First Android Malware Using Generative AI Discovered

Cybersecurity firm ESET discovered PromptSpy, the first known Android malware to use generative AI in its execution. The malware abuses Google's Gemini model to guide malicious user interface manipulations and achieve persistence on a device. The technique, which involves prompting an AI to control the UI, allows the malware to capture lockscreen data and block uninstallation.

- PromptSpy feeds a natural-language prompt and an XML dump of the current screen to Google's Gemini, which then returns structured JSON instructions for the malware to execute gestures like taps and swipes, overcoming variations in device UIs.
- The malware's primary function is to deploy a Virtual Network Computing (VNC) module, giving attackers remote interactive access to the device to capture PINs, record screen activity, and upload installed app lists.
- While this is the first documented use of generative AI in Android malware execution, a previous threat, Android.Phantom, used TensorFlow machine learning models to analyze screenshots for ad fraud.
- This attack is a practical example of agentic AI risks outlined by security researchers, where an autonomous system uses an external tool (the Gemini API) to execute a multi-step plan, a threat vector OWASP identifies as a top concern.
- Based on language localization and distribution vectors, the campaign appears to be financially motivated and has primarily targeted users in Argentina, though its limited detection in telemetry suggests it may still be a proof-of-concept.
- The incident highlights an emerging identity management challenge; a recent Okta survey found that only 10% of organizations have a well-developed strategy for managing the non-human and agentic identities that AI systems introduce.
- This new threat underscores the importance of AI governance frameworks like the NIST AI Risk Management Framework (AI RMF) and ISO 42001, which provide structured approaches for managing risks associated with dual-use AI capabilities.
- To block removal, PromptSpy abuses Accessibility Services to overlay invisible rectangles over buttons containing terms like "uninstall," intercepting user taps and preventing the uninstallation process from completing.
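
The uninstall blocking described above depends on an enabled Accessibility Service, so one defender-side check is to list which packages hold that grant and where they were installed from. The following is an added example, not code from ESET or the original page; the Play Store-only trust list, the package names and the sample command output are assumptions constructed for illustration.

```python
# Triage Accessibility Service grants from two captured adb outputs:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Play Store installs are trusted

# Constructed sample output (hypothetical package names).
SAMPLE_SERVICES = "com.example.screenreader/com.example.screenreader.ReaderService:com.example.updater/.CoreService"
SAMPLE_PACKAGES = """package:com.example.screenreader  installer=com.android.vending
package:com.example.updater  installer=null
"""


def parse_enabled_services(raw):
    """Map package -> service classes from the colon-separated component list."""
    services = {}
    for component in raw.strip().split(":"):
        pkg, _, cls = component.strip().partition("/")
        if not pkg or not cls:  # skips an empty setting and the literal "null"
            continue
        if cls.startswith("."):  # expand the short form "pkg/.Class"
            cls = pkg + cls
        services.setdefault(pkg, []).append(cls)
    return services


def parse_installers(raw):
    """Map package -> installer package (None when the device reports null)."""
    installers = {}
    for line in raw.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        installer = None
        for field in fields[1:]:
            if field.startswith("installer=") and field != "installer=null":
                installer = field.split("=", 1)[1]
        installers[fields[0][len("package:"):]] = installer
    return installers


def flag_accessibility_grants(services_raw, packages_raw, allowlist=frozenset()):
    """Return (package, installer, classes) for grants held by untrusted installs."""
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, classes in sorted(parse_enabled_services(services_raw).items()):
        installer = installers.get(pkg)
        if pkg not in allowlist and installer not in TRUSTED_INSTALLERS:
            findings.append((pkg, installer or "unknown", classes))
    return findings
```

A flagged package is a lead for review rather than a verdict; the `allowlist` parameter is for accessibility tools an organization deploys itself.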
