ESET researchers have identified a new Android malware family, PromptSpy, that builds generative AI into its operation. In earlier campaigns, attackers typically used AI to write code or prepare phishing pages. PromptSpy stands out as the first known case in which the model is queried at run time, on the infected device, to decide what the malware does next.
PromptSpy uses Google's Gemini model to cope with the variety of device models, Android versions and app layouts in the Android ecosystem. Through an abused accessibility service, the malware reads the current screen's view hierarchy, serializes it as XML and sends it to Gemini. The model replies with action instructions in JSON, which the malware then carries out against the user interface. Because the model chooses targets from the semantic content of the screen rather than from hard-coded positions, the malware does not need per-device or per-app UI logic and works across different device environments.
The primary goal of the malware is to give the attackers full remote control over the device. PromptSpy is reported to be capable of recording the screen, capturing PINs and passwords, monitoring user activity and collecting personal data. ESET's researchers also singled out its self-protection mechanism.
Invisible Layers Deceiving the User
The malware stops the user from tapping "Uninstall" or "Force Stop" in the system Settings by drawing invisible layers over those buttons. PromptSpy was found to be spreading as an application named "MorganArg", which poses as an app of the bank Morgan Chase. The app is not available on the official Google Play Store and is distributed through a dedicated website instead.
Because the invisible layers block uninstallation through the normal Settings screens, the simplest way for most users to remove the application is to restart the device in Safe Mode. Safe Mode disables third-party applications, so the overlay is not drawn and the malware can be removed from the Applications menu like any other app.
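For a technician with USB debugging access there is a second route that does not depend on the on-screen buttons at all: package management over ADB runs in the shell user and is not affected by an overlay. The script below is an added example, not part of ESET's report or of this article. It lists third-party apps that have an accessibility service enabled, shows whether each holds the "draw over other apps" permission (SYSTEM_ALERT_WINDOW) that the invisible layers require, and uninstalls a named package. The package name com.morganarg.app and the sample command output are constructed for illustration; the page does not name the malware's actual package.

```shell
#!/bin/sh
# Added example, not part of the ESET report: triage an Android device over ADB
# for third-party apps with an enabled accessibility service, and remove one
# without going through the on-device Settings UI that the overlay covers.
# Parsing lives in functions so it can be exercised on constructed output.

# Turn the value of `settings get secure enabled_accessibility_services`
# (colon-separated "package/ServiceClass" entries, or "null") into package
# names, one per line.
accessibility_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | awk -F/ 'NF >= 2 && $1 != "" { print $1 }'
}

# Intersect those packages with `pm list packages -3` output ("package:com.x")
# so only sideloaded/third-party apps remain; built-in services such as
# TalkBack drop out here.
suspicious_packages() {
    third_party=$(printf '%s\n' "$2" | sed 's/^package://')
    for pkg in $(accessibility_packages "$1"); do
        if printf '%s\n' "$third_party" | grep -qxF -- "$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# Constructed sample output (not captured from an infected device). The package
# name com.morganarg.app is hypothetical.
SAMPLE_SERVICES='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.morganarg.app/com.morganarg.app.A11yService'
SAMPLE_THIRD_PARTY='package:com.morganarg.app
package:org.mozilla.firefox'

# Live mode runs only when adb is installed and a device is attached.
# Usage: sh triage.sh             -> list suspicious packages and overlay state
#        sh triage.sh <package>   -> additionally uninstall that package for user 0
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    services=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    third=$(adb shell pm list packages -3 | tr -d '\r')
    for pkg in $(suspicious_packages "$services" "$third"); do
        # SYSTEM_ALERT_WINDOW is the "draw over other apps" permission that
        # invisible overlay layers need.
        overlay=$(adb shell appops get "$pkg" SYSTEM_ALERT_WINDOW | tr -d '\r')
        printf '%s\n  %s\n' "$pkg" "$overlay"
    done
    if [ -n "$1" ]; then
        # pm uninstall is issued by the ADB shell user, so an overlay drawn
        # over the Settings buttons cannot intercept it.
        adb shell pm uninstall --user 0 "$1"
    fi
else
    echo "No device attached; parsing the constructed sample instead:"
    suspicious_packages "$SAMPLE_SERVICES" "$SAMPLE_THIRD_PARTY"
fi
```

Run it without arguments first and review the list; an accessibility service belonging to a sideloaded app that was never asked for such access, combined with an allowed SYSTEM_ALERT_WINDOW permission, is the combination the article describes. Only then pass the package name to remove it.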