Cybersecurity researchers have uncovered a sophisticated Android malware, named PromptSpy, that leverages Google’s generative AI chatbot Gemini to automate actions and ensure persistence on infected devices. This marks one of the first known cases of malware incorporating generative AI into its operational flow.
How PromptSpy Operates
PromptSpy is capable of:
- Capturing lockscreen credentials
- Blocking uninstallation attempts
- Collecting device information
- Taking screenshots and recording screen activity
- Maintaining presence in the recent apps list
According to Lukáš Štefanko, Gemini is used to analyze the current screen and generate step-by-step instructions, guiding the malware to stay pinned in the recent apps list so it cannot be swiped away or terminated.
The malware includes a hard-coded AI model and prompt, assigning Gemini the persona of an “Android automation assistant.” It sends Gemini an XML dump of the screen, detailing UI elements, text, type, and position. Gemini then responds with JSON instructions, such as where and how to tap, until the app is securely locked in the recent apps list.
Persistence and Remote Access
The primary goal of PromptSpy is to deploy a VNC module granting remote access to the attacker. The malware also uses Android’s accessibility services to avoid uninstallation, overlaying invisible elements on the screen. It communicates with a hard-coded command-and-control (C2) server at 54.67.2[.]84 via the VNC protocol to retrieve configuration, API keys, and trigger actions like:
- Screenshots and video recording
- Capturing lockscreen PINs and pattern unlocks
- Intercepting user interactions
This AI-driven automation enables the malware to adapt to different devices, UI layouts, and Android versions, significantly expanding the pool of potential victims.
Distribution and Targeting
PromptSpy appears to target financially motivated victims in Argentina. Its development environment shows signs of Chinese origin, as indicated by simplified Chinese debug strings. It has never been distributed on Google Play and is delivered through a dedicated website, mgardownload[.]com. Victims are lured via a dropper masquerading as JPMorgan Chase (“MorganArg”) and are prompted to grant permissions to install apps from unknown sources.
The malware is considered an advanced iteration of a previously unknown Android threat called VNCSpy. Victims must reboot their devices into Safe Mode to uninstall PromptSpy due to its persistent overlay techniques.
Significance
ESET researchers note that PromptSpy demonstrates a new evolution in Android malware:
- Generative AI is used to interpret on-screen elements and automate interactions
- Persistence mechanisms are no longer dependent on hard-coded taps
- Malware can adapt to virtually any device, screen size, or UI layout
By integrating AI into its execution, PromptSpy shows how attackers are making malware more resilient and dynamic, creating challenges for traditional detection and removal strategies.
Found this article interesting? Follow us on X (Twitter) , Facebook, Blue sky and LinkedIn to read more exclusive content we post.
