https://www.welivesecurity.com/en/eset-research/promptspy-ushers-in-era-android-threats-using-genai
Cybersecurity researchers have identified the first Android malware strain that exploits Google’s Gemini artificial intelligence chatbot to enhance its operational capabilities and maintain persistence on infected devices. The malware, designated PromptSpy by ESET security researchers, represents a significant evolution in mobile threats by integrating generative AI into its execution workflow to adapt dynamically to different device configurations and operating system versions. PromptSpy’s primary functionality includes capturing lockscreen credentials, preventing uninstallation attempts, collecting device information, capturing screenshots, and recording screen activity through video, all while using Gemini to navigate user interfaces intelligently.
The malware’s approach involves hard-coding both the AI model and specific prompts that assign Gemini the role of an Android automation assistant. PromptSpy sends natural language instructions along with XML representations of the current screen layout to Gemini, which then analyses every UI element including text, type, and position coordinates. The AI responds with structured JSON instructions detailing precisely where and how to perform actions such as taps or swipes. This continuous multi-step interaction enables PromptSpy to successfully lock itself in the recent apps list, preventing users from terminating the application through normal means. The malware also deploys a VNC module for remote access and leverages Android accessibility services to create invisible overlays that block uninstallation attempts, communicating with its command-and-control server to receive API keys and execute various surveillance functions including lockscreen interception and pattern capture.
ESET attributes the campaign to financially motivated actors primarily targeting users in Argentina, with evidence suggesting the malware was developed in a Chinese-speaking environment based on debug strings written in simplified Chinese. PromptSpy appears distributed through a dedicated website rather than Google Play, with victims directed to install a dropper that masquerades as JPMorgan Chase under the name MorganArg. The malware is assessed to be an advanced iteration of another previously unknown threat called VNCSpy, first detected in samples uploaded from Hong Kong. ESET warns that PromptSpy demonstrates how threat actors are incorporating AI tools to create more adaptive malware that can automatically adjust to virtually any device configuration or UI layout, with the only effective removal method being to reboot infected devices into Safe Mode where third-party applications can be uninstalled.