Malware & Threats

PromptSpy Android Malware Abuses Gemini AI at Runtime for Persistence

The malware leverages Gemini to analyze on-screen elements and ensure that it remains on the device even after a reboot.

Researchers at ESET have analyzed what they describe as the first Android malware to leverage generative AI during its execution.

Named PromptSpy, the malware deploys a VNC module on compromised systems, enabling its operators to view the victim’s screen and take full control of the Android device. 

In addition, PromptSpy can collect device information, capture the lockscreen PIN or password, record the screen to obtain the device’s unlock pattern, and take screenshots.

For persistence, the Android malware uses a novel approach at runtime that involves sending a prompt to Google’s Gemini gen-AI chatbot along with an XML file containing data about the various UI elements displayed on the screen, including their type, text, and position. 

Gemini uses this information to tell PromptSpy — via JSON instructions — where to tap or swipe on the screen in order to add the malware to the list of recent apps. The malware can interact with the device and perform the gestures recommended by the AI chatbot by abusing Android’s Accessibility Services. 

“The malware saves both its previous prompts and Gemini’s responses, allowing Gemini to understand context and to coordinate multistep interactions,” ESET researchers explained. 

By locking itself in the recent apps list, the malware ensures persistence across device reboots.

PromptSpy also abuses Accessibility Services to prevent removal. ESET researchers explained, “When the user attempts to uninstall the payload or disable Accessibility Services, the malware overlays transparent rectangles on specific screen areas – particularly over buttons containing substrings like stop, end, clear, and Uninstall. These overlays are invisible to the user but intercept interactions, making removal difficult.”

“Because PromptSpy blocks uninstallation by overlaying invisible elements on the screen, the only way for a victim to remove it is to reboot the device into Safe Mode, where third‑party apps are disabled and can be uninstalled normally,” the researchers added.
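The overlay trick described above leaves a detectable shape: a near-transparent window that sits on top of buttons whose label contains one of the watched substrings. The following added example (not ESET's or the malware's code) shows that check written from the defender's side: it parses a constructed uiautomator-style screen dump, finds removal-related buttons, and flags any low-alpha overlay whose bounds intersect them. The overlay record format (package, alpha, bounds) is an assumption for the sake of the example.

```python
"""Flag transparent overlays that cover removal-related buttons (added example)."""
import re
import xml.etree.ElementTree as ET

# Substrings ESET reports the malware watches for; matched case-insensitively here.
WATCHED = ("stop", "end", "clear", "uninstall")
BOUNDS_RE = re.compile(r"\[(\d+),(\d+)\]\[(\d+),(\d+)\]")


def parse_bounds(text):
    """Parse uiautomator-style '[x1,y1][x2,y2]' into an (x1, y1, x2, y2) tuple."""
    m = BOUNDS_RE.fullmatch(text)
    if not m:
        raise ValueError(f"bad bounds: {text!r}")
    return tuple(int(v) for v in m.groups())


def intersects(a, b):
    """True when two (x1, y1, x2, y2) rectangles overlap with positive area."""
    return a[0] < b[2] and b[0] < a[2] and a[1] < b[3] and b[1] < a[3]


def removal_buttons(ui_xml):
    """Return (label, bounds) for every button whose text contains a watched substring."""
    found = []
    for node in ET.fromstring(ui_xml).iter("node"):
        if not node.get("class", "").endswith("Button"):
            continue
        label = node.get("text", "")
        if any(s in label.lower() for s in WATCHED):
            found.append((label, parse_bounds(node.get("bounds"))))
    return found


def suspicious_overlays(ui_xml, overlays):
    """Return (package, button label) pairs where an invisible overlay covers a watched button."""
    buttons = removal_buttons(ui_xml)
    hits = []
    for ov in overlays:
        if ov["alpha"] > 0.05:  # visible overlays (toasts, dialogs) are not this pattern
            continue
        ob = parse_bounds(ov["bounds"])
        hits.extend((ov["pkg"], label) for label, bb in buttons if intersects(ob, bb))
    return hits


# Constructed sample: an app-info screen plus two overlay windows (assumed format).
SAMPLE_UI = """<hierarchy>
  <node class="android.widget.TextView" text="App info" bounds="[0,100][1080,180]"/>
  <node class="android.widget.Button" text="Force stop" bounds="[60,1800][500,1900]"/>
  <node class="android.widget.Button" text="Uninstall" bounds="[580,1800][1020,1900]"/>
  <node class="android.widget.Button" text="Open" bounds="[60,1950][1020,2050]"/>
</hierarchy>"""
SAMPLE_OVERLAYS = [
    {"pkg": "com.example.suspect", "alpha": 0.0, "bounds": "[50,1790][1030,1910]"},
    {"pkg": "com.example.toast", "alpha": 1.0, "bounds": "[0,0][1080,200]"},
]
```

Substring matching is deliberately loose, as in the description above, so a label such as "Send" also matches "end"; treat a hit as a trigger for review rather than proof on its own.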

ESET noted that it has not seen infections in the wild and that PromptSpy may be a proof of concept, similar to the PromptLock ransomware detailed by the company last year.

However, the security firm has seen a domain that appears to be designed to deliver the malware to users in Argentina.

Evidence indicates that PromptSpy was created by Chinese developers. ESET made this attribution with medium confidence and has not linked the Android malware to any threat actor.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.