PromptSpy

PROMPTSPY’s “GeminiAutomationAgent” module serializes the device’s visible UI hierarchy into XML, sends it to Gemini’s gemini-2.5-flash-lite model, and receives structured JSON commands...

“AI-enabled malware, such as PROMPTSPY, signal a shift toward autonomous attack orchestration, where models interpret system states to dynamically generate commands and manipulate victim environments.”

If the victim device becomes inactive, PROMPTSPY operators can utilize Firebase Cloud Messaging (FCM) to relaunch the backdoor, allowing the threat actor to continue their intrusion activity without alerting the victim.

“…cached versions revealed they were likely trying to imitate a Chase Bank website.”

“distributed through malicious websites impersonating Chase Bank, using branding like ‘MorganArg.’ A related phishing app… helps deliver the final payload.”

“AI-enabled malware, such as PROMPTSPY, signal a shift toward autonomous attack orchestration, where models interpret system states to dynamically generate commands and manipulate victim environments.”

When a victim tries to uninstall it, PromptSpy locates the uninstall button on screen and places an invisible layer over it, intercepting the victim's tap so the button appears not to work.

“PromptSpy deploys a VNC module for remote control, abuses Accessibility Services to block removal…” … “After installation, it requests Accessibility permissions…” … “To prevent removal, it overlays invisible elements over uninstall buttons.”

If the victim device becomes inactive, PROMPTSPY operators can utilize Firebase Cloud Messaging (FCM) to relaunch the backdoor, allowing the threat actor to continue their intrusion activity without alerting the victim.

GTIG also highlighted PROMPTSPY ... that abuses the Gemini API and accessibility features to interact with the Android user interface (UI) in an automated fashion.

If the victim device becomes inactive, PROMPTSPY operators can utilize Firebase Cloud Messaging (FCM) to relaunch the backdoor, allowing the threat actor to continue their intrusion activity without alerting the victim.

GTIG also highlighted PROMPTSPY ... that abuses the Gemini API and accessibility features to interact with the Android user interface (UI) in an automated fashion.

If the victim device becomes inactive, PROMPTSPY operators can utilize Firebase Cloud Messaging (FCM) to relaunch the backdoor, allowing the threat actor to continue their intrusion activity without alerting the victim.

If the victim tries to uninstall PROMPTSPY, the malware employs its 'AppProtectionDetector' module to identify the on-screen coordinates of the 'Uninstall' button. The malware renders an invisible overlay directly over the button as a shield that silently intercepts and consumes the victim's touch events, making the button appear unresponsive to the user.

According to the researchers, the role of the prompt is to assign a benign persona so it can bypass the LLM's safety features.

it intercepts uninstall attempts by rendering an invisible overlay over the uninstall button to silently consume touch events.

Promptspy used the Gemini API as an Android backdoor to analyze UI structure and simulate clicks, swipes, and even included a delete sabotage feature.

When a victim tries to uninstall it, PromptSpy locates the uninstall button on screen and places an invisible layer over it, intercepting the victim's tap so the button appears not to work.

PROMPTSPY embeds a module called GeminiAutomationAgent that sends a serialized XML representation of the victim device’s current UI hierarchy... and parses the model’s structured JSON response into specific touch coordinates and gesture commands.

placing a transparent overlay over the “delete” button to intercept touch events when the victim tries to delete the app

“PromptSpy submits a natural language prompt to Gemini, together with an XML dump of the device's current screen, and the chatbot returns JSON instructions for what action to perform and where to perform it…”

It can also capture biometric replay artifacts to re-authenticate to a locked device

Promptspy used the Gemini API as an Android backdoor to analyze UI structure and simulate clicks, swipes, and even included a delete sabotage feature.

“ESET calls it PromptSpy, malware whose primary goal is to deploy a VNC module that hands hackers remote control of infected devices.”

PROMPTSPY embeds a module called GeminiAutomationAgent that sends a serialized XML representation of the victim device’s current UI hierarchy... and parses the model’s structured JSON response into specific touch coordinates and gesture commands.

placing a transparent overlay over the “delete” button to intercept touch events when the victim tries to delete the app

“PromptSpy submits a natural language prompt to Gemini, together with an XML dump of the device's current screen, and the chatbot returns JSON instructions for what action to perform and where to perform it…”

The malware contains an autonomous module that maps the visible layout of a device's screen, sends that layout to Gemini and receives back precise coordinates and gesture instructions like clicks and swipes that it then executes to navigate the phone on the attacker's behalf.

If the victim device becomes inactive, PROMPTSPY operators can utilize Firebase Cloud Messaging (FCM) to relaunch the backdoor, allowing the threat actor to continue their intrusion activity without alerting the victim.

Promptflux : A self-morphing dropper that calls the Gemini API to periodically rewrite its own source code

PROMPTSPY, an Android backdoor... sends a serialized XML representation of the victim device’s current UI hierarchy to the gemini-2.5-flash-lite model... and parses the model’s structured JSON response into specific touch coordinates and gesture commands

Specifically, the malware’s command-and-control (C2) infrastructure, including the Gemini API keys and the VNC relay server, can be updated dynamically via the C2 channel.

“uses encrypted C2 communications.” … “communicates with its C2 server using AES-encrypted VNC traffic.”

Promptspy used the Gemini API as an Android backdoor to analyze UI structure and simulate clicks, swipes, and even included a delete sabotage feature.

Investigators identified an autonomous component called "GeminiAutomationAgent," which reportedly relies on a hardcoded prompt to help the malware evade AI safety mechanisms.