PromptSpy Android Malware Uses Generative AI

Verticals Targeted: Financial
Regions Targeted: Argentina
Related Families: VNCSpy

Executive Summary

PromptSpy is the first documented Android malware family to integrate generative AI, specifically Google's Gemini, into its execution flow for dynamic, context-aware persistence. Primarily functioning as a remote access trojan with a built-in VNC module, this malware demonstrates how large language models can enhance adaptability in mobile threats, particularly for UI manipulation resistant to device variations.

Key Takeaways

• PromptSpy employs Google's Gemini to analyze screen XML dumps and generate step-by-step JSON instructions for gestures that lock the app in the recent apps list, overcoming challenges posed by diverse Android UI layouts and manufacturer customizations.
• The malware's core capability involves deploying a VNC service for full remote device control, including screen viewing, input simulation, lockscreen credential capture, video recording, and screenshot acquisition.
• Distributed via a dedicated website impersonating a Chase Bank portal and never listed on Google Play, PromptSpy appears linked to a financially motivated campaign focused on users in Argentina.
• Development artifacts, including simplified Chinese debug strings and localized Accessibility event handling, are possibly indicative of origins in a Chinese-speaking environment.

What is PromptSpy?

ESET recently disclosed details on PromptSpy, marking the inaugural instance of Android malware incorporating generative AI to facilitate context-sensitive user interface interactions during execution. Although generative AI constitutes a limited segment of the codebase, dedicated specifically to persistence, the approach significantly bolsters the malware's resilience across heterogeneous Android ecosystems.

In conventional Android malware, persistence mechanisms frequently depend on fixed coordinates, hardcoded UI selectors, or predefined gestures, rendering them susceptible to failure when confronted with varying device models, screen dimensions, OS iterations, or custom manufacturer overlays. PromptSpy circumvents these limitations by leveraging Google's Gemini model. The malware captures a comprehensive XML representation of the active screen via Accessibility Services, transmitting it alongside a hardcoded natural-language prompt to Gemini. The model processes this input and returns structured JSON directives specifying actions such as taps, long clicks, or swipes, including precise coordinates derived from element bounds.

A feedback loop ensues: PromptSpy executes the instructed gestures, captures the updated screen state, and re-submits it to Gemini until the model signals successful completion, evidenced by visual indicators like a padlock icon in the recent apps overview. This mechanism enables automated execution of the "lock in recent apps" gesture, preventing users or system processes from easily terminating the malicious app.

The primary objective of PromptSpy centers on establishing remote access through an embedded VNC module. Once Accessibility Services authorization is obtained, operators connect to a hardcoded C2 via the VNC protocol, with communications protected by AES encryption utilizing a static key. This channel supports capabilities including real-time screen viewing and control, transmission of device-installed applications, interception of lockscreen PINs or patterns, foreground app monitoring, on-demand screenshots, and gesture recording within targeted applications.

Additional defensive features misuse Accessibility Services to hinder removal. Transparent overlays intercept interactions with termination-related buttons, those containing terms such as "stop," "end," "clear," or "Uninstall”, rendering them unresponsive. Successful remediation typically requires booting the device into Safe Mode to bypass the malware's interference.

Distribution occurs through a dropper application sourced from mgardownload[.]com, which presents a fake Chase Bank-branded interface under the name MorganArg. The dropper prompts installation of the embedded PromptSpy payload, disguised as an update. Companion samples, including Android/Phishing.Agent.M, share signing certificates and spoof the same fraudulent banking site in Spanish, suggesting a unified campaign infrastructure.

Although PromptSpy samples have not surfaced in ESET's telemetry, implying possible proof-of-concept status, the presence of a distribution domain and regional phishing elements point toward targeted deployment in Argentina. Language localization within the fake site reinforces this geographic focus. Debug remnants in simplified Chinese, encompassing event type parsing tailored for Chinese readability, provide medium-confidence attribution to a Chinese-speaking development environment.

This discovery underscores the emerging risk of generative AI integration into mobile malware, enabling unprecedented dynamism in automation tasks traditionally constrained by rigid scripting. As large language models become more accessible, similar techniques may proliferate, complicating detection and necessitating advanced behavioral monitoring on Android platforms.

IOCs

PolySwarm has multiple samples of PromptSpy.

11f5c91d24c9d1eee16dacacfb9160e299544c1a854af92f79daf88364cea0b6

b420b96e0d76702f51ba0e3364da881aaf766e00538059e58fec6b7676a68e6c

299ae5afdf4338e1e5d68656c67719346277deae20d9d013079244302040db7e

468eed1131e4b562ae32ff2734d9feb37c9b8e2097df05431867279614c8502a

d076268a34eb62ba17aaf3cfb244998bd3a1a9a4c1ca98d21944d94da30f42a8

6a3f0bf6739ee69012b4c2b61e43a2ce7c7d9ee145b4efe0395961e08e3beac7

067d5dbbd24f988f0c945a08556dec3a1c789398ae46842038ea96a9b2384427

db7a1c352c7d1ac75e0ba31b71cf4b0e3304a22b8d0d636fa80b5d5095be1e00

4ee3b09dd9a787ebbb02a637f8af192a7e91d4b7af1515d8e5c21e1233f0f1c7

Click here to view all samples of PromptSpy in our PolySwarm portal.

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.