PromptSpy Android Malware Exploits Gemini AI to Maintain Persistence on Infected Devices

This Android Malware Connects to Google Gemini for Tips on Hacking Targets

Security researchers have uncovered an Android malware that connects to Google's Gemini chatbot to help it persist on an infected device. The malware appears to be targeting users in Argentina, and there are signs that a hacker in China developed its code, according to antivirus provider ESET. "We discovered the first known Android malware to abuse generative AI in its execution flow," adds ESET researcher Lukas Stefanko. The malware has been dubbed "PromptSpy" because it sends predefined prompts to Gemini's API, ultimately installing a module that allows hacker-enabled remote access to the Android device. ESET says the Gemini component of the malware is relatively minor, but it performs an important function by leveraging Google's chatbot tech to interpret the user interface on an infected Android device. "Specifically, Gemini is used to analyze the current screen and provide PromptSpy with step-by-step instructions on how to ensure the malicious app remains pinned in the recent apps list, thus preventing it from being easily swiped away or killed by the system," ESET wrote in the report. "Since Android malware often relies on UI navigation, leveraging generative AI enables the threat actors to adapt to more or less any device, layout, or OS version, which can greatly expand the pool of potential victims." The company traced the malware to a phishing site at "m-mgarg[.]com," which appeared to be delivering PromptSpy through a related domain "mgardownload[.]com." Both domains were found offline. However, ESET spotted evidence that sites were dressed up to impersonate the JPMorgan Chase Argentina banking brand. "The malware uses similar branding, with the app name MorganArg and the icon inspired by Chase Bank," the company added. " MorganArg, likely a shorthand for 'Morgan Argentina,' also appears as the name of the cached website, suggesting a regional targeting focus." ESET discovered PromptSpy after samples of the malware were uploaded from Argentina to Google's malware-checking service, VirusTotal, earlier this month. The first stage of the attack prompts the user to grant permission to install the malicious app MorganArg. If permission is granted, the attack will then contact a hacker-controlled server to install the remaining malware. This includes a Virtual Networking Computing module while requesting Accessibility Service permissions, enabling the hacker's remote access to the Android device. "This allows the malware operators to see everything happening on the device, and to perform taps, swipes, gestures, and text input as though they were physically holding the phone," ESET says, noting the malware can also intercept the lockscreen PIN and record the user's screen. Removing the malware is difficult. PromptSpy has been designed to overlay "transparent rectangles on specific screen areas" that are invisible to the user and can block taps on the uninstall and force stop functions to shut down the MorganArg app. "The only way for a victim to remove it is to reboot the device into Safe Mode, where third‑party apps are disabled and can be uninstalled normally," ESET said. The computer code for PromptSpy also contains Chinese language, suggesting a hacker from China was behind its creation. "It should be noted that we haven't yet seen any samples of the PromptSpy dropper or its payload in our telemetry, which might indicate that both of them are just proofs of concept," ESET said. Still, the phishing site m-mgarg[.]com suggests that PromptSpy may already have been targeting select users in Argentina. PromptSpy is the latest malware attack to harness generative AI. In November, Google warned about two Windows-based malware strains dubbed "Promptflux" and "Promptsteal" that will also connect to generative AI models to execute instructions. In addition, Anthropic recently discovered hackers using its Claude AI chatbot to help plan large-scale data extortion campaigns and to develop ransomware. ESET adds that it never found the PromptSpy malware on the Google Play Store. "As an App Defense Alliance partner, we nevertheless shared our findings with Google. Android users are automatically protected against known versions of this malware by Google Play Protect, which is enabled by default on Android devices with Google Play Services." Google didn't immediately respond to a request for comment. But the company has likely revoked the malware's access to Gemini.

Android malware taps Gemini to navigate infected devices

Cybersecurity researchers say they've spotted the first Android malware strain that uses generative AI to improve performance once installed. But it may be only a proof of concept. ESET calls it PromptSpy, malware whose primary goal is to deploy a VNC module that hands hackers remote control of infected devices. The Slovak security shop's experts said PromptSpy comes with capabilities to instruct Google's Gemini chatbot to interpret parts of the device's user interface using natural language prompts. These prompts allow the malware to examine the user interface, which then informs the gestures it needs to execute on the device in order to keep the malicious app pinned to its recent apps list. Lukas Stefanko, malware researcher at ESET, said the use of GenAI amounts to only a small portion of the malware's toolkit, but allows it to adapt to different devices. "The AI model and prompt are predefined in the code and cannot be changed," he wrote. "Since Android malware often relies on UI navigation, leveraging generative AI enables the threat actors to adapt to more or less any device, layout, or OS version, which can greatly expand the pool of potential victims." Android malware usually relies on taps, coordinates, and UI selectors to execute tasks, but these have a tendency to break when running on different devices, which makes the use of Gemini a clever way to bypass this common issue. PromptSpy submits a natural language prompt to Gemini, together with an XML dump of the device's current screen, and the chatbot returns JSON instructions for what action to perform and where to perform it to keep the app pinned in the user's recents list. This process repeats until Gemini tells PromptSpy that the app is in position. ESET found versions of PromptSpy uploaded to VirusTotal in January, with the Gemini-assisted strains submitted from Argentina. Analysis of the app's code suggests it was developed by Chinese speakers to assist financially motivated cybercriminals. Stefanko said PromptSpy has not yet appeared in any of ESET's telemetry findings, suggesting it remains a proof of concept. However, the team found what appears to be a distribution domain, which could suggest it is being used to support real-world attacks. The domains ESET investigated are now offline, but cached versions revealed they were likely trying to imitate a Chase Bank website. PromptSpy is not on the Google Play Store, and given Google's recent clampdown on sideloading apps, it's unclear how the attackers planned to get the app loaded onto devices. Once installed, the app can intercept lockscreen PINs or passwords, capture the pattern unlock screen as a video, record the screen and user's gestures, and take screenshots in addition to the Gemini interactions. It also works to prevent the user from uninstalling the app or force-quitting it by placing transparent boxes over screen elements. The boxes are invisible to the user, who would press the button's location on the screen, only for nothing to happen. The only way to uninstall it is to reboot the device in safe mode, where third-party apps are blocked, and then go through the usual uninstall routine. "PromptSpy shows that Android malware is beginning to evolve in a sinister way," said Stefanko. "By relying on generative AI to interpret on‑screen elements and decide how to interact with them, the malware can adapt to virtually any device, screen size, or UI layout it encounters. "More broadly, this campaign shows how generative AI can make malware far more dynamic and capable of real‑time decision‑making. PromptSpy is an early example of generative AI‑powered Android malware, and it illustrates how quickly attackers are beginning to misuse AI tools to improve impact." The finding follows ESET's work to unearth PromptLock, which it says is the first AI-powered ransomware payload. As revealed in an interview with The Register, PromptLock's code was uploaded by the developers to VirusTotal, only to check if it would get past modern defense mechanisms. A team of engineers at New York University worked up the code as part of a research project they hoped would land them a speaking spot at security conferences. The binary stayed in VirusTotal for some time before ESET found it. Bemused when the news reports circulated following ESET's blog post outlining PromptLock, the NYU students contacted the Slovak security company to say that the malware was just a proof of concept. Md Raz, one of the students and doctoral candidates behind PromptLock, "couldn't believe it" when he realized that people were writing about his work. After receiving Raz et al's message, ESET updated a Xeet to note that its finding was a mere research project, one that wouldn't function outside of a lab. "This supports our belief that it was a proof of concept rather than fully operational malware deployed in the wild," the company said. "Nonetheless, our findings remain valid - the discovered samples represent the first known case of AI-powered ransomware." ®

PromptSpy Android Malware Abuses Gemini AI to Automate Recent-Apps Persistence

Cybersecurity researchers have discovered what they say is the first Android malware that abuses Gemini, Google's generative artificial intelligence (AI) chatbot, as part of its execution flow and achieves persistence. The malware has been codenamed PromptSpy by ESET. The malware is equipped to capture lockscreen data, block uninstallation efforts, gather device information, take screenshots, and record screen activity as video. "Gemini is used to analyze the current screen and provide PromptSpy with step-by-step instructions on how to ensure the malicious app remains pinned in the recent apps list, thus preventing it from being easily swiped away or killed by the system," ESET researcher Lukáš Štefanko said in a report published today. "Since Android malware often relies on UI navigation, leveraging generative AI enables the threat actors to adapt to more or less any device, layout, or OS version, which can greatly expand the pool of potential victims." Specifically, this involves hard-coding the AI model and a prompt in the malware, assigning the AI agent the persona of an "Android automation assistant." It sends Gemini a natural language prompt along with an XML dump of the current screen that gives detailed information about every UI element, including its text, type, and exact position on the display. Gemini then processes this information and responds with JSON instructions that tell the malware what action to perform (e.g., a tap) and where to perform it. The multi-step interaction continues until the app is successfully locked in the recent apps list and cannot be terminated. The main goal of PromptSpy is to deploy a built-in VNC module that grants the attackers remote access to the victim's device. The malware is also designed to take advantage of Android's accessibility services to prevent it from being uninstalled using invisible overlays. It communicates with a hard-coded command-and-control (C2) server ("54.67.2[.]84") via the VNC protocol. It's worth noting that the actions suggested by Gemini are executed through accessibility services, allowing the malware to interact with the device without user input. All of this is accomplished by communicating with the C2 server to receive the Gemini API key, take screenshots on demand, intercept lockscreen PIN or password, record screen, and capture the pattern unlock screen as a video. An analysis of the language localization clues and the distribution vectors used suggests that the campaign is likely financially motivated and targets users in Argentina. Interestingly, evidence shows that PromptSpy was developed in a Chinese‑speaking environment, as indicated by the presence of debug strings written in simplified Chinese. "PromptSpy is distributed by a dedicated website and has never been available on Google Play," Štefanko said. PromptSpy is assessed to be an advanced version of another previously unknown Android malware called VNCSpy, samples of which were first uploaded to the VirusTotal platform last month from Hong Kong. The website, "mgardownload[.]com," is used to deliver a dropper, which, when installed and launched, opens a web page hosted on "m-mgarg[.]com." It masquerades as JPMorgan Chase, going by the name "MorganArg" in reference to Morgan Argentina. The dropper also instructs victims to grant it permissions to install apps from unknown sources to deploy PromptSpy. "In the background, the Trojan contacts its server to request a configuration file, which includes a link to download another APK, presented to the victim, in Spanish, as an update," ESET said. "During our research, the configuration server was no longer accessible, so the exact download URL remains unknown." The findings illustrate how threat actors are incorporating AI tools into their operations and make malware more dynamic, giving them ways to automate actions that would otherwise be more challenging with conventional approaches. Because PromptSpy prevents itself from being uninstalled by overlaying invisible elements on the screen, the only way for a victim to remove it is to reboot the device into Safe Mode, where third‑party apps are disabled and can be uninstalled. "PromptSpy shows that Android malware is beginning to evolve in a sinister way," ESET said. "By relying on generative AI to interpret on‑screen elements and decide how to interact with them, the malware can adapt to virtually any device, screen size, or UI layout it encounters." "Instead of hardcoded taps, it simply hands AI a snapshot of the screen and receives precise, step‑by‑step interaction instructions in return, helping it achieve a persistence technique resistant to UI changes."