PromptSpy Android Malware
Cybersecurity researchers have identified what is believed to be the first Android malware to weaponize Gemini, Google's generative artificial intelligence chatbot, as part of its operational workflow. The newly uncovered threat, dubbed PromptSpy, integrates AI-driven decision-making into its execution chain and persistence strategy.
PromptSpy is engineered with extensive surveillance and control capabilities. Its functionality includes harvesting lockscreen credentials, blocking uninstallation attempts, collecting detailed device information, capturing screenshots, and recording on-screen activity as video. The malware's primary objective is to deploy an embedded Virtual Network Computing (VNC) module, granting attackers remote access to compromised devices.
AI as an Automation Engine: How Gemini Enables Persistence
Unlike traditional Android malware that relies on predefined user interface (UI) navigation paths, PromptSpy leverages generative AI to dynamically interpret and interact with device screens. By embedding a hard-coded AI model and prompt, the malware assigns the AI agent the role of an 'Android automation assistant.'
The infection process involves transmitting a natural language prompt to Gemini alongside an XML dump of the current screen. This XML file contains granular data on each UI component, including text labels, element types, and exact on-screen coordinates. Gemini processes the input and returns structured JSON instructions directing the malware on what actions to perform, such as tapping specific UI elements, and where to execute them.
This multi-step AI-guided interaction continues until the malicious application is successfully pinned in the recent apps list. By remaining locked in this state, the app resists being swiped away or terminated by the operating system, thereby achieving persistence. The use of AI eliminates reliance on hardcoded tap sequences, allowing the malware to adapt seamlessly to different devices, layouts, and Android versions, significantly expanding its potential victim base.
Accessibility Abuse and Remote Control Infrastructure
PromptSpy exploits Android's accessibility services to execute AI-generated instructions without user interaction. Through these services, it can manipulate the device interface programmatically while remaining concealed.
Its operational capabilities include:
- Intercepting lockscreen PINs, passwords, and pattern unlock inputs
- Capturing screenshots and recording screen activity on demand
- Blocking removal attempts by overlaying invisible UI elements
- Establishing remote access via an embedded VNC module
The malware communicates with a hard-coded Command-and-Control (C2) server at '54.67.2.84' using the VNC protocol. It also retrieves the Gemini API key from this server, enabling continued AI-driven operations. Invisible overlays are used to obstruct user attempts to uninstall the app, effectively trapping victims unless specific remediation steps are taken.
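A device triage check for the accessibility abuse described above, added here as an example and not taken from the original report: it cross-references the enabled accessibility services with third-party packages and their installer, since PromptSpy arrives by sideloading rather than through Google Play. The adb output, the package names and the trusted-installer list are constructed assumptions.

```python
import re

# Constructed sample output of:
#   adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/.TalkBackService"
    ":com.example.updater/.core.ScreenService"
    ":com.example.passmgr/com.example.passmgr.AutofillA11yService"
)
# Constructed sample output of: adb shell pm list packages -3 -i
SAMPLE_PACKAGES = """\
package:com.example.updater  installer=null
package:com.example.passmgr  installer=com.android.vending
package:com.example.notes  installer=com.android.vending
"""
# Assumption: only Google Play counts as a trusted installer in this check.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_a11y_services(raw):
    """Map package name -> list of enabled accessibility service classes."""
    services = {}
    if raw.strip() in ("", "null"):  # setting is empty or unset
        return services
    for component in raw.strip().split(":"):
        pkg, _, cls = component.strip().partition("/")
        if pkg:
            services.setdefault(pkg, []).append(cls)
    return services


def parse_third_party(raw):
    """Map third-party package name -> installer (None when not recorded)."""
    packages = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)(?:\s+installer=(\S+))?", line.strip())
        if m:
            packages[m.group(1)] = None if m.group(2) in (None, "null") else m.group(2)
    return packages


def triage(a11y_raw, packages_raw):
    """Return (package, services, severity) for third-party accessibility holders."""
    third_party = parse_third_party(packages_raw)
    findings = []
    for pkg, classes in sorted(parse_a11y_services(a11y_raw).items()):
        if pkg in third_party:  # preinstalled packages are out of scope here
            sideloaded = third_party[pkg] not in TRUSTED_INSTALLERS
            findings.append((pkg, classes, "HIGH" if sideloaded else "REVIEW"))
    return findings
```

A `HIGH` finding is a third-party app that holds an accessibility service and was not installed by a trusted store; a `REVIEW` finding still deserves a look, because a store-installed app can also misuse the service.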
Infection Chain and Social Engineering Tactics
PromptSpy is not distributed via official app marketplaces such as Google Play. Instead, it is delivered through a dedicated malicious website, 'mgardownload(dot)com,' which provides a dropper application. Once installed and executed, the dropper redirects victims to another site, 'm-mgarg(dot)com.'
The operation masquerades as JPMorgan Chase under the name 'MorganArg,' referencing Morgan Argentina. Victims are socially engineered into granting permission to install applications from unknown sources. Afterward, the dropper contacts its server to retrieve a configuration file containing a link to download an additional APK file, presented in Spanish as a legitimate update. During subsequent analysis, the configuration server was found to be offline, leaving the exact payload URL undetermined.
PromptSpy is considered an advanced evolution of a previously undocumented Android threat known as VNCSpy.
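A network-side check for the indicators named in this write-up (the C2 address and the two distribution domains), added here as an example and not part of the original report: it refangs the domains at run time and matches them, with their subdomains, against DNS and flow records. The log layout and every log line are constructed assumptions.

```python
import re

# Indicators exactly as the write-up gives them (domains are defanged there).
REPORTED_DOMAINS = ["mgardownload(dot)com", "m-mgarg(dot)com"]
REPORTED_C2_IPS = ["54.67.2.84"]

# Constructed sample lines; the "time client kind value" layout is an assumption.
SAMPLE_LOG = """\
2026-01-10T09:00:01Z 10.0.0.21 dns www.mgardownload.com.
2026-01-10T09:00:05Z 10.0.0.21 dns M-MGARG.com
2026-01-10T09:00:09Z 10.0.0.34 dns notm-mgarg.com
2026-01-10T09:00:12Z 10.0.0.34 dns m-mgarg.com.cdn.example
2026-01-10T09:01:40Z 10.0.0.21 flow 54.67.2.84
2026-01-10T09:01:44Z 10.0.0.55 flow 154.67.2.84
"""


def refang(indicator):
    """Turn 'name(dot)com' or 'name[.]com' back into a plain lowercase name."""
    return re.sub(r"\(dot\)|\[\.\]|\[dot\]", ".", indicator, flags=re.I).lower()


DOMAINS = {refang(d) for d in REPORTED_DOMAINS}
C2_IPS = set(REPORTED_C2_IPS)


def domain_hit(name):
    """Match an indicator or any of its subdomains, never a look-alike name."""
    name = name.lower().rstrip(".")  # DNS names are case-insensitive
    return next((d for d in DOMAINS if name == d or name.endswith("." + d)), None)


def scan(log_text):
    """Return (client, indicator) pairs for records touching a reported indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _, client, kind, value = fields
        if kind == "dns":
            hit = domain_hit(value)
        else:  # flow record: exact match on the destination address
            hit = value if value in C2_IPS else None
        if hit:
            hits.append((client, hit))
    return hits
```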
Attribution Clues and Targeting Patterns
Analysis of language artifacts and distribution mechanisms suggests that the campaign is financially motivated and primarily targets users in Argentina. However, technical indicators reveal that the malware was likely developed in a Chinese-speaking environment, as evidenced by debug strings written in simplified Chinese embedded within the codebase.
Removal Challenges and Defensive Implications
Due to the malware's use of invisible overlays and accessibility abuse, conventional uninstallation methods are ineffective. The only reliable remediation approach involves rebooting the device into Safe Mode, where third-party applications are disabled, allowing PromptSpy to be removed.
The emergence of PromptSpy underscores a significant evolution in Android malware design. By leveraging generative AI to interpret on-screen elements and determine interaction strategies dynamically, threat actors gain a level of adaptability previously unattainable with static automation scripts. Instead of relying on rigid, hardcoded interaction paths, the malware simply provides the AI with a screen snapshot and receives precise, step-by-step instructions in return.
This development signals a shift toward more autonomous, resilient, and device-agnostic mobile threats, marking a concerning milestone in the convergence of artificial intelligence and cybercrime.