- PromptSpy malware uses Gemini to automate its persistence
- The malware blocks removal through an AI-driven interface check
- Gemini interprets screen data and returns actionable gestures
Security experts have revealed new findings on PromptSpy, an Android malware whose code contains a predefined prompt and AI configuration that is hard-coded and cannot be changed at runtime.
The malware uses Google’s Gemini to interpret elements on the screen and provide step-by-step instructions for interacting with the user interface.
By sending XML snapshots of the device’s screen to Gemini, PromptSpy receives precise gestures, taps, and swipes needed to keep its app pinned to the recent apps list.
Persistence through AI-driven interface interaction
New information from researchers at ESET describes this as the first known instance of Android malware that uses generative AI in its execution flow.
PromptSpy’s infection chain begins with a dropper program that mimics a legitimate update in Spanish and prompts users to install the app.
Once installed, the payload requests Accessibility Service permissions, which allow the malware to capture detailed UI information and perform automated interactions.
Using this data, PromptSpy continuously communicates with Gemini, sending XML snapshots of the screen and receiving step-by-step instructions to lock itself into the recent apps list.
Transparent overlays on uninstall or stop buttons prevent normal removal and require users to enter safe mode to uninstall the app.
The malware also includes a VNC module that allows operators to remotely monitor devices and interact with the interface, letting them intercept lock screen credentials, record user movements, take screenshots, and record video of device activity.
Communication with the command-and-control server is encrypted using AES, which allows the malware to receive Gemini API keys securely.
Part of the code uses generative AI to interpret UI scenarios and provide step-by-step instructions to maintain persistence.
The localization details of this malware indicate that PromptSpy was developed in a Chinese-speaking environment – however, its distribution appears to have targeted Spanish-speaking users living in South America, specifically Argentina.
The malware is not available on Google Play, but Google Play Protect provides protection against known versions.
PromptSpy requests Accessibility Service permissions, captures device UI context, and performs actions in the background without user input.
It locks itself into the recent apps list using AI instructions from Gemini and overlays transparent elements on uninstall buttons to block malware removal.
The malware’s network communications can interact with firewalls when the malware connects to its hardcoded command-and-control server.
The dropper application uses a fake update screen in Spanish to ask for the installation of the payload.
Once launched, PromptSpy communicates with its hardcoded command-and-control server to receive instructions, including Gemini API keys.
The malware captures XML snapshots of the device’s screen and sends them to Gemini, which returns JSON-formatted instructions that the malware executes to ensure persistence.
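The behaviour described above implies a recognisable permission profile in the app's manifest: an Accessibility Service (to capture UI context and perform gestures), an overlay capability (transparent elements over uninstall buttons), and network access (to reach the command-and-control server and Gemini). The following static triage check is an added example written for this article and is not code from ESET or from the malware; the manifests it parses are constructed, and the permission names `BIND_ACCESSIBILITY_SERVICE`, `SYSTEM_ALERT_WINDOW` and `INTERNET` are standard Android identifiers that the article itself does not mention.

```python
"""Static triage of an Android manifest for the permission combination
that the described PromptSpy behaviour implies.

Added example, not taken from the article, ESET or the malware. The
manifests below are constructed. The permission names are standard
Android identifiers (assumed here; the article does not name them).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
INTERNET = "android.permission.INTERNET"

# Constructed manifest shaped like a fake "update" app that declares an
# accessibility service, an overlay permission and network access.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Actualizacion">
    <service android:name=".UiService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
             android:exported="false">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed manifest of an ordinary networked app for comparison.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text: str) -> dict:
    """Return which of the three capabilities the manifest declares and a
    coarse risk label. An accessibility service is declared by a <service>
    guarded by BIND_ACCESSIBILITY_SERVICE; the other two are plain
    <uses-permission> entries."""
    root = ET.fromstring(xml_text)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    has_a11y = any(_attr(s, "permission") == A11Y_BIND
                   for s in root.iter("service"))
    has_overlay = OVERLAY in perms
    has_internet = INTERNET in perms

    # All three together match the persistence-and-blocking pattern the
    # article describes; accessibility plus either other capability is
    # still worth a closer look. Legitimate screen readers and password
    # managers also declare accessibility services, so this is a triage
    # signal rather than a verdict.
    if has_a11y and has_overlay and has_internet:
        risk = "high"
    elif has_a11y and (has_overlay or has_internet):
        risk = "medium"
    else:
        risk = "low"

    return {
        "package": root.get("package"),
        "accessibility_service": has_a11y,
        "overlay": has_overlay,
        "internet": has_internet,
        "risk": risk,
    }


if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
```

In practice the manifest comes from the decoded APK (binary AXML must be converted to text first); the check is cheap enough to run across an entire app inventory, and a "high" result is a reason to inspect the accessibility service's behaviour and the app's network destinations, not proof of compromise.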