Full Report
ESET researchers discover PromptSpy, the first known Android malware to abuse generative AI in its execution flow
Analysis Summary
# Tool/Technique: PromptSpy
## Overview
PromptSpy is a sophisticated Android malware family and the first known instance of mobile threats incorporating Generative AI (specifically Google Gemini) into its execution flow. Its primary purpose is to establish a Virtual Network Computing (VNC) module for remote device control, while utilizing AI to dynamically navigate diverse Android user interfaces to maintain persistence.
## Technical Details
- **Type:** Malware family (Spyware/RAT)
- **Platform:** Android
- **Capabilities:** AI-driven UI manipulation, Remote Access (VNC), screen recording, credential theft (PIN/Password), and defense evasion.
- **First Seen:** January 2026 (Campaign activity); publicly reported February 19, 2026.
## MITRE ATT&CK Mapping
- **TA0028 - Persistence**
- T1398 - Boot or Logon Initialization Scripts (BOOT_COMPLETED broadcast)
- T1541 - Foreground Persistence
- **TA0031 - Defense Evasion**
- T1516 - Input Injection (Accessibility Service abuse)
- **TA0029 - Credential Access**
- T1417.002 - Input Capture: GUI Input Capture (Lockscreen PIN/Password interception)
- **TA0032 - Discovery**
- T1426 - System Information Discovery
- T1418 - Software Discovery (Installed app list)
- **TA0035 - Collection**
- T1513 - Screen Capture (Video recording and screenshots)
- **TA0037 - Command and Control**
- T1663 - Remote Access Software (VNC module)
- T1521.001 - Symmetric Cryptography (AES encrypted C2)
- **TA0038 - Exfiltration**
- T1646 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **VNC Remote Control:** Allows operators to view the device screen and perform manual actions remotely.
- **Accessibility Service Abuse:** Used to block uninstallation attempts via invisible overlays and capture sensitive UI data.
- **Data Theft:** Collects device metadata, installed application lists, and captures lockscreen credentials.
- **Media Capture:** Capable of taking screenshots and recording screen activity as video files.
### Advanced Features
- **GenAI-Driven Persistence:** Uses Google Gemini to analyze the device screen via the Accessibility Service. The AI provides step-by-step instructions for the malware to perform the "lock app in recent apps" gesture. This allows the malware to adapt to different manufacturer skins (OEMs) and Android versions where UI paths for "pinning" apps vary.
- **Context-Aware UI Manipulation:** Unlike traditional scripts using hardcoded coordinates, PromptSpy’s use of AI allows it to interpret visual elements dynamically.
## Indicators of Compromise
- **File Hashes (SHA256):**
- `C14E9B062ED28115EDE096788F62B47A6ED841AC` (PromptSpy Payload)
- **File Names:** `mgapp.apk`
- **Network Indicators:**
- `m-mgarg[.]com` (Phishing/Distribution)
- `mgardownload[.]com` (Distribution)
- `54.67.2[.]84` (C2 Server)
- `52.222.205[.]45` (Phishing Hosting)
- **Behavioral Indicators:** Requests for high-level Accessibility Service permissions; unexpected foreground service notifications; automated UI interactions in the "Recent Apps" menu.
## Associated Threat Actors
- **Development Environment:** Indicators suggest development in a **Chinese-speaking environment**.
- **Targeting:** Primarily focused on users in **Argentina** via localized phishing campaigns.
## Detection Methods
- **Signature-based detection:** Modern mobile security suites (including Google Play Protect and ESET) detect the SHA256 hashes associated with the PromptSpy family.
- **Behavioral detection:** Monitoring for apps requesting Accessibility Services that subsequently programmatically interact with system settings or the "Recent Apps" task manager.
- **Anomaly Detection:** Identification of unusual outbound traffic on VNC-related ports or encrypted traffic to known malicious IPs.
## Mitigation Strategies
- **App Source Control:** Avoid side-loading apps from third-party websites; stick to official stores like Google Play.
- **Permission Review:** Be extremely cautious of apps requesting "Accessibility Services," as this is the primary mechanism for PromptSpy's AI-driven actions.
- **System Updates:** Keep Android OS updated to ensure the latest security patches against UI injection and overlay attacks.
- **Play Protect:** Ensure Google Play Protect is enabled to scan for known malicious signatures.
## Related Tools/Techniques
- **PromptLock:** The first known AI-powered ransomware (Android-based).
- **Android.Phantom:** Uses TensorFlow ML models for ad fraud/automated clicking.
- **SpyNote / AhMyth:** Traditional Android RATs (though these lack GenAI integration).