Introduction
The boundaries between artificial intelligence and malware have just blurred further. For years, security professionals have warned about Large Language Models (LLMs) crafting sophisticated phishing emails or writing malicious code. However, researchers at ESET have uncovered a terrifying evolution: PromptSpy, the first known Android malware that actively abuses Google’s Gemini AI as a functional component of its execution flow.
This isn't just AI-generated malware; it is malware that uses AI. By integrating Gemini into its attack chain, PromptSpy automates persistence mechanisms—specifically targeting 'Recent Apps'—while simultaneously exfiltrating sensitive data like lockscreen credentials, device information, and screenshots. This discovery marks a shift from AI as a creator of threats to AI as an enabler of real-time malicious activity.
Analysis: The Gemini-Enabled Attack Vector
PromptSpy represents a sophisticated leap in Mobile Malware-as-a-Service (MaaS) capabilities. Its most novel feature is the abuse of the Gemini AI chatbot to automate persistence.
The Mechanism of Abuse
Traditionally, Android malware relies on complex native code or accessibility services to navigate the user interface (UI) and keep itself running in the background. PromptSpy offloads this cognitive load to Gemini.
- Execution Flow: The malware likely injects prompts into the Gemini interface or utilizes the Gemini API (if accessible via compromised credentials or SDK misuse) to analyze the device's state.
- Recent-Apps Persistence: By querying Gemini, the malware can interpret the visual output of the "Recent Apps" screen. It uses the AI to determine if the malicious app has been swiped away or if the OS is attempting to hibernate it, then automates the re-launch or masking process based on the AI's interpretation.
- Data Exfiltration: Beyond persistence, PromptSpy utilizes standard Android overlays to capture lockscreen patterns and PINs. It blocks uninstallation by abusing accessibility services to grant itself persistent permissions, making manual removal nearly impossible for the average user.
This "Living off the Land" (LotL) approach—using a trusted, high-privilege AI application to perform malicious logic—helps the malware evade traditional heuristic detection. To the security stack, traffic to Google’s AI servers may appear legitimate, masking the malicious command-and-control (C2) data embedded within the prompts.
Threat Hunting & Detection
Detecting PromptSpy requires a shift in mindset. We are no longer just looking for malicious binaries; we are looking for abnormal interactions between legitimate AI applications and third-party processes.
1. KQL Query (Microsoft Sentinel / Defender for Endpoint)
Use this KQL query to hunt for Android devices making excessive or suspicious calls to generative AI endpoints combined with accessibility service usage.
let AIPatterns = dynamic(["generativelanguage.googleapis.com", "googleapis.com/generative"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (AIPatterns)
| join kind=inner (
DeviceProcessEvents
| where FileName endswith ".apk" or InitiatingProcessFileName endswith ".apk"
| where InitiatingProcessCommandLine has "accessibility" or FileName has "accessibility"
) on DeviceId
| summarize RequestCount = count(), DistinctIPs = dcount(RemoteIP) by DeviceName, InitiatingProcessFileName, RemoteUrl
| where RequestCount > 10 // Threshold for AI API calls from a single app
| order by RequestCount desc
| project DeviceName, SuspiciousApp = InitiatingProcessFileName, AIEndpoint = RemoteUrl, RequestCount, DistinctIPs
2. Python Fingerprinting Script
This Python script can be used by SOC analysts to scan a directory of extracted Android APKs for suspicious imports or string references related to PromptSpy's behavior, specifically looking for API hooks into Google AI services.
import os
import zipfile
import re
def scan_for_promptspy(apk_path):
"""
Scans an APK file for strings and manifest entries indicative of PromptSpy behavior.
"""
suspicious_indicators = [
r"generativelanguage",
r"google\.ai\.generativelanguage",
r"gemini\.google\.com",
r"BIND_ACCESSIBILITY_SERVICE",
r"SYSTEM_ALERT_WINDOW"
]
findings = []
try:
with zipfile.ZipFile(apk_path, 'r') as z:
# Check AndroidManifest.xml for permissions
if 'AndroidManifest.xml' in z.namelist():
manifest = z.read('AndroidManifest.xml').decode('utf-8', errors='ignore')
for pattern in suspicious_indicators:
if re.search(pattern, manifest, re.IGNORECASE):
findings.append(f"Manifest match: {pattern}")
# Check classes.dex for AI API calls (rudimentary string search)
# In a real scenario, use androguard to decompile dex files properly
if 'classes.dex' in z.namelist():
# Note: This is a simplified check on binary data, not disassembled code
# Ideally, decompile DEX to smali first.
pass
except Exception as e:
return [f"Error reading APK: {str(e)}"]
return findings if findings else ["Clean (No immediate indicators)"]
# Usage Example
# for root, dirs, files in os.walk("/path/to/apks"):
# for file in files:
# if file.endswith(".apk"):
# result = scan_for_promptspy(os.path.join(root, file))
# print(f"{file}: {result}")
3. PowerShell for Log Analysis
If your organization exports mobile device management (MDM) logs to a centralized Windows server, use this PowerShell script to parse CSV logs for signs of unauthorized Accessibility Service activation.
param (
[string]$LogPath = ".\MDM_Device_Export.csv"
)
if (-not (Test-Path $LogPath)) {
Write-Error "Log file not found."
exit
}
$Logs = Import-Csv -Path $LogPath
# Filter for Android devices granting Accessibility Services to non-system apps
$SuspiciousEvents = $Logs | Where-Object {
$_.OSPlatform -eq "Android" -and
$_.PermissionGranted -eq "android.permission.BIND_ACCESSIBILITY_SERVICE" -and
$_.AppPackageName -notmatch "^com\.android\.|^com\.google\."
}
if ($SuspiciousEvents) {
Write-Host "[ALERT] Potential PromptSpy-like Activity Detected:" -ForegroundColor Red
$SuspiciousEvents | Format-Table DeviceID, AppPackageName, Timestamp, PermissionGranted -AutoSize
} else {
Write-Host "No suspicious accessibility grants found." -ForegroundColor Green
}
Mitigation Strategies
To defend against PromptSpy and similar AI-abusing malware:
- Restrict Accessibility Services: Enforce MDM policies that prevent non-essential applications from requesting Accessibility Services. This is the primary vector for PromptSpy's persistence and data theft.
- Network Egress Filtering: Monitor and, if possible, restrict access to public Generative AI APIs from non-whitelisted corporate mobile devices.
- Application Vetting: Block the installation of apps from third-party stores. PromptSpy is typically distributed via social engineering or trojanized applications on unofficial repositories.
- User Education: Train users to recognize the signs of malware, such as unexpected pop-ups, apps that cannot be uninstalled, or rapid battery drain caused by background AI processing.
Security Arsenal Plug
The emergence of AI-infused malware like PromptSpy demonstrates that traditional signature-based antivirus is no longer sufficient. You need a partner who understands the evolving threat landscape.
At Security Arsenal, our Penetration Testing services include specific mobile application attack simulations that test your apps against persistence mechanisms similar to PromptSpy. Furthermore, our Red Teaming operations can help you test your detection capabilities against these novel "living-off-the-land" AI attacks. If you are overwhelmed by the complexity of managing mobile endpoints, our Managed Security team provides 24/7 monitoring to catch threats before they achieve persistence.
Stay vigilant. The attackers are learning—and now, they are thinking with AI.
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.