It was always going to happen, wasn’t it? The same AI assistants we ask for recipes or to settle pub quiz arguments are now being co-opted for far more sinister purposes. We’ve been so busy marvelling at what generative AI can do for us that we’ve spent precious little time on what it can do to us. Now, the bill is coming due, and it looks a lot like a piece of malware called PromptSpy.
This isn’t just another incremental update in the cybersecurity cat-and-mouse game. This is a fundamental shift in the attacker’s toolkit. The arrival of malware that actively uses a large language model (LLM) like Google’s Gemini to think on its feet represents a new and deeply worrying frontier in AI security threats.
The Assistant Becomes the Attacker
Let’s be clear about what security researchers at ESET have uncovered. According to their recent findings, detailed by publications like The Hacker News, a new piece of Android malware dubbed PromptSpy is doing something unprecedented. It’s not just stealing your data; it’s using an AI to figure out the best way to keep stealing it.
This is the evolution from VNCSpy, its less sophisticated predecessor. While VNCSpy required a human operator to manually control an infected device through a Virtual Network Computing (VNC) connection, PromptSpy automates the grim work. It uses Google’s Gemini to analyse what’s on your screen and then generates instructions for itself on how to navigate the user interface.
Think about that for a second. Traditional malware is like a burglar with a fixed plan and a crude map. It tries a door, then a window. If they’re locked, it might give up. Adaptive malware like PromptSpy is more like a professional thief who can improvise. It sees a locked door, spots a faint light coming from a side window, analyses the latch, and figures out how to pick it on the fly. This is the new reality of vulnerability exploitation.
A New Breed of Vulnerability Exploitation
So, how does it actually work? PromptSpy, distributed through a fake banking website masquerading as a JPMorgan Chase entity in Argentina, tricks users into granting it powerful accessibility permissions. This has long been a weak point in mobile security, as these services have legitimate uses but can be abused to grant an app god-like control over a device.
Once inside, its primary mission is persistence. It needs to stay alive, even if you try to close it. Here’s the real kicker, as ESET researcher Lukáš Štefanko explained: “Gemini is used to analyze the current screen and provide PromptSpy with step-by-step instructions on how to ensure the malicious app remains pinned in the recent apps list.”
The malware essentially looks at your phone’s “recent apps” screen, understands the layout thanks to Gemini, and then simulates the taps and swipes needed to “lock” itself in place. It even uses subtle tricks like creating an invisible overlay to block you from manually uninstalling it. It combines this AI-driven cleverness with a VNC module, allowing a remote attacker to take full control if needed. This isn’t just code; it’s code with a co-pilot.
The core techniques at play include:
– Abuse of Accessibility Services: The front door for taking control of the UI.
– Screen Analysis via AI: The “brains” of the operation, understanding what it’s “seeing”.
– Automated UI Interaction: Executing the plan to maintain persistence.
– VNC for Manual Override: A backdoor for a human attacker if the AI gets stuck.
This combination makes PromptSpy a formidable threat, representing a significant step up in the sophistication of financial Trojans.
The Dawn of Adaptive Malware
PromptSpy is the poster child for a new category of threat: adaptive malware. This isn’t just malware that can change its signature to avoid detection. This is malware that can observe its environment, process that information, and alter its behaviour in real-time to achieve its goals.
The implications are enormous. Imagine malware that could:
– Analyse security warning pop-ups and figure out how to dismiss them correctly.
– Read your emails or messages to craft unique, hyper-personalised phishing attacks against your contacts.
– Adapt its data exfiltration methods based on the network environment to avoid detection by security software.
We are moving from a world of predictable, script-based attacks to one of dynamic, intelligent ones. LLMs provide attackers with a cheap and scalable way to build logic that would have previously required a team of developers or a hands-on human operator. This is a game-changer for AI security threats, tipping the scales in the attackers’ favour.
Can Our Defences Adapt in Time?
So, the obvious question is: what can we do about it? Our current defense mechanisms are largely built for the old world. Antivirus software looks for known signatures. Network firewalls look for suspicious patterns of traffic. These are necessary, but they may no longer be sufficient.
Fighting adaptive malware requires adaptive defences. Security systems will themselves need to become smarter.
– Behavioural Analysis: Instead of just looking for what an app is, we need to focus more on what it’s doing. An app simulating user taps at a machine-like speed should be a massive red flag. Polling user behaviour and device interactions to spot non-human patterns becomes critical.
– AI-Powered Detection: The only way to fight fire is with fire. Defensive AI models must be trained to recognise the subtle footprints of malicious AI. This is the new arms race. Can our defensive AI outsmart their offensive AI?
– Zero-Trust on Mobile: The principle of “never trust, always verify” needs to be more rigorously applied to mobile devices. Granting broad accessibility permissions should come with far more friction and scarier warnings.
The discovery of PromptSpy, while concerning, is also a vital wake-up call. Security firms and platform owners like Google and Apple must now pivot to address this new dimension of mobile security.
The genie, as they say, is out of the bottle. We’ve built these incredibly powerful reasoning engines and made them available to the world. It was naive to think that only the good guys would find creative uses for them. PromptSpy is likely just the beginning, a proof-of-concept for a new generation of intelligent threats. The next few years will be defined by this struggle between AI-driven attacks and AI-driven defences.
So, as we move forward, the question isn’t if more AI-powered malware will appear, but what form it will take. What happens when this technique is perfected and deployed not against a few thousand banking users in one country, but against millions of devices globally? What’s your take on how we can possibly get ahead of this curve?
