Android malware taps Gemini to navigate infected devices

First Android malware uses generative AI

Cybersecurity firm ESET has discovered the first known Android malware that uses generative AI to improve its performance after infection. The malware, named PromptSpy, is designed to deploy a VNC module that gives hackers remote control of infected devices.

Its key innovation is using Google's Gemini chatbot to interpret a device's user interface. This allows the malware to adapt its actions to keep the malicious app pinned in the recent apps list on virtually any Android device.

How the AI-powered attack works

PromptSpy works by submitting a natural language prompt and an XML dump of the device's current screen to Gemini. The AI chatbot then returns JSON instructions telling the malware what action to perform and where to tap or swipe.

This process repeats until Gemini confirms the malicious app is successfully pinned. "Leveraging generative AI enables the threat actors to adapt to more or less any device, layout, or OS version," said ESET malware researcher Lukas Stefanko.

Traditional Android malware relies on static screen coordinates or UI selectors, which often break on different devices. Using AI to dynamically interpret the screen is a significant evolution in bypassing this problem.

Limited distribution so far

ESET found versions of PromptSpy uploaded to VirusTotal in January, with the Gemini-assisted samples originating from Argentina. Analysis of the code suggests it was developed by Chinese speakers for financially motivated cybercriminals.

However, the malware has not yet appeared in ESET's real-world telemetry data, suggesting it remains a proof of concept. The researchers did find a likely distribution domain, now offline, which was imitating a Chase Bank website.

The malware was not distributed through the Google Play Store. Given Google's recent restrictions on sideloading, it's unclear how attackers planned to install it on devices.

Malware's dangerous capabilities

Once installed, PromptSpy has a wide range of invasive capabilities beyond its AI component. It can:

• Intercept lockscreen PINs or passwords
• Record the pattern unlock screen as a video
• Capture screen recordings and user gestures
• Take screenshots without user knowledge

It also uses a deceptive defense mechanism to prevent removal. The malware places invisible, transparent boxes over critical screen elements like uninstall buttons.

Users trying to tap these buttons press the invisible overlay instead, with no effect. The only way to remove PromptSpy is to reboot the device in safe mode and uninstall it from there.

A new era for Android threats

"PromptSpy shows that Android malware is beginning to evolve in a sinister way," Stefanko said. The use of generative AI makes malware far more dynamic and capable of real-time decision-making against diverse targets.

This discovery follows ESET's earlier finding of PromptLock, which it called the first AI-powered ransomware. That code was later revealed to be a research project by New York University students, uploaded to VirusTotal to test detection.

While PromptSpy appears to be a proof of concept for now, it demonstrates how quickly attackers are adopting AI tools. "It illustrates how quickly attackers are beginning to misuse AI tools to improve impact," Stefanko concluded.