The first malware of its kind. It steals everything, including the money in your account
The malware has been named PromptSpy and, according to ESET, it is derived from another malware family called VNCSpy. What is so special about it? It is the first, or one of the first, pieces of Android malware to use generative AI, specifically (which seems a little absurd) Google's Gemini model.
PromptSpy malware for Android
How does the malware use Gemini? In an unusual way. On some phones you can pin an app in the recently used apps list. A pinned app is not killed when the user closes all apps at once from the recents screen, so it keeps running in the background.
The catch is that the way an app gets pinned differs from one phone manufacturer to another. That is why PromptSpy captures the current screen in XML form (the UI layout rather than a pixel screenshot) and sends it to Gemini. The model responds with JSON instructions describing how to pin the app on that particular device. The malware carries them out using the permissions granted to it as an Android Accessibility Service, then queries the model again to confirm that the pinning succeeded.
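The pivot of this whole scheme is the Accessibility Service permission, which lets an app read the screen and inject taps on behalf of the user. A practical first check on a device you suspect is therefore: which apps currently have an accessibility service enabled? The script below is an added example, not code from the article or from ESET. It reads the device setting that Android stores the list in (the `enabled_accessibility_services` secure setting, a colon-separated list of `package/ServiceClass` entries, readable over `adb shell settings get secure enabled_accessibility_services`) and flags every entry whose package is not on an allowlist. The allowlist contents and the `com.example.promptspy` package in the constructed sample are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the article or ESET): flag unexpected accessibility
# services enabled on an Android device.
#
# On a real device the raw value comes from:
#   adb shell settings get secure enabled_accessibility_services
# It is a colon-separated list of "package/ServiceClass" entries, or the
# literal string "null" when no service is enabled.

# Packages whose accessibility services you expect to see (screen readers,
# MDM agents, ...). Assumption: illustrative only; extend it for your fleet.
ALLOWED_PKGS="com.google.android.marvin.talkback com.samsung.android.accessibility.talkback"

# flag_unknown_a11y_services RAW_VALUE
# Prints, one per line, every enabled service whose package is not allowlisted.
flag_unknown_a11y_services() {
    raw="$1"
    # Nothing enabled: Android reports "null" (or an empty string).
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0
    fi
    printf '%s\n' "$raw" | tr ':' '\n' | while IFS= read -r svc; do
        [ -n "$svc" ] || continue
        pkg="${svc%%/*}"          # strip "/ServiceClass", keep the package
        case " $ALLOWED_PKGS " in
            *" $pkg "*) ;;        # known package, stay quiet
            *) printf '%s\n' "$svc" ;;
        esac
    done
    return 0
}

# Constructed sample standing in for adb output. The package name
# "com.example.promptspy" is hypothetical, not a real PromptSpy identifier.
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.promptspy/.A11yService"

# Use the value passed as the first argument, or fall back to the sample.
RAW="${1:-$SAMPLE}"

suspects="$(flag_unknown_a11y_services "$RAW")"
if [ -n "$suspects" ]; then
    echo "Accessibility services not on the allowlist:"
    printf '  %s\n' $suspects
else
    echo "No unexpected accessibility services enabled."
fi
```

To run it against a connected phone, pass the live setting in (carriage returns from `adb shell` are stripped first): `sh check_a11y.sh "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"`. An unknown entry is not proof of infection, but an accessibility service belonging to a recently installed, unfamiliar app is exactly what malware of this class needs, and the app's permission grants and install source deserve a look.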
According to ESET, the malware can:
- Upload a list of installed applications.
- Capture the screen lock PIN or password.
- Record the screen unlock pattern as a video.
- Take screenshots on demand.
- Record screen activity and user gestures.
- Report the currently running app and the screen status.
This gives the attacker ample opportunity to take over accounts in social media, apps and various services, and can potentially lead to a bank account being emptied.
In the introduction I wrote that the software can attack Android users. "Can", because there is no evidence yet that it has. According to ESET, PromptSpy may for now serve as a kind of proof of concept, showing that the use of AI in mobile malware is possible. However, according to VirusTotal, traces of the malware have already been found in a campaign impersonating JPMorgan Chase bank.
