PromptSpy Android Malware Abuses Gemini AI to Automate Recent-Apps Persistence

Published: February 19, 2026 at 12:52 PM EST
4 min read

Source: The Hacker News

Overview


Cybersecurity researchers have discovered what they say is the first Android malware that abuses Gemini, Google’s generative‑AI chatbot, as part of its execution flow and achieves persistence. The malware has been codenamed PromptSpy by ESET. It is equipped to:

  • Capture lock‑screen data
  • Block uninstallation attempts
  • Gather device information
  • Take screenshots
  • Record screen activity as video

“Gemini is used to analyze the current screen and provide PromptSpy with step‑by‑step instructions on how to ensure the malicious app remains pinned in the recent apps list, thus preventing it from being easily swiped away or killed by the system,” said Lukáš Štefanko, ESET researcher, in the full report.

“Since Android malware often relies on UI navigation, leveraging generative AI enables the threat actors to adapt to more or less any device, layout, or OS version, which can greatly expand the pool of potential victims.”

How PromptSpy Uses Gemini

  1. Hard‑coded AI model & prompt – The malware embeds a Gemini prompt that gives the AI the persona of an “Android automation assistant.”
  2. Screen dump – It sends Gemini a natural‑language prompt together with an XML dump of the current screen, which lists every UI element (text, type, position).
  3. AI response – Gemini returns JSON instructions (e.g., “tap at X,Y”).
  4. Action loop – The malware follows the instructions via Android’s accessibility services, repeating the interaction until the app is locked in the recent‑apps list and cannot be terminated.

The ultimate goal is to deploy a built‑in VNC module that grants the attackers remote access. PromptSpy also uses accessibility‑service overlays to hide its presence and prevent uninstallation. Communication with a hard‑coded C2 server (54.67.2[.]84) occurs over the VNC protocol; the server supplies the Gemini API key and issues commands for on‑demand screenshots, lock‑screen PIN/password capture, screen recording, and pattern‑unlock video capture.


Campaign Details

  • Target region: Evidence points to a financially motivated campaign aimed at users in Argentina.
  • Origin: Debug strings in simplified Chinese suggest development in a Chinese‑speaking environment.
  • Distribution: PromptSpy is delivered via a dedicated website (never on Google Play).

“PromptSpy is distributed by a dedicated website and has never been available on Google Play,” Štefanko added.

Relationship to VNCSpy

PromptSpy appears to be an advanced version of the previously unknown Android malware VNCSpy, whose samples first appeared on VirusTotal last month from Hong Kong.

Dropper & Delivery

  • Domain: mgardownload[.]com hosts a dropper.
  • Secondary site: The dropper opens a page on m-mgarg[.]com, masquerading as JPMorgan Chase under the name MorganArg (a nod to Morgan Argentina).
  • Installation flow:
    1. Victim runs the dropper.
    2. The dropper requests permission to install apps from unknown sources.
    3. It contacts its server for a configuration file that contains a link to an APK presented in Spanish as an “update.”

“During our research, the configuration server was no longer accessible, so the exact download URL remains unknown,” ESET noted.


Significance

The findings illustrate how threat actors are incorporating AI tools into their operations, making malware more dynamic and automating actions that would otherwise require manual scripting or extensive UI‑automation code.

Because PromptSpy prevents itself from being uninstalled by overlaying invisible elements on the screen, the only reliable way for a victim to remove it is to reboot the device in…

Safe Mode disables third‑party apps and allows them to be uninstalled.

“PromptSpy shows that Android malware is beginning to evolve in a sinister way,” ESET said. “By relying on generative AI to interpret on‑screen elements and decide how to interact with them, the malware can adapt to virtually any device, screen size, or UI layout it encounters.”

“Instead of hardcoded taps, it simply hands AI a snapshot of the screen and receives precise, step‑by‑step interaction instructions in return, helping it achieve a persistence technique resistant to UI changes.”
