{"id":98,"date":"2026-02-27T14:52:23","date_gmt":"2026-02-27T14:52:23","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=98"},"modified":"2026-02-27T14:52:23","modified_gmt":"2026-02-27T14:52:23","slug":"promptspy-android-malware-abuses-gemini-ai-to-automate-recent-apps-persistence","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=98","title":{"rendered":"PromptSpy Android Malware Abuses Gemini AI to Automate Recent-Apps Persistence"},"content":{"rendered":"<div id=\"articlebody\">\n<p>Cybersecurity researchers have discovered what they say is the first Android malware that abuses Gemini, Google&#8217;s generative artificial intelligence (AI) chatbot, as part of its execution flow in order to achieve persistence.<\/p>\n<p>The malware has been codenamed <strong>PromptSpy<\/strong> by ESET. 
The malware is equipped to capture lockscreen data, block uninstallation attempts, gather device information, take screenshots, and record screen activity as video.<\/p>\n<p>&#8220;Gemini is used to analyze the current screen and provide PromptSpy with step-by-step instructions on how to ensure the malicious app remains pinned in the recent apps list, thus preventing it from being easily swiped away or killed by the system,&#8221; ESET researcher Luk\u00e1\u0161 \u0160tefanko <a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/promptspy-ushers-in-era-android-threats-using-genai\/\" rel=\"noopener\" target=\"_blank\">said<\/a> in a report published today.<\/p>\n<p>&#8220;Since Android malware often relies on UI navigation, leveraging generative AI enables the threat actors to adapt to more or less any device, layout, or OS version, which can greatly expand the pool of potential victims.&#8221;<\/p>\n<p>Specifically, the malware hard-codes both the AI model and a prompt that assigns the AI agent the persona of an &#8220;Android automation assistant.&#8221; It sends Gemini a natural language prompt along with an XML dump of the current screen that describes every UI element, including its text, type, and exact position on the display.<\/p>\n<p>Gemini then processes this information and responds with JSON instructions that 
tell the malware what action to perform (e.g., a tap) and where to perform it. The multi-step interaction continues until the app is pinned in the recent apps list and can no longer be terminated.<\/p>\n<p>The main goal of PromptSpy is to deploy a built-in VNC module that grants the attackers remote access to the victim&#8217;s device. The malware also abuses Android&#8217;s accessibility services and invisible overlays to block attempts to uninstall it. It communicates with a hard-coded command-and-control (C2) server (&#8220;54.67.2[.]84&#8221;) via the VNC protocol.<\/p>\n<p>It&#8217;s worth noting that the actions suggested by Gemini are executed through accessibility services, which lets the malware interact with the device without any user input. The C2 server also supplies the Gemini API key and issues commands to take screenshots on demand, intercept the lockscreen PIN or password, record the screen, and capture the pattern-unlock screen as video.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj924Dw3s39lTJUfiEwcbpM2l-v0mmLu08hiM964q-IaP5dTyFK0XhV9e5_s9Y2HHMVQut-vfXp2LskG_Mxf_3cI1YndvxC7RaeyeUvNQFUhpnYJTPX52gSlIleR-7r69zwL3qucBpdRZygBZGekIRkjdtHCxOfvkW_T04ew6s7oP4JqTHWaoWLJtU7cVlh\/s1700-e365\/code.png\" style=\"display: block;  text-align: center; clear: left; float: left;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj924Dw3s39lTJUfiEwcbpM2l-v0mmLu08hiM964q-IaP5dTyFK0XhV9e5_s9Y2HHMVQut-vfXp2LskG_Mxf_3cI1YndvxC7RaeyeUvNQFUhpnYJTPX52gSlIleR-7r69zwL3qucBpdRZygBZGekIRkjdtHCxOfvkW_T04ew6s7oP4JqTHWaoWLJtU7cVlh\/s1700-e365\/code.png\" alt=\"\" border=\"0\" data-original-height=\"747\" data-original-width=\"981\"\/><\/a><\/div>\n<p>An analysis of the language localization clues and the distribution vectors used suggests that the campaign is likely financially motivated and 
targets users in Argentina. Interestingly, the evidence suggests that PromptSpy was developed in a Chinese-speaking environment, as indicated by debug strings written in simplified Chinese.<\/p>\n<p>&#8220;PromptSpy is distributed by a dedicated website and has never been available on Google Play,&#8221; \u0160tefanko said.<\/p>\n<p>PromptSpy is assessed to be an advanced version of a previously unknown Android malware called VNCSpy, samples of which were first uploaded to the VirusTotal platform last month from Hong Kong.<\/p>\n<p>The website, &#8220;mgardownload[.]com,&#8221; delivers a dropper which, when installed and launched, opens a web page hosted on &#8220;m-mgarg[.]com.&#8221; The lure masquerades as JPMorgan Chase, going by the name &#8220;MorganArg&#8221; in reference to Morgan Argentina. The dropper also instructs victims to grant it permission to install apps from unknown sources so that it can deploy PromptSpy.<\/p>\n<p>&#8220;In the background, the Trojan contacts its server to request a configuration file, which includes a link to download another APK, presented to the victim, in Spanish, as an update,&#8221; ESET said. 
&#8220;During our research, the configuration server was no longer accessible, so the exact download URL remains unknown.&#8221;<\/p>\n<p>The findings illustrate how threat actors are incorporating AI tools into their operations to make malware more dynamic, automating actions that would otherwise be harder to accomplish with conventional approaches.<\/p>\n<p>Because PromptSpy blocks its own uninstallation by overlaying invisible elements on the screen, the practical way for a victim to remove it is to <a href=\"https:\/\/support.google.com\/android\/answer\/7665064?hl=en\" rel=\"noopener\" target=\"_blank\">reboot the device into Safe Mode<\/a>, where third-party apps (and therefore the malware&#8217;s accessibility service and overlays) are not loaded, so the app can be uninstalled normally.<\/p>\n<p>&#8220;PromptSpy shows that Android malware is beginning to evolve in a sinister way,&#8221; ESET said. 
&#8220;By relying on generative AI to interpret on-screen elements and decide how to interact with them, the malware can adapt to virtually any device, screen size, or UI layout it encounters.&#8221;<\/p>\n<p>&#8220;Instead of hardcoded taps, it simply hands AI a snapshot of the screen and receives precise, step-by-step interaction instructions in return, helping it achieve a persistence technique resistant to UI changes.&#8221;<\/p>\n<p>When reached for comment, a Google spokesperson told The Hacker News via email that there is currently no evidence that apps containing PromptSpy are being distributed via Google Play.<\/p>\n<p>&#8220;Android users are automatically protected against known versions of this malware by <a href=\"https:\/\/support.google.com\/googleplay\/answer\/2812853?hl=en\" rel=\"noopener\" target=\"_blank\">Google Play Protect<\/a>, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play,&#8221; the spokesperson added.<\/p>\n<p><em>(The story was updated after publication to include a response from Google.)<\/em><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity researchers have discovered what they say is the first Android malware that abuses Gemini, Google&#8217;s generative artificial intelligence (AI) chatbot, as part of its execution flow and achieves 
persistence.&hellip;<\/p>\n","protected":false},"author":1,"featured_media":99,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[226,281,283,282,42,285,133,284],"class_list":["post-98","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-abuses","tag-android","tag-automate","tag-gemini","tag-malware","tag-persistence","tag-promptspy","tag-recentapps"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/98","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=98"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/98\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/99"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=98"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=98"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=98"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
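The screen-dump, prompt, JSON-instruction, tap loop that the article describes, as an added example that is not PromptSpy's code and not taken from ESET's report. The XML layout (a `hierarchy` of `node` elements carrying `text`, `class` and `bounds` attributes, as in a uiautomator-style dump), the element ids, the prompt wording, the `{"action": ..., "target": ...}` reply schema and the three constructed screens are all assumptions; the article only says the dump lists each element's text, type and position and that the model answers with JSON naming an action and a location. Gemini itself is replaced by a scripted stand-in so the loop runs offline, and the loop enforces a step budget, which is the failure mode a real agent loop needs: a model that never says it is finished must not spin forever.

```python
"""Simulated GenAI-driven UI automation loop (added example, not malware code)."""
import json
import re
import xml.etree.ElementTree as ET  # use defusedxml for untrusted dumps in real tooling

BOUNDS_RE = re.compile(r"\[(\d+),(\d+)\]\[(\d+),(\d+)\]")
PERSONA = "You are an Android automation assistant."          # persona named in the article
GOAL = "Keep the app MorganArg pinned in the recent apps list."  # hypothetical goal wording
ALLOWED_ACTIONS = {"tap", "done"}                               # assumed reply schema


def parse_screen(xml_text):
    """Turn a uiautomator-style dump into [{'id','text','type','center'}], one entry per node."""
    elements = []
    for idx, node in enumerate(ET.fromstring(xml_text).iter("node")):
        m = BOUNDS_RE.fullmatch(node.get("bounds", ""))
        if not m:
            continue  # node without usable geometry cannot be tapped
        x1, y1, x2, y2 = map(int, m.groups())
        elements.append({
            "id": idx,
            "text": node.get("text", ""),
            "type": node.get("class", ""),
            "center": ((x1 + x2) // 2, (y1 + y2) // 2),
        })
    return elements


def build_prompt(elements, goal):
    """Natural-language prompt plus the machine-readable screen description."""
    return PERSONA + "\nGoal: " + goal + "\nScreen:\n" + json.dumps(elements)


def parse_action(reply, elements):
    """Validate the model's JSON; return ('tap', (x, y)) or ('done', None), else raise."""
    data = json.loads(reply)
    if not isinstance(data, dict):
        raise ValueError("reply is not a JSON object")
    action = data.get("action")
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unexpected action {action!r}")
    if action == "done":
        return ("done", None)
    target = data.get("target")
    for el in elements:
        if el["id"] == target:
            return ("tap", el["center"])  # resolve element id to screen coordinates
    raise ValueError(f"target {target!r} is not on screen")


def scripted_model(prompt):
    """Offline stand-in for Gemini: tap known labels in order, otherwise report done."""
    screen = json.loads(prompt.split("Screen:\n", 1)[1])
    for label in ("MorganArg", "Lock"):
        for el in screen:
            if el["text"] == label:
                return json.dumps({"action": "tap", "target": el["id"]})
    return json.dumps({"action": "done"})


def run_agent(screen_states, model, goal, max_steps=10):
    """Drive dump -> prompt -> JSON -> tap until the model says done or the budget is spent.

    screen_states is a constructed list of XML dumps; each tap advances to the next one.
    In the malware the tap would be dispatched as an accessibility-service gesture.
    """
    state, trace = 0, []
    for _ in range(max_steps):
        elements = parse_screen(screen_states[state])
        action, point = parse_action(model(build_prompt(elements, goal)), elements)
        trace.append((action, point))
        if action == "done":
            return trace
        state = min(state + 1, len(screen_states) - 1)
    raise RuntimeError("step budget exhausted without reaching the goal")


# Constructed screens: recents view, the long-press menu, and the locked card.
SCREENS = [
    '<hierarchy><node class="android.widget.FrameLayout" text="" bounds="[0,0][1080,2400]">'
    '<node class="android.widget.TextView" text="MorganArg" bounds="[100,600][980,1000]"/>'
    '</node></hierarchy>',
    '<hierarchy><node class="android.widget.TextView" text="App info" bounds="[100,200][600,300]"/>'
    '<node class="android.widget.TextView" text="Lock" bounds="[100,300][600,400]"/></hierarchy>',
    '<hierarchy><node class="android.widget.TextView" text="Locked" bounds="[100,300][600,400]"/></hierarchy>',
]

if __name__ == "__main__":
    for step in run_agent(SCREENS, scripted_model, GOAL):
        print(step)
```

The defensive points are in `parse_action` and `run_agent`: every model reply is treated as untrusted input (schema-checked, action whitelisted, target resolved against the current screen rather than trusted as raw coordinates), and the loop has a hard upper bound on steps.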
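A device-side triage check for the traits the article attributes to PromptSpy (an enabled accessibility service belonging to a sideloaded app that also holds the overlay permission) plus a match against the network indicators it lists. This is an added example, not ESET's or Google's tooling. The output formats it parses are assumptions modelled on `adb shell settings get secure enabled_accessibility_services`, `adb shell pm list packages -3 -i` and `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`; the package name `com.morganarg.app`, the log lines and every command output below are constructed, not captured from an infected device. The indicators are the article's, refanged.

```python
"""Offline triage for accessibility/overlay abuse and article IOCs (added example)."""
import re

PLAY_STORE = "com.android.vending"

# Indicators from the article (C2 IP, dropper site, lure page), refanged for matching.
IOCS = ("54.67.2.84", "mgardownload.com", "m-mgarg.com")

PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_accessibility_services(value):
    """'pkg/svc:pkg2/svc2' -> {pkg: [svc, ...]}; 'null' or '' means nothing is enabled."""
    services = {}
    if value.strip() in ("", "null"):
        return services
    for entry in value.strip().split(":"):
        pkg, _, svc = entry.partition("/")
        services.setdefault(pkg, []).append(svc)
    return services


def parse_installers(listing):
    """'package:com.x  installer=com.y' lines -> {package: installer} (assumed format)."""
    installers = {}
    for line in listing.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def overlay_allowed(appops_output):
    """True when the appops line reports SYSTEM_ALERT_WINDOW as allowed."""
    return re.search(r"SYSTEM_ALERT_WINDOW:\s*allow", appops_output) is not None


def triage(enabled_services, package_listing, appops_by_pkg):
    """Return third-party packages that combine an enabled accessibility service with
    at least one more PromptSpy-like trait (sideloaded, overlay permission), worst first."""
    findings = []
    installers = parse_installers(package_listing)
    for pkg, svcs in parse_accessibility_services(enabled_services).items():
        if pkg not in installers:
            continue  # not in the third-party listing (system/preinstalled); out of scope here
        reasons = ["accessibility service enabled: " + ", ".join(svcs)]
        if installers[pkg] != PLAY_STORE:
            reasons.append("sideloaded (installer=%s)" % installers[pkg])
        if overlay_allowed(appops_by_pkg.get(pkg, "")):
            reasons.append("SYSTEM_ALERT_WINDOW allowed")
        if len(reasons) > 1:
            findings.append({"package": pkg, "reasons": reasons})
    findings.sort(key=lambda f: -len(f["reasons"]))
    return findings


def match_iocs(log_lines):
    """Return (line, indicator) pairs for lines mentioning any article indicator."""
    return [(line, ioc) for line in log_lines for ioc in IOCS if ioc in line]


# Constructed inputs (not from a real device): one legitimate accessibility app from
# Play and one sideloaded app with the same service type plus the overlay permission.
ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.morganarg.app/com.morganarg.app.AccService"
)
PACKAGE_LISTING = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.morganarg.app  installer=com.google.android.packageinstaller
package:com.example.bank  installer=com.android.vending"""
APPOPS = {
    "com.morganarg.app": "SYSTEM_ALERT_WINDOW: allow; time=+2h13m ago",
    "com.google.android.marvin.talkback": "SYSTEM_ALERT_WINDOW: default",
}
LOG_LINES = [
    "2026-02-27T10:01:02 DNS query A mgardownload.com",
    "2026-02-27T10:01:05 TCP 10.0.0.7 -> 54.67.2.84 SYN",
    "2026-02-27T10:02:00 TCP 10.0.0.7 -> 142.250.0.1 SYN",
]

if __name__ == "__main__":
    for finding in triage(ENABLED_SERVICES, PACKAGE_LISTING, APPOPS):
        print(finding)
    for line, ioc in match_iocs(LOG_LINES):
        print("IOC hit:", ioc, "in", line)
```

An accessibility service on its own is not evidence of compromise (TalkBack in the constructed input is filtered out for exactly that reason); the combination with a non-Play installer and an overlay grant is what mirrors the behaviour described above, and the IOC list is only as current as the article.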