the victim’s device. The malware is also designed to take advantage of Android’s accessibility services to prevent it from being uninstalled, using invisible overlays. It communicates with the hard-coded command-and-control (C2) server (“54.67.2[.]84”) via the VNC protocol.
It is important to note that the actions suggested by Gemini are performed through accessibility services, which allow the malware to interact with the device without user input. The malware also connects to the C2 server to get a Gemini API key, takes screenshots where needed, captures the screen lock PIN or password, records the screen, and captures the pattern unlock screen as a video.

An analysis of the language localization indicators and the distribution vectors used suggests that the campaign is likely to be financially motivated and targeting Argentinian users. Interestingly, evidence suggests that PromptSpy was developed in a Chinese-speaking environment, as indicated by the presence of debug strings written in simplified Chinese.
“PromptSpy is distributed by a dedicated website and has never been available on Google Play,” said Štefanko.
PromptSpy is being tested as an improved version of another previously unknown Android malware called VNCSpy, samples of which were first uploaded to the VirusTotal site last month from Hong Kong.
The website, “mgardownload[.]com,” is used to deliver the dropper, which, when installed and launched, opens a web page hosted on “m-mgrg[.]com.” It impersonates JPMorgan Chase, with the name “MorganArg” referring to Morgan Argentina. The dropper also instructs victims to grant it permission to install apps from unknown sources in order to install PromptSpy.
“In turn, the Trojan contacts its server to request a configuration file, which includes a link to download another APK, which is presented to the victim, in Spanish, as an update,” ESET said. “During our research, the configuration server was no longer accessible, so the download URL is still unknown.”
The findings show how threat actors are incorporating AI tools into their operations and making malware more efficient, giving them the means to automate actions that would be more challenging through conventional methods.
Because PromptSpy protects itself from being uninstalled by overlaying invisible elements on the screen, the only way for the victim to remove it is to restart the device in safe mode, where third-party applications are disabled and can be uninstalled.
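Since PromptSpy depends on accessibility services and is distributed outside Google Play, a defender can check a device for enabled accessibility services that belong to sideloaded apps. The following is an added example, not code from ESET or the original article. It parses the output of `adb shell settings get secure enabled_accessibility_services`, `adb shell pm list packages -i`, and `adb shell pm list packages -s`; the package names, sample outputs, and the choice of Google Play as the only trusted installer are assumptions.

```python
# Added example. Every package name and command output below is constructed sample data.
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play is trusted

def parse_accessibility(setting):
    """`settings get secure enabled_accessibility_services` -> [(package, class)].
    The value is a colon-separated list of `package/class`, or `null` when unset."""
    pairs = []
    for comp in setting.strip().split(":"):
        if "/" not in comp:
            continue  # skips "null" and empty fragments
        pkg, cls = comp.split("/", 1)
        # A leading dot is shorthand for "<package>.<class>".
        pairs.append((pkg, pkg + cls if cls.startswith(".") else cls))
    return pairs

def parse_installers(listing):
    """`pm list packages -i` -> {package: installer or None}."""
    installers = {}
    for line in listing.splitlines():
        if line.startswith("package:"):
            name, _, inst = line[len("package:"):].partition("installer=")
            inst = inst.strip()
            installers[name.strip()] = None if inst in ("", "null") else inst
    return installers

def parse_system(listing):
    """`pm list packages -s` -> set of preinstalled package names."""
    return {l[len("package:"):].strip() for l in listing.splitlines()
            if l.startswith("package:")}

def sideloaded_accessibility_services(setting, installer_listing, system_listing):
    """Return (package, service class, installer) for each enabled accessibility
    service whose app is neither preinstalled nor installed by a trusted store."""
    installers = parse_installers(installer_listing)
    system = parse_system(system_listing)
    return [(pkg, cls, installers.get(pkg))
            for pkg, cls in parse_accessibility(setting)
            if pkg not in system and installers.get(pkg) not in TRUSTED_INSTALLERS]

SAMPLE_A11Y = ("com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService:"
               "com.example.updater/.CoreService")
SAMPLE_INSTALLERS = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.updater  installer=null
package:com.example.notes  installer=com.android.vending"""
SAMPLE_SYSTEM = "package:com.android.settings\npackage:com.android.systemui"

if __name__ == "__main__":
    for finding in sideloaded_accessibility_services(SAMPLE_A11Y, SAMPLE_INSTALLERS, SAMPLE_SYSTEM):
        print("review:", finding)
```

A finding is a prompt for review rather than proof of compromise, since legitimately sideloaded accessibility tools are flagged as well.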
“PromptSpy shows that Android malware is starting to evolve in a serious way,” ESET said. “By relying on artificial AI to interpret on-screen elements and determine how to interact with them, malware can adapt to virtually any device, screen size, or UI layout it encounters.”
“Instead of hard-coded taps, it simply gives the AI a snapshot of the screen and gets precise, step-by-step instructions in return, helping it find a way to persist against UI changes.”



