
AI-Powered Android Malware: PromptSpy Uses Gemini to Take Control of Phones

by Sophie Williams

A recent strain of Android malware is leveraging the power of artificial intelligence, marking a significant escalation in mobile cybersecurity threats. ESET researchers have identified “PromptSpy,” a malicious application that utilizes Google’s Gemini AI model to establish a persistent foothold on compromised devices and gain extensive control.

The malware disguises itself as a legitimate application, such as a fake banking app called “MorganArg,” to trick users into installing it. Once installed, PromptSpy requests a range of permissions; if the user grants them, it gains the ability to manage nearly all device functions, according to ESET’s analysis.

FULL CONTROL OVER DEVICES

PromptSpy grants attackers a wide range of capabilities on infected phones. Researchers found that attackers can monitor the screen in real time, read messages, initiate money transfers, and steal passwords. The application also employs techniques to hinder removal: it places invisible layers over the screen that disable critical keys, making it difficult to shut down.

Experts note that this effectively gives attackers control of the phone as if they were holding it physically.

A NEW GENERATION OF ATTACKS POWERED BY AI

What sets this malware apart is its use of artificial intelligence. PromptSpy sends the current screen image of the phone to Gemini. The AI then analyzes the screen as a human would, instructing the malware on which steps to take. This allows the malicious software to operate effectively across different Android versions and a wide variety of devices, without relying on specific command sequences. The ability to adapt to different interfaces represents a new level of sophistication in mobile malware.

Analysis suggests the software developers may be linked to a Chinese-speaking environment. The fake application has not been detected in official app stores.

Researchers emphasize the importance of downloading applications only from trusted sources, particularly through Google Play. They also advise caution when granting broad permissions, such as access to accessibility services, as misuse of these permissions can lead to remote control of the device.
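One practical way to act on that advice is to review which accessibility services are actually enabled on a device, since that setting is where an app like PromptSpy would have to appear once it has been granted such access. The script below is an added example written for this article, not code from ESET or from the malware analysis. It parses the value Android returns for the `enabled_accessibility_services` secure setting (entries of the form `package/ServiceClass`, separated by colons, or the literal `null` when nothing is enabled) and flags any entry whose package is not on an allowlist. The allowlist contents, the sample value and the `com.example.unknownapp` package are constructed for the example; on a real device the value would come from `adb shell settings get secure enabled_accessibility_services`.

```shell
#!/bin/sh
# Added example (not from the article or ESET): flag accessibility services
# enabled on an Android device that are not on an allowlist.
#
# On a live device the input comes from:
#   adb shell settings get secure enabled_accessibility_services
# Format: package/ServiceClass entries separated by ':' (or "null" if none).

# Packages whose accessibility services are expected. This allowlist is an
# assumption for the example (TalkBack is Android's built-in screen reader);
# an organisation would substitute its own list.
ALLOWED_ACCESSIBILITY='com.google.android.marvin.talkback'

# flag_unexpected_services SETTING_VALUE
# Prints every enabled service whose package is not allowlisted, one per line.
# Returns 0 when nothing unexpected is enabled, 1 otherwise.
flag_unexpected_services() {
    value=$1
    found=0
    # "null" is what `settings get` prints when no service is enabled.
    [ "$value" = "null" ] && return 0
    old_ifs=$IFS
    IFS=':'
    for entry in $value; do
        pkg=${entry%%/*}            # package name is the part before '/'
        case " $ALLOWED_ACCESSIBILITY " in
            *" $pkg "*) ;;          # expected service, nothing to report
            *) echo "$entry"; found=1 ;;
        esac
    done
    IFS=$old_ifs
    return $found
}

# Constructed sample value: TalkBack plus a hypothetical unknown service.
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.unknownapp/com.example.unknownapp.AccessService'

# Live-device usage (commented out so the script runs offline):
# flag_unexpected_services "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"

if flag_unexpected_services "$SAMPLE" > /dev/null; then
    echo "no unexpected accessibility services"
else
    echo "unexpected accessibility services found:"
    flag_unexpected_services "$SAMPLE"
fi
```

Run against the constructed sample, the script reports only the `com.example.unknownapp` entry and exits non-zero, which makes it usable as a check in a fleet-wide device audit. Any flagged entry is a candidate for review rather than proof of infection, since legitimate accessibility apps also appear here; the point is that remote-control malware of this kind cannot hide from this setting once it holds the permission.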

HOW TO PROTECT YOURSELF

According to ESET, regular system updates can help reduce the risk. Users who suspect an infection can often remove the problematic application by booting the device into safe mode. Devices with Google Play Protect enabled may also be able to detect known versions of the malware.
