- Security researchers have discovered PromptSpy, an advanced Android malware that abuses Google’s Gemini AI for persistence and device control.
- The malware is designed to capture lockscreen data, block uninstallation, gather information, take screenshots, and enable remote VNC access, primarily targeting users in Argentina.
- PromptSpy signifies a new evolution in mobile threats, using generative AI to adapt to any device UI, making conventional removal techniques ineffective.
Cybersecurity researchers at ESET have announced the discovery of the first known Android malware, codenamed PromptSpy, that actively exploits Google’s Gemini AI chatbot to maintain control over infected devices according to a recent report. The malware, distributed outside of Google Play via a dedicated website, uses Gemini to analyze the device’s screen and receive step-by-step instructions for locking the app in the recent apps list, preventing it from being killed.
Consequently, the primary function of PromptSpy is to deploy a VNC module that grants attackers remote access to the victim’s device. It also uses accessibility services to overlay invisible elements on the screen, blocking standard uninstallation attempts and capturing sensitive lockscreen data.
The campaign is financially motivated and, based on language clues, primarily targets users in Argentina. Meanwhile, evidence in the code, including debug strings in simplified Chinese, suggests PromptSpy was developed in a Chinese-speaking environment, as noted by researcher Lukáš Štefanko.
This use of AI makes the malware highly adaptive to different device layouts and Android versions. The only effective removal method is for victims to reboot the device into Safe Mode to uninstall third-party apps.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
