Cybersecurity experts have uncovered a new form of Android malware that exploits Google’s Gemini AI chatbot to establish and maintain its presence on devices. Known as PromptSpy, this malware employs advanced techniques to capture sensitive data and prevent its removal, making it a significant threat.
How PromptSpy Utilizes AI for Persistence
PromptSpy, identified by ESET researchers, leverages Gemini AI to analyze device screens and provide instructions to ensure its continued operation. This method prevents the malware from being easily closed or terminated by the system. By integrating AI into its processes, PromptSpy can adapt to various device configurations and operating systems, broadening its range of potential targets.
The malware hardcodes an AI model and prompts within its code, transforming Gemini into an ‘Android automation assistant.’ It sends a detailed XML dump of the current screen to Gemini, which responds with directions on actions to take, such as where and how to perform specific interactions. This process locks the malware into the recent apps list, making it persistent.
Technical Capabilities and Threats
PromptSpy’s primary function is to deploy a VNC module, allowing attackers remote access to infected devices. It exploits Android’s accessibility services to resist uninstallation and communicates with a command-and-control server using the VNC protocol. The malware can intercept lockscreen credentials, record screen activity, and communicate with a server to receive instructions and API keys.
Researchers observed that the malware’s language localization and distribution suggest a financial motivation, primarily targeting users in Argentina. Indications are that the malware was developed in a Chinese-speaking environment, as seen in debug strings written in simplified Chinese.
Distribution and Evolution of PromptSpy
PromptSpy is distributed through a dedicated website and has not been available on Google Play. It is considered an advanced iteration of a previously unknown malware called VNCSpy, with initial samples traced back to uploads from Hong Kong. The website “mgardownload[.]com” delivers a dropper that, upon installation, impersonates JPMorgan Chase, urging users to enable app installations from unknown sources.
According to ESET, the dropper contacts its server to fetch a configuration file, which includes a link to another APK presented as an update. However, the configuration server was found to be inaccessible during the investigation, leaving the specific download link undisclosed.
Implications and Future Outlook
This development highlights the increasing sophistication of malware, as threat actors incorporate AI to create adaptable and resilient threats. PromptSpy’s ability to avoid uninstallation through invisible overlays poses a unique challenge, with the only solution being rebooting the device into Safe Mode.
As ESET points out, PromptSpy exemplifies the evolving nature of Android malware, utilizing generative AI to navigate and manipulate on-screen elements across diverse devices and layouts. This capability marks a shift toward more dynamic and persistent cybersecurity threats.
