Cybersecurity researchers have unveiled a groundbreaking discovery in the realm of Android malware, identifying what they describe as the first instance of malicious software that exploits Gemini, Google’s generative artificial intelligence chatbot, to enhance its operational capabilities and ensure its persistence on infected devices. This malware, dubbed PromptSpy by ESET, is equipped with a suite of functionalities that allow it to capture lockscreen data, obstruct uninstallation attempts, gather device information, take screenshots, and even record screen activity in video format.
Innovative Use of Generative AI
According to ESET researcher Lukáš Štefanko, the integration of Gemini into the malware’s execution flow marks a significant evolution in the tactics employed by cybercriminals. “Gemini is used to analyze the current screen and provide PromptSpy with step-by-step instructions on how to ensure the malicious app remains pinned in the recent apps list, thus preventing it from being easily swiped away or killed by the system,” Štefanko noted in a report released today. This innovative approach allows the malware to adapt to various devices, layouts, and operating system versions, thereby broadening its potential victim pool.
The mechanism behind this sophisticated malware involves hard-coding the AI model and a prompt within the software, effectively assigning the AI the role of an “Android automation assistant.” It sends Gemini a natural language prompt along with an XML dump of the current screen, which details every UI element, including text, type, and precise positioning on the display. Gemini processes this information and returns JSON instructions that dictate the malware’s actions, such as where to tap on the screen. This multi-step interaction continues until the app is successfully entrenched in the recent apps list, rendering it difficult to terminate.
Remote Access and Evasion Techniques
The primary objective of PromptSpy is to deploy an integrated VNC module, granting attackers remote access to the victim’s device. Additionally, the malware leverages Android’s accessibility services to prevent uninstallation through the use of invisible overlays. Communication with a hard-coded command-and-control (C2) server, identified as “54.67.2[.]84,” occurs via the VNC protocol, facilitating a range of malicious activities.
Notably, the actions recommended by Gemini are executed through accessibility services, allowing the malware to manipulate the device without requiring user input. This communication with the C2 server enables the malware to obtain the Gemini API key, capture screenshots on demand, intercept lockscreen PINs or passwords, record screen activity, and document the pattern unlock screen as video.
Targeted Campaigns and Distribution Methods
Analysis of language localization and distribution methods indicates that this campaign is likely financially motivated, with a specific focus on users in Argentina. Intriguingly, evidence suggests that PromptSpy was developed within a Chinese-speaking environment, as indicated by debug strings written in simplified Chinese. “PromptSpy is distributed by a dedicated website and has never been available on Google Play,” Štefanko explained.
PromptSpy is considered an advanced iteration of a previously unidentified Android malware known as VNCSpy, with samples first appearing on the VirusTotal platform last month from Hong Kong. The distribution occurs through a website named “mgardownload[.]com,” which delivers a dropper that, once installed and launched, redirects users to a webpage hosted on “m-mgarg[.]com.” This page masquerades as JPMorgan Chase, using the name “MorganArg” to reference Morgan Argentina. The dropper instructs victims to grant permissions for installing apps from unknown sources to facilitate the deployment of PromptSpy.
During the research, it was noted that the configuration server was no longer accessible, leaving the exact download URL unknown. ESET remarked, “In the background, the Trojan contacts its server to request a configuration file, which includes a link to download another APK, presented to the victim, in Spanish, as an update.”
The Evolution of Malware
The emergence of PromptSpy exemplifies how threat actors are increasingly incorporating AI tools into their operations, making malware more dynamic and capable of automating actions that would typically pose challenges with traditional methods. By employing invisible overlays on the screen, PromptSpy effectively prevents uninstallation, compelling victims to reboot their devices into Safe Mode, where third-party applications can be disabled and removed.
“PromptSpy illustrates a concerning evolution in Android malware,” ESET stated. “By utilizing generative AI to interpret on-screen elements and determine interaction methods, the malware can adapt to virtually any device, screen size, or UI layout it encounters. Instead of relying on hardcoded taps, it simply provides AI with a snapshot of the screen and receives detailed, step-by-step interaction instructions in return, enhancing its persistence against UI changes.”
