LOGICFALCON | 23 Feb 2026 | South America

Unmasking PromptSpy: The AI-Driven Android Malware That Outsmarts Your Phone

Cybercriminals weaponize Google’s Gemini AI in a new breed of Android malware, making device takeovers smarter than ever.

It started with a simple swipe - except this time, the malicious app refused to vanish from the screen. In a quiet corner of the Android underworld, a shadowy new threat is rewriting the rules of mobile malware. Meet PromptSpy, a sophisticated AI-powered attacker that leverages Google’s own Gemini generative AI to outmaneuver traditional defenses and hold Android devices hostage, all while remaining eerily adaptable across brands and software versions.

Uncovered by ESET researchers, PromptSpy signals a dangerous evolution in the cyber threat landscape: malware that no longer depends on brittle, hardcoded instructions. Instead, it captures the current screen’s XML structure - listing every button, label, and layout - then sends it to Gemini along with a cleverly crafted natural-language prompt. Gemini acts as a behind-the-scenes “Android automation assistant,” responding with JSON instructions for taps, swipes, or long-presses tailored to the actual device and app in use.

This AI-driven adaptability means PromptSpy can persistently lock itself into the recent apps list, making it nearly impossible to close or kill using normal gestures. The attackers have built a feedback loop, with the malware repeatedly analyzing the interface and executing Gemini’s instructions until visual confirmation - like a padlock icon - signals success. Traditional mobile malware often fails when confronted with varying Android versions or custom interfaces from different manufacturers. PromptSpy’s use of generative AI blows past those roadblocks, enabling attacks at scale with minimal custom scripting.

But PromptSpy is more than just a clever persistence trick. At its core lies a VNC module, granting remote operators full visibility and control over infected devices. The malware leverages Android’s Accessibility Services to read on-screen content, overlay invisible blockers on uninstall or force-stop buttons, steal lockscreen credentials, record activities, and quietly report sensitive details back to a command-and-control server. Communications are encrypted, and the malware even requests Gemini API keys on demand to sustain its AI-powered attacks.
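A practical check that follows from the abuse of Accessibility Services described above: the set of apps granted accessibility access on a handset is small and stable, so listing it and comparing it against the packages you expect is a cheap way to spot an unexpected sideloaded app holding that power. The script below is an added example and is not code from the article or from ESET. It parses the value that `adb shell settings get secure enabled_accessibility_services` returns (colon-separated `package/serviceClass` entries, or the literal `null` when nothing is enabled); the sample value, the allowlist and the `com.example.fakebank` package name are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article or ESET): audit which Android packages
# currently hold an enabled accessibility service and flag any not on an
# allowlist. Input format is what `settings get secure
# enabled_accessibility_services` prints: "pkg/Service:pkg2/Service2" or "null".

# Constructed sample: TalkBack (legitimate) plus an unknown sideloaded app.
SAMPLE_SERVICES='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakebank/.AccessService'

# Packages expected to hold accessibility access on this fleet (assumption).
ALLOWLIST='com.google.android.marvin.talkback
com.android.settings'

# list_accessibility_packages VALUE
# Prints one package name per line for each enabled service entry.
list_accessibility_packages() {
    value=$1
    # An unset setting is reported as the literal string "null".
    [ "$value" = "null" ] && return 0
    printf '%s\n' "$value" | tr ':' '\n' | awk -F'/' '$1 != "" {print $1}'
}

# flag_unknown_services VALUE
# Prints the packages from VALUE that are not in ALLOWLIST.
flag_unknown_services() {
    list_accessibility_packages "$1" | while IFS= read -r pkg; do
        if ! printf '%s\n' "$ALLOWLIST" | grep -qxF -- "$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# Stand-alone run against the constructed sample.
echo "Enabled accessibility packages:"
list_accessibility_packages "$SAMPLE_SERVICES"
echo "Not on allowlist:"
flag_unknown_services "$SAMPLE_SERVICES"

# Live use on a connected device (adb output may carry a trailing CR):
#   flag_unknown_services "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
```

Any package this prints deserves a look with `adb shell dumpsys package <pkg>` to see where it was installed from; an app that arrived outside the Play Store and holds accessibility access matches the distribution pattern the article describes.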

Distribution has so far relied on phishing apps disguised as banking utilities - particularly “MorganArg” targeting Argentine victims - delivered via now-defunct domains like mgardownload[.]com. Yet debugging artifacts in simplified Chinese and code for Chinese-language Accessibility events hint at a much broader development effort. While ESET has not observed large-scale infections, the infrastructure and sophistication suggest PromptSpy may soon move beyond proof-of-concept status.

PromptSpy is more than a one-off curiosity; it’s a warning shot for the future of mobile threats. As generative AI becomes a tool for both defenders and attackers, users must remain vigilant - especially against sideloaded apps and suspicious Accessibility prompts. The next swipe you make could be on a battlefield where cybercriminals and artificial intelligence are already at war.

WIKICROOK

  • Generative AI: Generative AI is artificial intelligence that creates new content - like text, images, or audio - often mimicking human creativity and style.
  • VNC (Virtual Network Computing): VNC (Virtual Network Computing) lets users remotely view and control another computer’s screen in real time over a network or the internet.
  • Accessibility Services: Accessibility Services are Android features that help users with disabilities, but can be misused by malware to control devices or steal data.
  • Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
  • Persistence Mechanism: A persistence mechanism is a method used by malware to stay active on a system, surviving reboots and removal attempts by users or security tools.