Researchers at Slovak security firm ESET say they have discovered the first Android malware that uses generative AI to improve its effectiveness after installation, but it may just be a prototype.
Researchers at Slovak security firm ESET say they have discovered the first Android malware that uses generative AI to improve its effectiveness after installation, but it may just be a prototype.
ESET has named this threat PromptSpy. The main goal of this malware is to deploy a VNC module that allows hackers to remotely control an infected device, The Register reports .
PromptSpy has the ability to provide Google Gemini chatbot with instructions to interpret device interface elements using natural language queries.
These prompts allow the malware to analyze the user interface, based on which it determines which gestures need to be performed on the device to keep the malicious application pinned to the list of recently opened applications.
“The AI model and prompts are pre-coded and cannot be changed,” wrote Lukasz Stefanko, a malware researcher at ESET. “Since Android malware often relies on interface navigation, the use of generative AI allows attackers to adapt to virtually any device, screen layout, or OS version, which can significantly expand the range of potential victims.”
Android viruses typically use taps, coordinates, and interface selectors to perform tasks. However, these mechanisms often break down across devices, making Gemini a tricky way to circumvent this common problem.
PromptSpy sends Gemini a natural language query along with an XML dump of the device’s current screen, and the chatbot returns JSON instructions on what action to take and where to take it to pin the app to the list of recent users. This process repeats until Gemini tells PromptSpy that the app is in place.
ESET detected versions of PromptSpy uploaded to VirusTotal in January, with strains using Gemini being sent from Argentina.
Analysis of the program's code suggests that it was developed by Chinese-speaking specialists to assist cybercriminals pursuing financial gain.
Stefanko noted that PromptSpy has not yet been recorded in ESET telemetry, indicating that it remains a prototype. However, the team did find a domain that was likely used for distribution, which could indicate preparations for real attacks.
The domains that ESET investigated are currently offline, but saved copies showed that they were likely trying to impersonate the Chase bank website.
PromptSpy is also missing from the Google Play store.
Once installed, the app can intercept lock screen PINs or passwords, record the pattern unlock process as a video, capture screen content and user gestures, and take screenshots in addition to interacting with Gemini.
Additionally, it prevents the program from being deleted or forced to stop by placing transparent blocks over interface elements.
These blocks are invisible to the user: he clicks on the place where the button is located, but nothing happens. The only way to remove the virus is to reboot the device in safe mode, where third-party applications are blocked, and then perform the standard removal procedure.
As The Register found out, the developers themselves uploaded the PromptSpy code to VirusTotal — just to check whether it could bypass modern protection mechanisms.
A team of engineers from New York University developed the code as part of a research project, hoping to get a chance to speak at cybersecurity conferences. The binary was on VirusTotal for some time before being discovered by ESET.
Puzzled by how the news spread after an ESET blog post describing PromptSpy, students at New York University contacted the Slovak company to explain: this malware was just a prototype.
Md. Raz, one of the students and PhD candidates behind the malware, "just couldn't believe it" when he realized his work was being reported in the news.
After receiving a message from Raz and his colleagues, ESET updated its X-network post to state that their discovery was only a research project that would not work outside of a lab.
“This confirms our assumption that we were dealing with a prototype, and not with full-fledged malware deployed in a real environment,” the company said. “However, our conclusions remain valid: the detected samples represent the first known use of AI in ransomware.”
