Security researchers at ESET have disclosed a novel Android malware, PromptSpy, which uniquely employs generative AI to maintain its presence on devices. This marks the first instance of such technology being used in Android malware, adding a sophisticated layer to its operational capabilities.
Malware Capabilities and Device Control
PromptSpy installs a VNC module on compromised Android devices, enabling attackers to remotely view and manipulate the device’s interface. The malware’s capabilities extend to gathering comprehensive device information, capturing lockscreen credentials, and recording screen activity to deduce unlock patterns. This breadth of data collection gives the malware extensive control over infected devices.
AI-Powered Persistence Mechanism
In a novel approach, PromptSpy employs Google’s Gemini AI chatbot to sustain its presence on devices. During runtime, the malware sends prompts to Gemini, accompanied by XML files that describe the screen’s UI elements. Gemini processes this data and returns JSON-based instructions on how to interact with the device, effectively adding the malware to the recent apps list. By abusing Android’s Accessibility Services, PromptSpy executes these interactions automatically, ensuring its persistence across reboots.
Obstruction of Malware Removal
PromptSpy further complicates its removal by using Accessibility Services to obstruct uninstall attempts. It overlays transparent blocks over critical screen elements, so that taps on controls such as ‘stop’, ‘end’, or ‘uninstall’ have no effect. This tactic forces users to reboot their devices into Safe Mode, which disables third-party apps, in order to remove the malware.
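One defensive triage heuristic for the overlay trick described above, as an added example that is not from ESET's report or the malware itself: it parses a UI hierarchy dump in the uiautomator XML format (the sample below is constructed, the package name is hypothetical, and it assumes the dump includes overlay windows drawn by other packages) and reports Settings controls whose on-screen bounds are covered by a clickable node belonging to a different package.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the uiautomator dump format. Assumption: the dump
# includes overlay windows owned by other packages. Here the Settings
# "Uninstall" and "Force stop" buttons are covered by a clickable, textless
# node from an unrelated package (hypothetical name).
SAMPLE_DUMP = """<hierarchy rotation="0">
  <node package="com.android.settings" class="android.widget.Button"
        text="Uninstall" clickable="true" bounds="[100,1600][500,1700]"/>
  <node package="com.android.settings" class="android.widget.Button"
        text="Force stop" clickable="true" bounds="[580,1600][980,1700]"/>
  <node package="com.android.settings" class="android.widget.TextView"
        text="Storage" clickable="false" bounds="[100,900][980,1000]"/>
  <node package="com.example.overlay" class="android.view.View"
        text="" clickable="true" bounds="[0,1550][1080,1750]"/>
</hierarchy>"""

BOUNDS_RE = re.compile(r"\[(\d+),(\d+)\]\[(\d+),(\d+)\]")
# Control labels a user taps to stop or remove an app.
SENSITIVE_LABELS = {"uninstall", "force stop", "stop", "end"}

def parse_bounds(text):
    """Turn '[x1,y1][x2,y2]' into an (x1, y1, x2, y2) tuple, or None."""
    m = BOUNDS_RE.fullmatch(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def overlaps(a, b):
    """True if two axis-aligned rectangles share any area."""
    return a[0] < b[2] and b[0] < a[2] and a[1] < b[3] and b[1] < a[3]

def find_covered_controls(dump_xml, host_package="com.android.settings"):
    """Return (label, covering_package) for each sensitive control of the
    host window that is overlapped by a clickable node of another package."""
    nodes = []
    for n in ET.fromstring(dump_xml).iter("node"):
        nodes.append((n.get("package", ""),
                      (n.get("text") or "").strip().lower(),
                      n.get("clickable") == "true",
                      parse_bounds(n.get("bounds", ""))))
    targets = [n for n in nodes
               if n[0] == host_package and n[1] in SENSITIVE_LABELS and n[3]]
    foreign = [n for n in nodes if n[0] != host_package and n[2] and n[3]]
    findings = []
    for t in targets:
        for f in foreign:
            if overlaps(t[3], f[3]):
                findings.append((t[1], f[0]))
    return findings

if __name__ == "__main__":
    for label, pkg in find_covered_controls(SAMPLE_DUMP):
        print(f"'{label}' control is covered by a clickable node from {pkg}")
```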
Although ESET has not observed widespread infections, the presence of a domain targeting users in Argentina suggests the malware may be distributed there. Researchers attribute the malware to developers in China with moderate confidence and have not linked it to any known threat actor.
PromptSpy’s emergence, although not yet widespread, underscores the evolving mobile threat landscape and the need for robust security measures. Continued vigilance and timely updates remain critical as developers and security experts work to counter such sophisticated threats.
