Category: News

Users are increasingly at risk: the first Android malware that uses generative AI arrives

Security researchers at ESET have identified a new and concerning threat to Android devices, named PromptSpy: the first known malware that uses generative AI to manipulate the user interface in a context-aware way.

Although machine learning has already been used in the past to automate advertising fraud, the integration of an advanced language model to dynamically navigate menus represents a worrying technical leap.

Android Malware PromptSpy, AI-guided adaptability

The PromptSpy code does not rely on AI for all of its functions, but it uses it in a phase that is critical to its survival: making sure the app stays resident on the device.

Traditional malware often relies on fixed coordinates or rigid scripts to navigate the interface, methods that easily fail because of the countless graphical customizations applied by different smartphone manufacturers, or after a system update.

PromptSpy bypasses this obstacle by sending to the AI model (in this particular case, the Gemini API) a textual scan of the current screen in the form of an XML file.

The model analyzes the visible elements and returns precise instructions on where and how to tap the screen to perform the gesture required to lock the malicious application in the recent apps list.

This process repeats in a continuous cycle until the malware receives confirmation that the lock has been applied, making it almost impossible for the user to close the app, accidentally or intentionally, with a simple swipe.

Total control and data theft

The use of artificial intelligence acts as a shield to keep the true engine of the attack alive. The primary purpose of PromptSpy is, in fact, the installation of a VNC module that guarantees cybercriminals full remote control of the smartphone.

By abusing Android’s accessibility services, the software silently records the screen, captures unlock PINs, and collects sensitive information.

To prevent uninstallation, the threat employs a particularly insidious technique: it overlays invisible rectangles on system buttons such as “Stop”, “Delete” or “Uninstall”. The unaware user taps the screen trying to remove the program but gets no response from the operating system, which effectively defeats their attempts to defend themselves.
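As an added defender-side illustration (not code from ESET or from the article), the script below scans a screen hierarchy dump for an invisible, clickable view from an untrusted package that fully covers a Stop/Delete/Uninstall button, which is the overlay pattern described above. It assumes the dump is in the `uiautomator dump` XML format (`node` elements with `package`, `text`, `clickable` and `bounds="[x1,y1][x2,y2]"` attributes); the sample dump and the package names in it are constructed.

```python
"""Flag invisible overlay views that cover system action buttons.

Assumption: the input is a `uiautomator dump` style XML hierarchy.
The SAMPLE_DUMP below is constructed for illustration only.
"""
import re
import xml.etree.ElementTree as ET

BOUNDS_RE = re.compile(r"\[(\d+),(\d+)\]\[(\d+),(\d+)\]")
# Button labels that the article says get covered by invisible rectangles.
WATCHED_LABELS = {"stop", "delete", "uninstall", "force stop"}

SAMPLE_DUMP = """<hierarchy rotation="0">
  <node package="com.android.settings" class="android.widget.FrameLayout" text="" clickable="false" bounds="[0,0][1080,2340]">
    <node package="com.android.settings" class="android.widget.Button" text="Uninstall" clickable="true" bounds="[120,1800][500,1900]"/>
    <node package="com.android.settings" class="android.widget.Button" text="Force stop" clickable="true" bounds="[580,1800][960,1900]"/>
  </node>
  <node package="com.example.fakeapp" class="android.view.View" text="" clickable="true" bounds="[100,1780][980,1920]"/>
</hierarchy>
"""

def parse_bounds(value):
    """Turn '[x1,y1][x2,y2]' into a tuple of four ints."""
    match = BOUNDS_RE.fullmatch(value.strip())
    if not match:
        raise ValueError(f"unexpected bounds attribute: {value!r}")
    return tuple(int(v) for v in match.groups())

def covers(outer, inner):
    """True if rectangle `outer` completely contains rectangle `inner`."""
    ox1, oy1, ox2, oy2 = outer
    ix1, iy1, ix2, iy2 = inner
    return ox1 <= ix1 and oy1 <= iy1 and ox2 >= ix2 and oy2 >= iy2

def find_covered_buttons(xml_text, trusted_packages):
    """Return (button_text, button_package, overlay_package) for every watched
    button that is fully covered by a text-less clickable node owned by a
    package outside `trusted_packages`."""
    nodes = list(ET.fromstring(xml_text).iter("node"))
    buttons = [n for n in nodes
               if n.get("text", "").strip().lower() in WATCHED_LABELS]
    findings = []
    for button in buttons:
        button_rect = parse_bounds(button.get("bounds"))
        for node in nodes:
            if node is button or node.get("package") in trusted_packages:
                continue
            # An overlay has no visible label but still intercepts taps.
            if node.get("clickable") != "true" or node.get("text", "").strip():
                continue
            if covers(parse_bounds(node.get("bounds")), button_rect):
                findings.append((button.get("text"), button.get("package"),
                                 node.get("package")))
    return findings
```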

Between Argentina and Asia

Analysis of samples of this malware has revealed interesting details about its origin and targets. The campaign appears to be purely financially motivated and mainly targets users in Argentina.

The initial infection vector is a fake bank website that imitates the appearance of a well-known international financial institution (Chase Bank) and pushes victims to download a counterfeit application named MorganArg through a fake update.

Although the targets are in South America, analysis of the source code uncovered programming and debugging strings written in Simplified Chinese, a detail suggesting that development took place in an Asian environment.

Fortunately, this threat has never been distributed through Google’s official channel, Google Play, and Android users are automatically protected by built-in security features such as Google Play Protect.

How to remove the threat

Due to its advanced defenses and invisible blocks applied to the interface, removing PromptSpy under normal conditions is almost impossible. The only effective way to clean the infected device is to reboot the smartphone in Safe Mode.

This procedure temporarily disables all third-party applications. Once the system is isolated, the victim can safely go to the general settings and remove the malicious software without interference, since the accessibility services it abuses are disabled as well.

Luca Zaninello

A lifelong enthusiast of the mobile phone world, for more than a decade he has been hands-on testing products and telling the web audience about his experiences. An amateur photographer, he has a soft spot for the most over-the-top camera phones.
