First Android Malware to Leverage Generative AI in its Execution Flow: A New Era of Cyber Threats
Researchers Discover Android Malware Employing Generative AI for Enhanced Persistence
A newly identified strain of Android malware, dubbed PromptSpy, has been found to leverage generative AI in its execution flow, marking a significant milestone in the evolution of mobile threats. This innovative approach enables the malware to adapt to various device configurations and Android versions, thereby expanding its potential victim pool.
PromptSpy’s Primary Function and Persistence Mechanism
PromptSpy’s primary function is to establish a remote connection to a victim’s device via a built-in VNC module, granting operators unfettered access. To achieve persistence, the malware queries Google’s Gemini AI model for step-by-step instructions, tailored to the device it is running on, for pinning the malicious app to the recent apps list, effectively “locking” it in place. This tactic allows the malware to maintain its presence on the device even after a reboot.
Additional Malicious Activities
In addition to its AI-driven persistence mechanism, PromptSpy abuses Accessibility Services to block uninstallation attempts by overlaying invisible elements on the screen. The malware also captures lockscreen data, records screen activity as video, and encrypts its command-and-control traffic with AES.
Origin and Distribution
Researchers believe that PromptSpy is financially motivated, primarily targeting users in Argentina. The malware is distributed through a dedicated website and has not been observed on the Google Play Store. Android users with Google Play Services enabled on their devices are automatically protected against known versions of this malware through Google Play Protect.
Removal and Prevention
Victims of PromptSpy can remove the malware by rebooting their device into Safe Mode, where third-party apps are disabled and can be uninstalled normally. To do so, users should press and hold the power button, then long press Power off and confirm the Reboot to Safe Mode prompt. Once in Safe Mode, users can navigate to Settings → Apps → MorganArg and uninstall the malware without interference.
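Because the malware relies on an enabled Accessibility Service to block uninstallation, a quick triage step before or after the Safe Mode procedure is to list which services are enabled and flag any that are not expected. The script below is an added example, not code from the original article or from the researchers; it parses the value of the real Android secure setting `enabled_accessibility_services` (a colon-separated list of `package/service` entries) over a constructed sample, and the allowlisted package names are assumptions an analyst would adjust for their own fleet.

```shell
#!/bin/sh
# Added example (not from the article): flag unexpected accessibility services
# from the output of:  adb shell settings get secure enabled_accessibility_services
# The setting is a colon-separated list of "package/serviceclass" entries, or
# "null" (or empty) when no service is enabled.

# Packages whose accessibility services are expected on the device.
# Assumption: the analyst maintains this list; these two are common built-ins.
ALLOWED_PKGS="com.google.android.marvin.talkback com.android.switchaccess"

# Print every enabled service whose package is not allowlisted.
# $1: the raw value of enabled_accessibility_services
flag_unknown_services() {
  raw="$1"
  [ "$raw" = "null" ] && return 0       # no services enabled
  [ -z "$raw" ] && return 0
  echo "$raw" | tr ':' '\n' | while IFS= read -r entry; do
    [ -z "$entry" ] && continue
    pkg="${entry%%/*}"                  # strip "/ServiceClass"
    case " $ALLOWED_PKGS " in
      *" $pkg "*) ;;                    # expected service, ignore
      *) echo "$entry" ;;               # unexpected: candidate for removal in Safe Mode
    esac
  done
}

# Constructed sample: one legitimate screen reader plus one sideloaded app.
# The package name com.example.sideloaded is a placeholder, not an indicator.
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.sideloaded/com.example.sideloaded.OverlayService'

main() {
  # On a real device, replace SAMPLE with:
  #   $(adb shell settings get secure enabled_accessibility_services)
  flagged=$(flag_unknown_services "$SAMPLE")
  if [ -n "$flagged" ]; then
    echo "Unexpected accessibility services enabled:"
    echo "$flagged"
  else
    echo "No unexpected accessibility services enabled."
  fi
}

main
```

Any flagged package can then be uninstalled from Settings → Apps after rebooting into Safe Mode, where its overlay cannot interfere.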
Conclusion
The emergence of AI-powered malware like PromptSpy underscores the need for users to remain vigilant and proactive in protecting their mobile devices from evolving threats.
