It seems every other day we’re told how artificial intelligence will cure diseases, solve climate change, and perhaps even make our morning coffee. But for every utopian promise, there’s always a darker, more pragmatic reality waiting in the wings. Well, that reality has just knocked on the door of our smartphones. A new piece of AI-powered malware called PromptSpy is making the rounds, and it’s a nasty piece of work that offers a chilling glimpse into the future of cybercrime.
This isn’t just another bit of dodgy code that steals your contacts. PromptSpy is smarter. It uses Google’s own Gemini AI as an external brain to understand your phone’s screen and manipulate it. Think of it less as a pre-programmed robot and more as a remote-controlled puppet with a cunning strategist pulling the strings.
The New Playbook: Malware That Thinks
For years, Android malware has been a bit, well, dumb. It relied on hard-coded instructions designed for specific versions of Android or specific device layouts. If a button wasn’t exactly where the code expected it to be, the attack would fizzle out. It was effective, but brittle.
PromptSpy changes the game entirely. As detailed by security researchers at ESET, this malware doesn’t need a rigid script. Instead, it abuses the device’s Accessibility Services—a common tactic—to take a screenshot of whatever is on your display. It then sends this image to the Gemini AI with a simple prompt: “How do I click the button to pin this app?” Gemini, being the helpful AI that it is, analyses the image and sends back precise coordinates and instructions to navigate the user interface.
This is a monumental shift. The malware can now adapt to any device, any language, and any custom UI. It’s like a burglar who, instead of using a stolen key, has a master locksmith on a video call guiding them through picking whatever lock they encounter. This makes the attack incredibly resilient and scalable, representing one of the most sophisticated mobile security threats we’ve seen.
A Step-by-Step Heist
So, how does this all come together? The attack, observed targeting users in Argentina, starts with a classic lure. Victims are tricked into downloading a fake banking app, “MorganArg,” from a non-official website—a stark reminder of the dangers of sideloading applications.
Once installed, the app relentlessly pesters the user for Accessibility Service permissions. Granting this is like handing over the keys to your house. With this access, PromptSpy kicks its scheme into high gear:
– Achieving Immortality: The malware’s primary goal is using Gemini to navigate the recent apps screen and pin itself. This is one of the more cunning persistence techniques I’ve come across. By pinning itself, the user can no longer simply swipe it away to close it. It just sits there, always running.
– Blocking Removal: If you try to uninstall the app, PromptSpy throws an invisible overlay on top of the confirmation button. You think you’re tapping “Uninstall,” but you’re actually tapping thin air, and the malware stays put.
– Total Surveillance: Beyond its AI trick, PromptSpy contains a VNC (Virtual Network Computing) module. This component, which links it to a family of malware known as VNCSpy, effectively turns your phone into a public screen for the attacker. They can see everything you do and remotely control the device, exploiting VNC vulnerabilities to the fullest. This combination of intelligent automation and direct remote access is what makes these automated attacks so potent.
Researcher Lukáš Štefanko, who uncovered the threat, put it bluntly: “PromptSpy shows that Android malware is beginning to evolve in a sinister way.” He’s not wrong. The barrier to creating highly adaptive malware just dropped significantly.
The Broader Implications
While PromptSpy is currently a geographically focused threat in Argentina, the technique is globally applicable. The developers, believed to be from a Chinese-speaking environment, have created a blueprint. Now, any bad actor with API access to a powerful generative AI can replicate this model to target any region, any bank, or any group of users.
What does this mean for mobile security? It means that signature-based detection—looking for known pieces of malicious code—is becoming less effective. Security tools now need to focus on behaviour. Is an app taking frequent screenshots? Is it making unusual API calls to an AI service? Is it trying to manipulate core UI elements?
The defence is shifting from spotting the known enemy to spotting suspicious actions. For Google, this is a particularly thorny problem. How do you stop malicious actors from abusing your own powerful AI tools without crippling them for legitimate users? There are no easy answers here.
How to Protect Yourself (And Recover If You’re Hit)
The good news is that for all its cleverness, PromptSpy still relies on a user making a critical mistake. Here’s how you can stay safe:
– Never Sideload Apps: Only install applications from the official Google Play Store. The fake “MorganArg” app was distributed through a website, bypassing all of Google’s security checks.
– Guard Accessibility Services: Be extremely sceptical of any app that asks for Accessibility Service permissions, especially if it’s not a trusted tool designed for users with disabilities. This is the single most powerful permission you can grant an app.
– Check Your Pinned Apps: If an app you don’t recognise is pinned in your recent apps list and you can’t swipe it away, that’s a major red flag.
If you suspect your device is infected, conventional uninstallation won’t work due to the overlay trick. As reported in The Hacker News, you’ll need to reboot your phone into Safe Mode. This mode loads the OS with only the essential system apps, disabling third-party ones like PromptSpy. Once in Safe Mode, you can navigate to your settings and uninstall the malicious app without interference.
The emergence of AI-powered malware like PromptSpy isn’t just an evolution; it’s the start of a new arms race. The tools we’re building to improve our lives can, and will, be turned against us. The question now is, are the defenders innovating as quickly as the attackers? And what happens when the malware doesn’t just ask for instructions, but starts learning and making its own decisions?
