Android Malware 'PromptSpy' Uses Generative AI for Attacks

- PromptSpy's primary function is to deploy a Virtual Network Computing (VNC) module, granting attackers remote access to view the device's screen and perform actions. Beyond its use of AI, the malware can capture lockscreen data, record screen activity, take screenshots, and use invisible overlays to prevent uninstallation. - The malware utilizes Google's Gemini model specifically to achieve persistence on an infected device. It sends a prompt to Gemini along with an XML file of the screen's UI elements, and Gemini returns JSON instructions on how to perform the specific gesture needed to "pin" the app in the recent apps list, preventing it from being easily closed. - This use of generative AI allows the malware to adapt to various Android devices, screen layouts, and OS versions, which would typically break malware reliant on hardcoded UI navigation. The AI model and the prompt it receives are predefined within the malware's code and cannot be altered remotely. - ESET researchers have not yet observed PromptSpy in their telemetry, suggesting it might be a proof-of-concept. However, evidence such as a potential distribution domain impersonating Chase Bank suggests it may have been deployed in targeted attacks. - Based on language clues in the code and distribution vectors, the campaign is believed to be financially motivated and primarily targeting users in Argentina. ESET assesses with medium confidence that the malware was created by Chinese-speaking developers. - PromptSpy is the second AI-powered malware discovered by ESET, following the AI-driven ransomware "PromptLock" found in August 2025. While other malware has used machine learning, PromptSpy is the first known instance of generative AI being used for live UI manipulation in an Android threat. - To remove PromptSpy, a user must reboot their device into Safe Mode. This disables third-party apps, allowing the user to uninstall the malicious application without interference from the malware's uninstallation-blocking overlays. - The malware communicates with a hardcoded command-and-control server at the IP address 54.67.2[.]84 using the VNC protocol with AES encryption. Through this channel, attackers can receive a Gemini API key, upload the list of installed apps, and intercept lockscreen credentials.