
Android Malware 'PromptSpy' Exploits Gemini AI for Unprecedented Persistence

Cybersecurity researchers have uncovered a new Android malware family, dubbed PromptSpy. It is the first known case of a generative AI model, Google's Gemini, being queried at runtime to make malware more adaptable and persistent on Android devices. Rather than hardcoding how to navigate the screen, PromptSpy asks the model how to drive the device's user interface, which makes it unusually hard to remove.

Key Takeaways

  • PromptSpy is the first Android malware to incorporate Gemini AI for runtime persistence.

  • It enables attackers to achieve deep device control and makes the malware harder to remove.

  • Evidence suggests targeting of users in Argentina and a possible Chinese origin.

Gemini AI Empowers Malware Persistence

PromptSpy stands out by folding Google's generative AI, Gemini, into its execution flow. The malware sends the model a natural-language prompt together with an XML dump of the current screen's UI hierarchy. Gemini replies with JSON instructions telling the malware how and where to interact with the interface, for example which element to tap or swipe in order to lock the malicious app in the "recent apps" list.

Because the coordinates are derived from whatever the screen currently shows, PromptSpy adapts to different device layouts, screen sizes and Android versions, sidestepping the limits of hardcoded scripts or fixed coordinates. It also stores previous prompts and responses and feeds them back to the model, which allows multi-step, context-aware automation and makes it more resilient to user attempts to close or uninstall it.
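The following is an added model of the loop described above; it is not PromptSpy's code and nothing in it comes from the malware's sources. The UI dump format is the one `uiautomator dump` produces (`class`, `text`, `content-desc`, `bounds` attributes), the prompt wording and the JSON action schema are invented, the package and labels in the sample dump are constructed, and the remote model call is replaced by a scripted stub so the script runs offline. The point it shows is the one in the paragraph: the model picks a target by element, and the client turns that into coordinates from the current dump, so the same logic works on any layout. It also shows the check a careful client would apply, refusing any reply that does not point at an element actually on the screen.

```python
"""Model of an LLM-driven UI automation loop (added example, not PromptSpy code)."""
import json
import re
import xml.etree.ElementTree as ET

# Constructed uiautomator-style dump of a "Recents" screen; not a real capture.
UI_DUMP_XML = """<hierarchy rotation="0">
  <node class="android.widget.FrameLayout" text="" bounds="[0,0][1080,2340]">
    <node class="android.widget.TextView" text="MorganArg" bounds="[100,600][980,680]"/>
    <node class="android.widget.ImageView" text="" content-desc="App options" bounds="[120,700][200,780]"/>
    <node class="android.widget.TextView" text="Lock" bounds="[300,800][500,880]"/>
  </node>
</hierarchy>"""

BOUNDS_RE = re.compile(r"\[(\d+),(\d+)\]\[(\d+),(\d+)\]")


def parse_nodes(xml_text):
    """Flatten the hierarchy into indexed targets with integer bounds."""
    nodes = []
    for node in ET.fromstring(xml_text).iter("node"):
        match = BOUNDS_RE.fullmatch(node.get("bounds", ""))
        if not match:
            continue  # skip nodes without usable geometry
        nodes.append({
            "index": len(nodes),
            "class": node.get("class", "").rsplit(".", 1)[-1],
            "label": node.get("text") or node.get("content-desc") or "",
            "bounds": tuple(int(v) for v in match.groups()),
        })
    return nodes


def centre(bounds):
    """Tap point for an element: the middle of its bounding box."""
    left, top, right, bottom = bounds
    return ((left + right) // 2, (top + bottom) // 2)


def build_prompt(goal, nodes, history):
    """Task text plus the screen description; earlier turns are replayed so the
    model can continue a multi-step task. The wording is an assumption."""
    lines = [
        f"Goal: {goal}",
        'Reply with JSON: {"action": "tap"|"swipe"|"done", '
        '"target": <node index>, "to": <node index, swipe only>}',
        "Visible elements:",
    ]
    lines += [f"  {n['index']}: {n['class']} '{n['label']}' bounds={n['bounds']}" for n in nodes]
    lines += [f"Previous response: {turn['response']}" for turn in history]
    return "\n".join(lines)


def resolve_action(response_text, nodes):
    """Turn the model's JSON into coordinates, rejecting anything that does not
    refer to an element on the current screen."""
    try:
        reply = json.loads(response_text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"model reply is not JSON: {exc}") from exc
    action = reply.get("action")
    if action == "done":
        return {"action": "done"}
    if action not in ("tap", "swipe"):
        raise ValueError(f"unknown action {action!r}")
    try:
        target = nodes[int(reply["target"])]
    except (KeyError, IndexError, TypeError, ValueError):
        raise ValueError("target index is not an element on this screen")
    step = {"action": action, "at": centre(target["bounds"]), "label": target["label"]}
    if action == "swipe":
        try:
            step["to"] = centre(nodes[int(reply["to"])]["bounds"])
        except (KeyError, IndexError, TypeError, ValueError):
            raise ValueError("swipe destination is not an element on this screen")
    return step


def run_task(goal, xml_text, model, max_steps=5):
    """dump -> prompt -> model -> action, carrying the prompt/response history.
    `model` is any callable from prompt text to reply text."""
    nodes = parse_nodes(xml_text)
    history, executed = [], []
    for _ in range(max_steps):
        prompt = build_prompt(goal, nodes, history)
        reply = model(prompt)
        history.append({"prompt": prompt, "response": reply})
        step = resolve_action(reply, nodes)
        if step["action"] == "done":
            break
        executed.append(step)  # a real client would inject the gesture here
    return executed


def canned_model(replies):
    """Offline stand-in for the remote LLM: returns scripted replies in order."""
    it = iter(replies)
    return lambda prompt: next(it)


# Scripted replies standing in for the model (constructed for this example).
SCRIPTED_REPLIES = [
    '{"action": "tap", "target": 2}',  # open the task's options menu
    '{"action": "tap", "target": 3}',  # choose "Lock"
    '{"action": "done"}',
]

if __name__ == "__main__":
    for step in run_task("Lock the MorganArg task in Recents", UI_DUMP_XML,
                         canned_model(SCRIPTED_REPLIES)):
        print(step)
```

Run on the sample dump, the loop resolves the two taps to (160, 740) and (400, 840); change the `bounds` attributes to simulate another device and the same scripted replies produce different coordinates, which is the layout independence the article describes.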

Advanced Surveillance and Control Features

While generative AI powers only its persistence mechanism, PromptSpy’s overall capabilities are extensive:

  • Remote Access: It deploys a built-in VNC module, granting attackers full remote control over the device.

  • Credential Theft: PromptSpy captures the lockscreen PIN, password or unlock pattern by recording the screen while the user unlocks the device.

  • Surveillance: The malware can take screenshots and record screen activity as video.

  • Device Info Harvesting: It collects device-specific information and reports app activity to its command-and-control server.

Communication with the command-and-control server is encrypted. The malware abuses Android's Accessibility Services both to read and act on whatever is on screen and to grant itself further permissions without user interaction.

Sophisticated Defense Evasion Techniques

To stay resident on an infected device, PromptSpy combines two tricks:

  • Blocking Uninstallation: It draws invisible views over buttons such as "Uninstall" or "Stop" in the Settings app, so taps meant for those buttons never reach them.

  • Persistence: The AI-powered interaction ensures the app remains locked in the recent apps list, even after device restarts.

The only effective removal method identified is rebooting the device into Safe Mode. Third-party apps do not run there, so neither the overlays nor the accessibility-driven interference are active, and the malicious app can be uninstalled like any other third-party app.
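Before rebooting into Safe Mode, a responder has to know which package to remove. The helper below is an added example, not from the page's sources or from the researchers; it parses the text printed by two real adb commands, `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of `package/service` entries, or `null`) and `adb shell pm list packages -3` (one `package:<name>` per line), and flags third-party packages that hold an enabled accessibility service. The sample outputs and the `com.example.*` package names are constructed, and the allow-list of known accessibility vendors is an assumption to be adapted per fleet.

```python
"""Triage: which third-party packages hold an enabled accessibility service?
Added example; adb output below is constructed, not from a real device."""

# Constructed output of: adb shell settings get secure enabled_accessibility_services
ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.morganarg/com.example.morganarg.AccessService"
)

# Constructed output of: adb shell pm list packages -3
THIRD_PARTY_PACKAGES = """package:com.example.messenger
package:com.example.morganarg
package:com.example.notes
"""

# Assumption: accessibility tools the organisation knowingly allows.
KNOWN_ACCESSIBILITY_VENDORS = {"com.google.android.marvin.talkback"}


def parse_enabled_services(setting_value):
    """Return (package, service) pairs; the setting reads 'null' when empty."""
    if not setting_value or setting_value.strip() == "null":
        return []
    pairs = []
    for entry in setting_value.strip().split(":"):
        if not entry:
            continue  # tolerate a trailing or doubled colon
        package, _, service = entry.partition("/")
        pairs.append((package, service))
    return pairs


def parse_package_list(pm_output):
    """Return the set of package names from `pm list packages` output."""
    return {
        line.split(":", 1)[1].strip()
        for line in pm_output.splitlines()
        if line.startswith("package:")
    }


def suspicious_accessibility_holders(setting_value, pm_output,
                                     allowlist=KNOWN_ACCESSIBILITY_VENDORS):
    """Third-party packages with an enabled accessibility service that are not
    on the allow-list: the candidates to uninstall once in Safe Mode."""
    third_party = parse_package_list(pm_output)
    holders = {pkg for pkg, _ in parse_enabled_services(setting_value)}
    return sorted(pkg for pkg in holders if pkg in third_party and pkg not in allowlist)


if __name__ == "__main__":
    for pkg in suspicious_accessibility_holders(ENABLED_SERVICES, THIRD_PARTY_PACKAGES):
        print(f"review and remove in Safe Mode: {pkg}")
```

On the constructed input only `com.example.morganarg` is reported: TalkBack is allow-listed, and the other third-party packages hold no accessibility service. The check is deliberately conservative; an app can also obtain elevated control through other means, so an empty result does not prove a device is clean.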

Distribution and Suspected Origins

Researchers have not yet observed PromptSpy in widespread attacks, but identified distribution methods suggest targeting users in Argentina. The malware is delivered via deceptive websites mimicking regional banks, asking users to install an app called “MorganArg.” Technical clues, like debug strings in Chinese, point to a likely development origin in a Chinese-speaking environment.

Implications for Mobile Security

PromptSpy's use of generative AI illustrates how quickly criminal tooling adopts new technology. By handing interface navigation to a model at runtime, its authors make the malware adapt to screens its developers never saw, which makes it both more portable and harder to dislodge. Analysts warn this could set a precedent for AI abuse in mobile malware, and it reinforces the basic advice: be cautious when installing apps from outside official stores, and treat any request for Accessibility Service access with suspicion.

Sources

  • PromptSpy Android Malware Abuses Gemini AI to Automate Recent-Apps Persistence, The Hacker News.

  • PromptSpy Android Malware Abuses Gemini AI at Runtime for Persistence, SecurityWeek.

  • PromptSpy ushers in the era of Android threats using GenAI, WeLiveSecurity.

  • PromptSpy Android Malware Abuses Gemini AI for Advanced Persistence, CXO Digitalpulse.

  • PromptSpy: First Android malware to use generative AI in its execution flow, Help Net Security.
