
Security researchers at the antivirus firm ESET have uncovered the first Android malware that calls Google Gemini's neural network directly during an attack. The Trojan, dubbed PromptSpy, uses the generative AI model to navigate the smartphone's user interface and establish persistence on the device.

The malware sends Gemini an XML dump of the current screen, including exhaustive descriptions of every interface element. The model responds with step-by-step directives, formatted as JSON, that specify exactly which elements to interact with to reach its goal. Because the screen is interpreted at run time rather than matched against hardcoded coordinates, the Trojan works consistently across different Android versions, proprietary manufacturer shells, and screen resolutions. Once the application has pinned itself in the recent-apps list, where it cannot be dismissed by swiping, PromptSpy activates its built-in VNC component and gains full remote control of the device. “The model subsequently outputs sequential instructions in JSON format detailing the next clicks and actions required,” stated ESET representatives.

The malware can intercept lock-screen PINs and passwords, record video, capture screenshots, and harvest device information. Command and control run through a server with a fixed IP address, from which the Trojan also retrieves the API key it needs to talk to Gemini. To hide its presence, the malware abuses Android's accessibility services and invisible overlays, which defeats the standard uninstallation flow; the threat can only be removed by booting into Safe Mode.

The campaign is financially motivated and is distributed through a phishing website impersonating JPMorgan Chase Argentina (as an application called “MorganArg”), bypassing the Google Play store entirely. Debugging strings written in simplified Chinese were found in the code, suggesting the developers may be from that region. Researchers note that PromptSpy is an upgraded iteration of a previously identified Trojan, VNCSpy, which was observed just last month.
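The report ties the Trojan's stealth and persistence to a specific combination of Android capabilities: an accessibility service (to read the screen dump and drive the UI), overlay permission (to hide itself), and network access (to reach the C2 server and Gemini). The following Python triage script is an added example, not code from ESET or from the malware: it parses an AndroidManifest.xml and flags that combination so an analyst or app-vetting pipeline can surface samples worth a closer look. The two manifests embedded in it are constructed for illustration; the permission names and the accessibility-service intent action are real Android identifiers.

```python
"""Manifest triage: flag Android apps that declare the capability mix
PromptSpy is reported to abuse (accessibility service + overlays + network).
Added example; the manifests below are constructed, not from any real sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree key prefix for android:* attributes

# Permissions worth noting on their own; the combination decides the verdict.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of other apps",
    "android.permission.INTERNET": "has network access (C2 / remote API calls)",
    "android.permission.CAMERA": "can record video",
}
# An accessibility service is a <service> guarded by this permission and/or
# registering for this intent action.
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def analyze_manifest(xml_text: str) -> dict:
    """Return declared risky permissions, accessibility services, and a
    high_risk flag set when accessibility + overlay + network all appear."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    findings = [f"{name}: {why}" for name, why in RISKY_PERMISSIONS.items() if name in perms]

    acc_services = []
    for svc in root.iter("service"):
        actions = {act.get(A + "name") for act in svc.iter("action")}
        if svc.get(A + "permission") == BIND_ACCESSIBILITY or ACCESSIBILITY_ACTION in actions:
            acc_services.append(svc.get(A + "name"))
    findings.extend(f"accessibility service declared: {s}" for s in acc_services)

    high_risk = (
        bool(acc_services)
        and "android.permission.SYSTEM_ALERT_WINDOW" in perms
        and "android.permission.INTERNET" in perms
    )
    return {"findings": findings, "accessibility_services": acc_services, "high_risk": high_risk}


# Constructed manifest mimicking the reported capability mix (package name is a placeholder).
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="MorganArg">
    <service android:name=".UiDriverService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign manifest: network access alone should not trip the flag.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = analyze_manifest(text)
        print(f"[{label}] high_risk={result['high_risk']}")
        for line in result["findings"]:
            print("   -", line)
```

The check is deliberately a triage signal rather than a verdict: legitimate screen readers and automation tools also declare accessibility services, so a hit should route the sample to manual review or dynamic analysis (for example, watching for outbound traffic to a fixed IP and to a generative-AI API endpoint, as the report describes) rather than an automatic block.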