Full Report
Cybersecurity researchers have discovered what they say is the first Android malware that abuses Gemini, Google's generative artificial intelligence (AI) chatbot, as part of its execution flow and achieves persistence. The malware has been codenamed PromptSpy by ESET. The malware is equipped to capture lockscreen data, block uninstallation efforts, gather device information, take screenshots,
Analysis Summary
# Tool/Technique: PromptSpy
## Overview
PromptSpy is a sophisticated Android malware family, identified by ESET, that leverages Google’s Gemini generative AI chatbot to automate UI interactions and maintain persistence. It is designed for financial gain, specifically targeting users in Argentina by masquerading as JPMorgan Chase (under the name "MorganArg"). It is notable for being the first known Android malware to use a Large Language Model (LLM) as an "Android automation assistant" to adapt to various device layouts and OS versions.
## Technical Details
- **Type**: Malware family (Spyware / Trojan / VNC module)
- **Platform**: Android
- **Capabilities**: Screen recording, screenshot capture, persistence via AI-driven UI manipulation, credential theft (PIN/Pattern/Password), and remote access via VNC.
- **First Seen**: February 2026 (Reported); initial variants (VNCSpy) appeared January 2026.
## MITRE ATT&CK Mapping
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols
- T1571 - Non-Standard Port (VNC usage)
- **TA0003 - Persistence**
- T1546.015 - Event Triggered Execution: Accessibility Features
- **TA0009 - Collection**
- T1113 - Screen Capture
- T1417.001 - Input Capture: Keylogging (Lockscreen PIN/Pattern)
- **TA0005 - Defense Evasion**
- T1562.001 - Impair Defenses: Disable or Modify Tools (Blocking uninstallation via overlays)
## Functionality
### Core Capabilities
- **Gemini AI Integration**: Sends XML screen dumps and natural language prompts to Gemini. The AI returns JSON-formatted instructions (e.g., tap coordinates) to ensure the app remains "pinned" in the recent apps list, preventing it from being swiped away.
- **VNC Module**: Provides attackers with full remote access to the victim's device interface.
- **Data Exfiltration**: Captures lockscreen data, device information, and records screen activity as video files.
- **Accessibility Service Abuse**: Uses Android Accessibility Services to automate clicks and intercept user input without manual interaction.
### Advanced Features
- **Anti-Uninstallation**: Employs invisible overlays over system settings to intercept "Uninstall" clicks, making the app effectively impossible to remove through standard UI methods.
- **Dynamic Adaptation**: By using LLMs to interpret the UI, the malware can bypass changes in device layout or OS versions that would typically break traditional hard-coded automation scripts.
## Indicators of Compromise
- **File Hashes**:
- *Note: Specific SHA256 hashes were not provided in the source text, but samples are related to the VNCSpy family on VirusTotal.*
- **File Names**:
- MorganArg
- **Network Indicators**:
- `54.67.2[.]84` (C2 Server / VNC Protocol)
- `mgardownload[.]com` (Dropper Distribution Site)
- `m-mgarg[.]com` (Payload Hosting)
- **Behavioral Indicators**:
- Requests for Accessibility Service permissions immediately after installation.
- Persistent presence in "Recent Apps" that cannot be swiped away.
- Outbound traffic using the VNC protocol.
## Associated Threat Actors
- **Attribution**: Likely Chinese-speaking threat actors (based on simplified Chinese debug strings).
- **Motivation**: Financial (targeting Argentinian users via banking brand impersonation).
## Detection Methods
- **Signature-based detection**: Look for APKs containing strings related to the Gemini API execution flow or the VNC module components.
- **Behavioral detection**:
- Monitoring for apps that request Accessibility Services and subsequently attempt to communicate with known Gemini API endpoints using specific "Android automation assistant" prompts.
- Detection of VNC-specific traffic patterns originating from mobile devices.
- **Safe Mode Analysis**: If a device prevents uninstallation of an app via overlays, this behavior is a high-confidence indicator of PromptSpy infection.
## Mitigation Strategies
- **Prevention**: Strictly avoid downloading APKs from third-party websites (e.g., `mgardownload[.]com`). PromptSpy has never been available on the official Google Play Store.
- **Hardening**: Disable "Install from Unknown Sources" on Android devices.
- **Device Recovery**: If infected, users must reboot the device into **Safe Mode** to disable the malware's overlay/accessibility functions, allowing for a successful uninstallation.
## Related Tools/Techniques
- **VNCSpy**: An earlier, less advanced variant of the same malware family.
- **LLM-as-a-Module**: A technique where malware uses legitimate AI APIs (Gemini, ChatGPT) to conduct complex logic or UI navigation tasks.