Security researchers have uncovered an Android malware strain that calls Google’s Gemini AI model to help it persist on an infected device.
The malware appears to target users in Argentina, and there are signs that a developer in China wrote its code, according to antivirus provider ESET. “We discovered the first known Android malware to abuse generative AI in its execution flow,” says ESET researcher Lukas Stefanko.

The malware has been dubbed “PromptSpy” because it sends predefined prompts to Gemini’s API. Its later stages install a module that gives the attackers remote access to the Android device. ESET says the Gemini component of the malware is relatively small, but it performs an important function: it uses Google’s model to interpret the user interface of the infected device.
“Specifically, Gemini is used to analyze the current screen and provide PromptSpy with step-by-step instructions on how to ensure the malicious app remains pinned in the recent apps list, thus preventing it from being easily swiped away or killed by the system,” ESET wrote in the report. “Since Android malware often relies on UI navigation, leveraging generative AI enables the threat actors to adapt to more or less any device, layout, or OS version, which can greatly expand the pool of potential victims.”
The company traced the malware to a phishing site at “m-mgarg[.]com,” which appeared to deliver PromptSpy through a related domain, “mgardownload[.]com.” Both domains were found to be offline. However, ESET spotted evidence that the sites were dressed up to impersonate the JPMorgan Chase Argentina banking brand.
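For defenders who want to hunt for the two domains ESET names, the following Python snippet is an added example (not code from ESET or from the article) that refangs the defanged indicators, matches them on label boundaries against a DNS query log, and correlates hits with queries to the public Gemini API host. The log lines are constructed, not real telemetry, and the Gemini API hostname is an assumption on my part; the article does not name the endpoint the malware contacts.

```python
import re
from typing import Iterable, List, Tuple

# Indicators as published in the article (defanged with "[.]").
DEFANGED_IOCS = ["m-mgarg[.]com", "mgardownload[.]com"]

# Assumption: the public Gemini API is served from this host. The article does
# not say which endpoint PromptSpy talks to, so treat this as a hunting lead,
# not an indicator: legitimate Google apps also query it.
GEMINI_API_HOST = "generativelanguage.googleapis.com"


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as "m-mgarg[.]com" back into a hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().strip()


IOC_DOMAINS = {refang(i) for i in DEFANGED_IOCS}


def host_matches(host: str, domain: str) -> bool:
    """True when host equals domain or is a subdomain of it.

    A plain substring test would also flag "notm-mgarg.com", so compare on
    label boundaries only.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


# Constructed dnsmasq-style query log used as sample input.
SAMPLE_LOG = """\
Feb 10 12:01:03 dnsmasq[1234]: query[A] connectivitycheck.gstatic.com from 10.0.0.21
Feb 10 12:01:09 dnsmasq[1234]: query[A] m-mgarg.com from 10.0.0.21
Feb 10 12:01:15 dnsmasq[1234]: query[A] cdn.mgardownload.com from 10.0.0.21
Feb 10 12:01:20 dnsmasq[1234]: query[A] notm-mgarg.com from 10.0.0.33
Feb 10 12:02:40 dnsmasq[1234]: query[AAAA] generativelanguage.googleapis.com from 10.0.0.21
"""

QUERY_RE = re.compile(r"query\[[A-Z]+\] (?P<host>\S+) from (?P<client>\S+)")


def find_ioc_hits(log_text: str, iocs: Iterable[str] = IOC_DOMAINS) -> List[Tuple[str, str, str]]:
    """Return (client, queried_host, matched_ioc) for every query that hits an IOC."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        host, client = m.group("host"), m.group("client")
        for ioc in iocs:
            if host_matches(host, ioc):
                hits.append((client, host, ioc))
                break
    return hits


def clients_with_ioc_and_gemini(log_text: str) -> List[str]:
    """Clients that both hit an IOC domain and queried the Gemini API host."""
    ioc_clients = {client for client, _, _ in find_ioc_hits(log_text)}
    gemini_clients = set()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and host_matches(m.group("host"), GEMINI_API_HOST):
            gemini_clients.add(m.group("client"))
    return sorted(ioc_clients & gemini_clients)


if __name__ == "__main__":
    for client, host, ioc in find_ioc_hits(SAMPLE_LOG):
        print(f"IOC hit: {client} queried {host} (matches {ioc})")
    print("IOC + Gemini API from same client:", clients_with_ioc_and_gemini(SAMPLE_LOG))
```

The Gemini correlation is deliberately a second-stage filter rather than a detection on its own: the Gemini app and many Google services legitimately resolve that host, so only the combination with a known phishing or download domain from the same client is worth an alert.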

“The malware uses similar branding, with the app name MorganArg and the icon inspired by Chase Bank,” the company added. “MorganArg, likely a shorthand for ‘Morgan Argentina,’ also appears as the name of the cached website, suggesting a regional targeting focus.”
ESET discovered PromptSpy after samples of the malware were uploaded from Argentina to Google’s malware-scanning service, VirusTotal, earlier this month. The first stage is a dropper that prompts the user for permission to install the malicious MorganArg app. If permission is granted, the malware contacts a hacker-controlled server to fetch the remaining payload, including a Virtual Network Computing (VNC) module, and requests Accessibility Service permissions. Together, these give the attackers remote access to the Android device.

“This allows the malware operators to see everything happening on the device, and to perform taps, swipes, gestures, and text input as though they were physically holding the phone,” ESET says, noting the malware can also intercept the lockscreen PIN and record the user’s screen.
Removing the malware is difficult. PromptSpy draws “transparent rectangles on specific screen areas” that are invisible to the user and block taps on the Uninstall and Force stop buttons that would shut down or remove the MorganArg app. “The only way for a victim to remove it is to reboot the device into Safe Mode, where third‑party apps are disabled and can be uninstalled normally,” ESET said.

The PromptSpy code also contains Chinese-language text, suggesting a developer from China was behind its creation. “It should be noted that we haven’t yet seen any samples of the PromptSpy dropper or its payload in our telemetry, which might indicate that both of them are just proofs of concept,” ESET said. Still, the phishing site m-mgarg[.]com suggests that PromptSpy may already have been targeting select users in Argentina.
PromptSpy is the latest malware to harness generative AI. In November, Google warned about two Windows-based malware families dubbed “Promptflux” and “Promptsteal” that also query generative AI models at runtime for code or commands. In addition, Anthropic recently reported that hackers had used its Claude AI chatbot to help plan large-scale data extortion campaigns and to develop ransomware.
ESET adds that it never found the PromptSpy malware on the Google Play Store. “As an App Defense Alliance partner, we nevertheless shared our findings with Google. Android users are automatically protected against known versions of this malware by Google Play Protect, which is enabled by default on Android devices with Google Play Services.”
Google didn’t immediately respond to a request for comment, but the company has likely revoked the malware’s access to Gemini.
About Our Expert
I’ve been a journalist for over 15 years. I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017, where I cover satellite internet services, cybersecurity, PC hardware, and more. I’m currently based in San Francisco, but previously spent over five years in China, covering the country’s technology sector.
Since 2020, I’ve covered the launch and explosive growth of SpaceX’s Starlink satellite internet service, writing 600+ stories on availability and feature launches, but also the regulatory battles over the expansion of satellite constellations, fights with rival providers like AST SpaceMobile and Amazon, and the effort to expand into satellite-based mobile service. I’ve combed through FCC filings for the latest news and driven to remote corners of California to test Starlink’s cellular service.
I also cover cyber threats, from ransomware gangs to the emergence of AI-based malware. Earlier this year, the FTC forced Avast to pay consumers $16.5 million for secretly harvesting and selling their personal information to third-party clients, as revealed in my joint investigation with Motherboard.
I also cover the PC graphics card market. Pandemic-era shortages led me to camp out in front of a Best Buy to get an RTX 3000. I’m now following how President Trump’s tariffs will affect the industry. I’m always eager to learn more, so please jump in the comments with feedback and send me tips.
More from Michael Kan