ESET researchers have uncovered PromptSpy, the first known Android malware to integrate Google Gemini generative AI directly into its operational core, enabling real‑time adaptation to device interfaces and sophisticated persistence mechanisms. The Trojan captures lock screen credentials, blocks uninstallation attempts, gathers device intelligence, screenshots on demand, records screen activity as video, and establishes VNC remote access for attacker control. Distributed via dedicated websites masquerading as legitimate financial services, PromptSpy represents a significant evolution in mobile malware sophistication.
Gemini‑Powered Screen Analysis and Automation
PromptSpy embeds Gemini API calls and persona prompts defining the model as an “Android automation assistant.” The malware captures current screen as XML dumps detailing every UI element’s text, type, and coordinates, transmitting them alongside natural language requests. Gemini processes inputs and returns structured JSON instructions specifying actions (taps/swipes) and precise locations, executed through Android accessibility services simulating user interactions without manual input.
This multi‑step dialogue continues until the app locks into recent apps list, resisting system swipes or kills via invisible overlays. ESET malware researcher Lukáš Štefanko highlighted how GenAI replaces rigid hardcoded coordinates with dynamic visual interpretation, adapting seamlessly across devices, screen sizes, OS versions, and layouts—capabilities unattainable through traditional scripting.
Distribution Chain and Attribution Indicators
PromptSpy circulates exclusively through phishing sites like mgardownoad[.]com delivering droppers. Victims granting unknown sources installation permission encounter m-mgarg[.]com impersonating JPMorgan Chase (“MorganArg,” referencing Morgan Argentina). Background C2 fetches configuration including secondary APK disguised as updates. Language localisation and Argentina targeting suggest financial motivation; simplified Chinese debug strings indicate Chinese‑speaking developers. Predecessor VNCSpy samples appeared on VirusTotal from Hong Kong last month.
Post‑persistence, hardcoded C2 at 54.67.2[.]84 manages VNC sessions, API key delivery, screenshot/lockscreen PIN interception, pattern unlock video capture.
Implications for Android Security Landscape
PromptSpy exemplifies threat actors co‑opting legitimate GenAI for operational automation, automating UI navigation historically requiring extensive device‑specific reverse engineering. Accessibility service abuse combined with AI‑driven decisioning creates resilient persistence challenging conventional behavioural detection. Victim remediation demands Safe Mode reboot disabling third‑party apps for uninstallation.
The discovery signals accelerating malware innovation leveraging commercial AI APIs, potentially proliferating across platforms as models commoditise and instruction‑following capabilities mature.
