PromptSpy Android Malware Abuses Gemini AI at Runtime for Persistence

ESET researchers analyzed PromptSpy, an Android malware that uses a VNC module and Accessibility Services to capture screens, steal unlock credentials, and enable remote control of compromised devices. What sets the malware apart is its use of Google's Gemini generative AI at runtime: it sends the XML of on-screen UI elements to Gemini and follows the JSON instructions it returns, performing taps and swipes to keep itself in recent apps and block uninstallation, so that removal requires booting into Safe Mode. #PromptSpy #Gemini

Key points

  • PromptSpy deploys a VNC module to view and control compromised Android devices.
  • It collects device information, captures lockscreen PINs or passwords, records screen unlock patterns, and takes screenshots.
  • At runtime PromptSpy sends UI XML to Google Gemini, which returns JSON instructions for taps and swipes to enable persistence.
  • The malware abuses Accessibility Services and invisible overlays to intercept uninstall attempts, making removal possible only in Safe Mode.
  • ESET has not observed active infections and attributes development to Chinese authors with medium confidence, noting a possible delivery domain targeting Argentina.

Read More: https://www.securityweek.com/promptspy-android-malware-abuses-gemini-ai-at-runtime-for-persistence/