Cybersecurity researchers have identified a novel Android malware strain that leverages Google’s generative artificial intelligence technology to maintain persistence on infected devices and aid remote attackers.
The malicious software, codenamed PromptSpy, is believed to be the first Android threat to incorporate Google Gemini into its execution flow, using the AI model at runtime to interpret on-screen elements and guide automated navigation tasks.
The main goal of PromptSpy is to deploy a built-in VNC module that grants the attackers remote access to the victim’s device. The malware also abuses Android’s accessibility services, placing invisible overlays on the screen to block attempts to uninstall it. It communicates with a hard-coded command-and-control (C2) server (“54.67.2[.]84”) via the VNC protocol.
“Gemini is used to analyze the current screen and provide PromptSpy with step-by-step instructions on how to ensure the malicious app remains pinned in the recent apps list, thus preventing it from being easily swiped away or killed by the system,” ESET researcher Lukáš Štefanko said in a report published today. “Since Android malware often relies on UI navigation, leveraging generative AI enables the threat actors to adapt to more or less any device, layout, or OS version, which can greatly expand the pool of potential victims.”
Gemini then returns precise instructions, such as where to tap on the screen, enabling the malware to pin itself in the device’s recent apps list and resist user attempts to close or uninstall it. This technique allows the malware to adapt to different device layouts, operating system versions, and user interface changes, vastly expanding its potential reach.
Once established on a device, PromptSpy can capture lock screen data, gather detailed system information, take screenshots, record on-screen video activity and block uninstallation by exploiting Android’s accessibility services. It also incorporates a built-in VNC module that could grant attackers remote access to the compromised device, creating a stealthy command-and-control channel with the threat actor’s server.
The malware’s command-and-control communications are hard-coded and employ encrypted connections, while its use of AI for decision-making shows a significant evolution in how mobile threats are designed. By automating tasks that would normally require complex hard-coded behavior, PromptSpy illustrates how attackers are embracing artificial intelligence to overcome traditional detection and mitigation measures.
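The article gives one concrete network indicator (the hard-coded C2 address 54.67.2[.]84) and names VNC as the transport, so a defender's first check is whether any managed device has talked to that host. The Python script below is an added example, not ESET's or the article's code: it parses constructed flow-log lines in an assumed format, flags any flow to the published address, and separately flags outbound VNC to a non-internal host on the protocol's default port 5900 (an assumption, since the article does not state a port). The internal address ranges and the sample log are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Indicator quoted in the article, kept in the defanged form it was published in.
DEFANGED_C2 = "54.67.2[.]84"

# Assumptions for this example (not from the article): VNC on its default
# port, and RFC 1918 space as the "internal" side of the monitored network.
VNC_DEFAULT_PORT = 5900
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def refang(indicator: str) -> str:
    """Turn a defanged address ('54.67.2[.]84') into a comparable dotted quad."""
    return indicator.replace("[.]", ".")


C2_ADDRESSES = {refang(DEFANGED_C2)}


@dataclass(frozen=True)
class Flow:
    timestamp: str
    src: str
    dst: str
    dport: int
    proto: str


# Assumed (constructed) log format: "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one flow record; return None for lines that do not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["src"], m["dst"], int(m["dport"]), m["proto"])


def is_internal(addr: str) -> bool:
    """True when the address falls in one of the assumed internal ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def classify(flow: Flow) -> str:
    """'c2-match' for the published indicator, 'outbound-vnc' for VNC to a
    non-internal host (unusual for a phone), otherwise 'benign'."""
    if flow.dst in C2_ADDRESSES:
        return "c2-match"
    if flow.dport == VNC_DEFAULT_PORT and not is_internal(flow.dst):
        return "outbound-vnc"
    return "benign"


def scan(log_text: str) -> list:
    """Return the non-benign flows as dicts, in log order; malformed lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        verdict = classify(flow)
        if verdict != "benign":
            hits.append({"timestamp": flow.timestamp, "src": flow.src,
                         "dst": flow.dst, "dport": flow.dport, "verdict": verdict})
    return hits


# Constructed sample log. The C2 line reuses the article's indicator; every
# other address is RFC 1918 or a documentation (TEST-NET) range, not a real host.
SAMPLE_LOG = "\n".join([
    "2024-01-01T10:00:00Z 10.0.0.12:51234 -> 198.51.100.20:443 TCP",
    f"2024-01-01T10:00:05Z 10.0.0.12:51235 -> {refang(DEFANGED_C2)}:{VNC_DEFAULT_PORT} TCP",
    "2024-01-01T10:00:09Z 10.0.0.12:51236 -> 10.0.0.1:53 UDP",
    "2024-01-01T10:00:15Z 10.0.0.12:51237 -> 203.0.113.7:5900 TCP",
    "malformed line that the parser should skip",
])

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The indicator match is the only high-confidence signal here; the outbound-VNC rule is a review heuristic, since the article says the C2 address is hard-coded but does not say the operators could not move it, and a real feed would carry more than one address.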
Distribution appears to be occurring via external websites rather than legitimate app stores. Analysts note that the initial dropper masquerades as an update or legitimate application, misleading victims into granting permissions that enable the malware to install and activate its malicious components.
PromptSpy makes itself difficult to remove by placing invisible elements on the screen. The only way to uninstall it is to reboot the device into Safe Mode, which disables third-party apps and allows the malware to be uninstalled. So far, evidence suggests the campaign may be financially motivated, with some indicators pointing to targeting users in specific regions, though definitive attribution and widespread detection have not yet been confirmed.
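The persistence described above rests on two capabilities a user or an MDM tool can inspect: an accessibility service and the right to draw overlays over other apps, held by an app that was not installed from a store. The Python triage routine below is an added example, not code from ESET or the article: it scores a constructed app inventory on those signals. The two Android permission names and the Play Store installer package name (com.android.vending) are real identifiers; treating Play as the only trusted installer, the record layout and the scoring thresholds are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Real Android identifiers. Scoring them together is this example's heuristic.
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
PLAY_STORE_INSTALLER = "com.android.vending"  # assumption: the only trusted installer

LEVEL_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class InstalledApp:
    """One inventory record (constructed layout, not real dumpsys output)."""
    package: str
    installer: Optional[str]                 # None when sideloaded from a file or browser
    permissions: set = field(default_factory=set)          # permissions the app requests
    service_permissions: set = field(default_factory=set)  # permissions its services are guarded by


def triage(app: InstalledApp) -> Tuple[str, List[str]]:
    """Return (level, reasons). High = sideloaded + overlay + accessibility service,
    the combination the article attributes to PromptSpy; medium = an accessibility
    service plus one of the other two; low otherwise."""
    reasons = []
    if app.installer != PLAY_STORE_INSTALLER:
        reasons.append("sideloaded")
    if OVERLAY_PERMISSION in app.permissions:
        reasons.append("overlay")
    if ACCESSIBILITY_BIND in app.service_permissions:
        reasons.append("accessibility-service")

    if len(reasons) == 3:
        level = "high"
    elif "accessibility-service" in reasons and len(reasons) == 2:
        level = "medium"
    else:
        level = "low"
    return level, reasons


def rank(inventory: List[InstalledApp]) -> List[Tuple[str, str, List[str]]]:
    """Triage every app and return (package, level, reasons), most suspicious first."""
    results = [(app.package, *triage(app)) for app in inventory]
    return sorted(results, key=lambda r: (LEVEL_ORDER[r[1]], r[0]))


# Constructed inventory: package names are placeholders, not real apps.
SAMPLE_INVENTORY = [
    InstalledApp("com.example.screenreader", PLAY_STORE_INSTALLER,
                 set(), {ACCESSIBILITY_BIND}),
    InstalledApp("com.example.update", None,
                 {OVERLAY_PERMISSION}, {ACCESSIBILITY_BIND}),
    InstalledApp("com.example.game", None,
                 {OVERLAY_PERMISSION}, set()),
    InstalledApp("com.example.pwmanager", PLAY_STORE_INSTALLER,
                 {OVERLAY_PERMISSION}, {ACCESSIBILITY_BIND}),
]

if __name__ == "__main__":
    for package, level, reasons in rank(SAMPLE_INVENTORY):
        print(f"{level:6} {package:28} {', '.join(reasons) or '-'}")
```

Legitimate screen readers and password managers also bind an accessibility service, so the medium tier is a review queue rather than a verdict; the high tier is the specific combination the article describes, and on a device where the app cannot be removed normally it is the signal that points to the Safe Mode route above.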
Security experts advise Android users to exercise caution when installing applications from unknown sources, to maintain updated security software and to restrict app permissions where possible.