PromptSpy malware uses Gemini to automate its persistence

The malware blocks removal through an AI-guided interface control

Gemini interprets screen data and returns actionable gestures

Security experts have revealed new findings on PromptSpy, an Android malware whose code contains a predefined prompt and AI configuration that are hardcoded and cannot be changed at runtime.

The malware uses Google’s Gemini to interpret on-screen elements and provide step-by-step instructions for interacting with the user interface.

By sending XML snapshots of the device screen to Gemini, PromptSpy receives precise gestures, taps, and swipes needed to keep its app pinned in the recent apps list.

Persistence through AI-guided interface interaction

New information from researchers at ESET describes this as the first known instance of Android malware using generative AI in its execution flow.

PromptSpy’s infection chain begins with a dropper application that mimics a legitimate update in Spanish and encourages users to install the app.

Once installed, the payload requests Accessibility Service permissions, which enable the malware to capture detailed UI information and perform automated interactions.

Using this data, PromptSpy continuously communicates with Gemini, sending XML snapshots of the screen and receiving step-by-step instructions to lock itself in the recent apps list.

Transparent overlays on uninstall or stop buttons prevent normal removal and require users to enter Safe Mode to uninstall the app.

The malware also contains a VNC module that allows operators to remotely monitor devices and interact with the interface, so it can intercept lock screen credentials, record user gestures, take screenshots, and capture video of the device’s activity.

Communication with the command-and-control server is encrypted using AES, which allows the malware to securely receive Gemini API keys.

A portion of the code uses generative AI to interpret UI scenarios and provide step-by-step instructions to maintain persistence.

The localization details of this malware indicate that PromptSpy was developed in a Chinese-speaking environment; however, its distribution appears to have targeted Spanish-speaking users in South America, specifically Argentina.

The malware is not available on Google Play, but Google Play Protect provides protection against known versions.

PromptSpy requests Accessibility Service permissions, captures device UI context, and performs actions in the background without user input.

It locks itself in the recent apps list using AI instructions from Gemini and overlays transparent elements on uninstall buttons to block removal of the malware.

The malware’s network traffic to its hardcoded command-and-control server is subject to firewall filtering.

The dropper application uses a fake update screen in Spanish to prompt installation of the payload.

Once launched, PromptSpy communicates with its hardcoded command-and-control server to receive instructions, including Gemini API keys.

The malware captures XML snapshots of the device screen and sends them to Gemini, which returns JSON-formatted instructions that the malware executes to ensure persistence.
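Because the payload depends on an enabled Accessibility Service and is distributed outside Google Play, a device can be triaged by listing enabled accessibility services and flagging those whose package was not installed by a trusted store. The following is an added example, not code from ESET or from the malware; the package names and sample command outputs are constructed, and treating Google Play as the only trusted installer is an assumption.

```python
# Added triage example: flag enabled accessibility services from untrusted installers.
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play is trusted

# Constructed output of: adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = ("com.example.screenreader/com.example.screenreader.ReaderService:"
               "com.example.update/.core.A11yService")

# Constructed output of: adb shell pm list packages -i
SAMPLE_PM = """\
package:com.example.screenreader  installer=com.android.vending
package:com.example.update  installer=null
package:com.example.notes  installer=com.android.vending
"""

def parse_a11y(raw):
    """Return [(package, service_class)] from the colon-separated setting value."""
    raw = raw.strip()
    if not raw or raw == "null":      # setting unset: no services enabled
        return []
    services = []
    for comp in raw.split(":"):
        pkg, sep, cls = comp.strip().partition("/")
        if not sep or not pkg:        # skip malformed components
            continue
        if cls.startswith("."):       # expand shorthand class relative to package
            cls = pkg + cls
        services.append((pkg, cls))
    return services

def parse_installers(raw):
    """Map package -> installer name, or None when pm reports installer=null."""
    installers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        fields = line[len("package:"):].split()
        installer = None
        for field in fields[1:]:
            if field.startswith("installer="):
                value = field[len("installer="):]
                installer = None if value == "null" else value
        installers[fields[0]] = installer
    return installers

def flag_suspicious(a11y_raw, pm_raw, trusted=TRUSTED_INSTALLERS):
    """Return (package, class, installer) for services not from a trusted installer."""
    installers = parse_installers(pm_raw)
    return [(pkg, cls, installers.get(pkg)) for pkg, cls in parse_a11y(a11y_raw)
            if installers.get(pkg) not in trusted]
```

Preinstalled system apps also report `installer=null`, so cross-check any hit against `pm list packages -s` before treating it as sideloaded.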

