PromptSpy Android Malware Abuses Gemini AI at Runtime for Persistence
Briefly

"For persistence, the Android malware uses a novel approach at runtime that involves sending a prompt to Google's Gemini gen-AI chatbot along with an XML file containing data about the various UI elements displayed on the screen, including their type, text, and position. Gemini uses this information to tell PromptSpy - via JSON instructions - where to tap or swipe on the screen in order to add the malware to the list of recent apps."
"When the user attempts to uninstall the payload or disable Accessibility Services, the malware overlays transparent rectangles on specific screen areas - particularly over buttons containing substrings like stop, end, clear, and Uninstall. These overlays are invisible to the user but intercept interactions, making removal difficult." "Because PromptSpy blocks uninstallation by overlaying invisible elements on the screen, the only way for a victim to remove it is to reboot the device into Safe Mode, where"
PromptSpy uses generative AI to drive its runtime interaction with an infected Android device. It deploys a VNC module so operators can view the screen and take full control, gathers device information, captures lockscreen PINs and passwords, records the screen to obtain unlock patterns, and takes screenshots. For persistence, it sends Google's Gemini a prompt together with an XML description of the on-screen UI elements (type, text and position); Gemini returns JSON instructions saying where to tap or swipe, and the malware executes those gestures through Accessibility Services to add itself to the recent-apps list. It also draws invisible overlay rectangles over buttons whose labels contain substrings such as stop, end, clear and Uninstall, so the victim cannot remove it without rebooting into Safe Mode.
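The overlay trick above leaves a trace in the very data the malware itself relies on: a dump of the UI hierarchy. The script below is an added analyst-side example, not code from SecurityWeek, ESET or the malware. It parses a constructed uiautomator-style XML dump (the real `uiautomator dump` format uses `<node ... bounds="[x1,y1][x2,y2]">`; the sample here is invented, including the package name `com.example.suspicious`), finds buttons whose text contains the substrings the article lists, and reports any textless node from a different package that geometrically intersects them. The assumptions that an overlay window shows up under the overlaying app's package and carries no text are the author's, not facts from the page.

```python
import re
import xml.etree.ElementTree as ET

# Substrings the article says PromptSpy targets when placing its invisible overlays.
TARGET_SUBSTRINGS = ("stop", "end", "clear", "uninstall")

# Constructed sample dump (not a real device capture). It imitates the uiautomator
# XML layout. The last node is a transparent View from another package sitting on
# top of the "Uninstall" button, the pattern described in the article.
SAMPLE_DUMP = """<hierarchy rotation="0">
  <node class="android.widget.FrameLayout" package="com.android.settings" text="" bounds="[0,0][1080,2400]">
    <node class="android.widget.Button" package="com.android.settings" text="Force stop" clickable="true" bounds="[60,1800][520,1920]"/>
    <node class="android.widget.Button" package="com.android.settings" text="Uninstall" clickable="true" bounds="[560,1800][1020,1920]"/>
    <node class="android.widget.Button" package="com.android.settings" text="Open" clickable="true" bounds="[60,1950][1020,2070]"/>
  </node>
  <node class="android.view.View" package="com.example.suspicious" text="" clickable="true" bounds="[550,1790][1030,1930]"/>
</hierarchy>
"""

BOUNDS_RE = re.compile(r"\[(\d+),(\d+)\]\[(\d+),(\d+)\]")


def parse_bounds(bounds):
    """Turn a uiautomator bounds string "[x1,y1][x2,y2]" into a tuple of ints."""
    m = BOUNDS_RE.fullmatch(bounds.strip())
    if not m:
        raise ValueError(f"unrecognised bounds: {bounds!r}")
    return tuple(int(v) for v in m.groups())


def coverage(overlay, button):
    """Fraction of the button rectangle covered by the overlay rectangle (0.0 to 1.0)."""
    ox1, oy1, ox2, oy2 = overlay
    bx1, by1, bx2, by2 = button
    ix1, iy1 = max(ox1, bx1), max(oy1, by1)
    ix2, iy2 = min(ox2, bx2), min(oy2, by2)
    if ix1 >= ix2 or iy1 >= iy2:
        return 0.0
    button_area = (bx2 - bx1) * (by2 - by1)
    if button_area <= 0:
        return 0.0
    return ((ix2 - ix1) * (iy2 - iy1)) / button_area


def find_overlaid_buttons(xml_text):
    """Return buttons with a targeted label that a foreign, textless node overlaps.

    Assumption (author's, not from the article): an overlay window appears in the
    dump under the package that drew it and has no text of its own.
    """
    root = ET.fromstring(xml_text)
    nodes = [n for n in root.iter("node") if n.get("bounds")]
    findings = []
    for target in nodes:
        label = target.get("text", "")
        if not any(s in label.lower() for s in TARGET_SUBSTRINGS):
            continue
        target_box = parse_bounds(target.get("bounds"))
        for other in nodes:
            if other is target or other.get("package") == target.get("package"):
                continue
            if other.get("text", "") != "":
                continue
            frac = coverage(parse_bounds(other.get("bounds")), target_box)
            if frac > 0.0:
                findings.append({
                    "button": label,
                    "button_package": target.get("package"),
                    "overlay_package": other.get("package"),
                    "overlay_class": other.get("class"),
                    "coverage": frac,
                })
    return findings


if __name__ == "__main__":
    for f in find_overlaid_buttons(SAMPLE_DUMP):
        print(f"{f['button']!r} ({f['button_package']}) is {f['coverage']:.0%} covered "
              f"by a textless {f['overlay_class']} from {f['overlay_package']}")
```

On the constructed sample this reports only the "Uninstall" button (fully covered); "Force stop" matches a target substring but nothing foreign overlaps it. Against a real device, feed the output of `adb shell uiautomator dump` into `find_overlaid_buttons`; partial overlaps are reported too, since the page says the overlays sit over "specific screen areas" rather than necessarily covering a whole button.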
Read at SecurityWeek