- PromptSpy malware uses Gemini to automate its persistence
- Malware blocks deletion via AI-guided interface control
- Gemini interprets screen data and returns actionable gestures
Security researchers have published new findings about PromptSpy, an Android malware that ships with a predefined prompt and a hard-coded AI configuration, neither of which can be changed at runtime.
The malware uses Google’s Gemini to interpret on-screen elements and provide step-by-step instructions for interacting with the user interface.
By sending XML snapshots of the device screen to Gemini, PromptSpy receives the precise gestures, taps and swipes needed to keep its app pinned in the recent apps list.
Persistence through AI-guided interface interaction
New information from ESET researchers shows that this is the first known instance of Android malware using generative AI in its execution flow.
PromptSpy’s infection chain begins with a dropper app that imitates a legitimate Spanish-language update screen and urges the user to install the payload.
Once installed, the payload requests Accessibility Service permissions, which allow the malware to capture detailed user interface information and perform automated interactions.
Using this data, PromptSpy constantly communicates with Gemini, sending XML snapshots of the screen and receiving step-by-step instructions for locking into the recent apps list.
Transparent overlays placed over the uninstall and stop buttons prevent normal removal, so users have to boot into safe mode to uninstall the app.
The malware also contains a VNC module that allows operators to remotely monitor devices and interact with the interface, in order to intercept lock screen credentials, record user gestures, take screenshots, and capture video of device activity.
Communication with the command and control server is AES-encrypted, and it is over this channel that the malware receives the Gemini API keys it uses.
Some of the code uses generative AI to interpret user interface scenarios and provide step-by-step instructions for maintaining persistence.
Localization details in the malware indicate that PromptSpy was developed in a Chinese-language environment. Its distribution, however, appears to have targeted Spanish-speaking users in South America, particularly Argentina.
PromptSpy was not found on Google Play, and Google Play Protect detects the known versions.
PromptSpy requests Accessibility Service permissions, captures device UI context, and performs actions in the background without user intervention.
It locks into the recent apps list using instructions from Gemini’s AI and overlays transparent elements on uninstall buttons to block malware removal.
Its network traffic to the hardcoded command and control server is visible to, and can be blocked by, network firewalls.
The dropper app uses a fake update screen in Spanish to request the installation of the payload.
Once launched, PromptSpy communicates with its hardcoded command and control server to receive instructions, including Gemini API keys.
The malware captures XML snapshots of the device screen and sends them to Gemini, which returns instructions in JSON format that the malware executes to ensure persistence.
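The two mechanics described above, the XML screen snapshot that goes to the model and the JSON gesture list that comes back, and the transparent overlay parked over the Uninstall button, can both be examined from the same artefact: a UI hierarchy dump. The following script is an added example written for this article, not code from PromptSpy or from ESET. It assumes a uiautomator-style XML dump (the `node` elements with `package`, `text` and `bounds` attributes that `adb shell uiautomator dump` produces), a hypothetical second package name `com.example.dropper` for the overlay, and an assumed JSON action schema of `tap` and `swipe` entries in screen pixels; the real PromptSpy response format is not published on this page. It flags nodes from a foreign package that fully cover a removal button, and it hit-tests each action in a captured gesture list against the snapshot so an analyst can see which element a tap would actually land on.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample input (not a real capture): a uiautomator-style XML dump
# of the Settings "App info" page. The last node belongs to a hypothetical
# package, com.example.dropper, and has exactly the bounds of the Settings
# "Uninstall" button, which is what a transparent blocking overlay looks like.
SAMPLE_XML = """<?xml version='1.0' encoding='UTF-8'?>
<hierarchy rotation="0">
  <node index="0" text="" resource-id="" class="android.widget.FrameLayout" package="com.android.settings" bounds="[0,0][1080,2340]">
    <node index="0" text="App info" resource-id="" class="android.widget.TextView" package="com.android.settings" bounds="[40,120][400,180]"/>
    <node index="1" text="Uninstall" resource-id="com.android.settings:id/button1" class="android.widget.Button" package="com.android.settings" clickable="true" bounds="[60,1900][520,2000]"/>
    <node index="2" text="Force stop" resource-id="com.android.settings:id/button2" class="android.widget.Button" package="com.android.settings" clickable="true" bounds="[560,1900][1020,2000]"/>
  </node>
  <node index="1" text="" resource-id="" class="android.view.View" package="com.example.dropper" clickable="true" bounds="[60,1900][520,2000]"/>
</hierarchy>
"""

# Constructed gesture list in an assumed schema (tap/swipe in screen pixels).
SAMPLE_ACTIONS = json.dumps([
    {"action": "tap", "x": 300, "y": 1950},
    {"action": "swipe", "x1": 540, "y1": 2200, "x2": 540, "y2": 800},
])

BOUNDS_RE = re.compile(r"\[(-?\d+),(-?\d+)\]\[(-?\d+),(-?\d+)\]")
REMOVAL_LABELS = ("uninstall", "force stop", "stop", "disable", "deactivate")


def parse_bounds(s):
    """'[x1,y1][x2,y2]' -> (x1, y1, x2, y2)."""
    m = BOUNDS_RE.fullmatch(s.strip())
    if not m:
        raise ValueError(f"bad bounds: {s!r}")
    return tuple(int(v) for v in m.groups())


def parse_snapshot(xml_text):
    """Flatten the dump into a list of nodes in document order.
    Document order approximates z-order: later windows are drawn on top."""
    root = ET.fromstring(xml_text)
    return [{
        "text": el.get("text", ""),
        "package": el.get("package", ""),
        "class": el.get("class", ""),
        "bounds": parse_bounds(el.get("bounds", "[0,0][0,0]")),
    } for el in root.iter("node")]


def contains(outer, inner):
    return (outer[0] <= inner[0] and outer[1] <= inner[1]
            and outer[2] >= inner[2] and outer[3] >= inner[3])


def point_in(b, x, y):
    return b[0] <= x < b[2] and b[1] <= y < b[3]


def find_overlays(nodes):
    """Removal buttons that a later node from a different package fully covers."""
    findings = []
    for i, btn in enumerate(nodes):
        if btn["text"].strip().lower() not in REMOVAL_LABELS:
            continue
        for other in nodes[i + 1:]:
            if other["package"] != btn["package"] and contains(other["bounds"], btn["bounds"]):
                findings.append({"button": btn["text"], "button_package": btn["package"],
                                 "overlay_package": other["package"], "bounds": btn["bounds"]})
    return findings


def hit_test(nodes, x, y):
    """Topmost node under (x, y): the last node in document order containing it."""
    hit = None
    for n in nodes:
        if point_in(n["bounds"], x, y):
            hit = n
    return hit


def annotate_actions(nodes, actions_json):
    """Resolve each tap/swipe in a captured gesture list to the element it lands on,
    and note any removal button lying underneath the element that takes the tap."""
    trace = []
    for a in json.loads(actions_json):
        kind = a.get("action")
        if kind == "tap":
            hit = hit_test(nodes, a["x"], a["y"])
            under = [n["text"] for n in nodes
                     if n is not hit and point_in(n["bounds"], a["x"], a["y"])
                     and n["text"].strip().lower() in REMOVAL_LABELS]
            trace.append({"action": "tap", "hit": hit, "covers": under})
        elif kind == "swipe":
            trace.append({"action": "swipe",
                          "start": hit_test(nodes, a["x1"], a["y1"]),
                          "end": hit_test(nodes, a["x2"], a["y2"])})
        else:
            trace.append({"action": "unknown", "raw": a})
    return trace


if __name__ == "__main__":
    snap = parse_snapshot(SAMPLE_XML)
    for f in find_overlays(snap):
        print(f"overlay: {f['overlay_package']} covers '{f['button']}' of {f['button_package']}")
    for step in annotate_actions(snap, SAMPLE_ACTIONS):
        print(step)
```

On the sample dump the tap at (300, 1950) resolves to the `com.example.dropper` view rather than the Settings Uninstall button beneath it, which is exactly the blocking effect the article describes; the same hit-testing shows what a model-generated gesture list would do before anyone replays it on a device.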