Android Malware Exploits Gemini for Device Navigation

• AI Integration Method: PromptSpy submits natural language prompts to Gemini along with an XML dump of the device's current screen state, receiving JSON-formatted instructions in return[1] • Persistence Mechanism: Uses Gemini to generate step-by-step UI navigation instructions to lock the malicious app in Android's Recent Apps list, preventing easy termination[2][3] • Prompt Structure: Initial system prompt instructs Gemini to act as an Android automation assistant, analyze UI XML data, and output operation instructions in JSON format with explicit warnings against guessing task completion[2] • Execution Flow: Malware executes Gemini-suggested actions (taps, swipes, navigation) through Accessibility Services, then returns updated screen state for next iteration until Gemini confirms task completion[2][3] • Command & Control: Communicates with C&C server at 54.67.2.84 using VNC protocol with AES-encrypted messages for receiving Gemini API keys and exfiltrating data[2] • Anti-Removal Protection: Weaponizes Accessibility Services by overlaying invisible rectangles over critical buttons containing substrings like 'stop,' 'end,' 'clear,' and 'Uninstall' to intercept uninstallation attempts[2] • Predefined AI Model: The AI model and prompt are hardcoded and cannot be changed by threat actors, limiting flexibility but ensuring consistent behavior[1][4] • Distribution: Delivered through dedicated website rather than official app stores; never appeared on Google Play Store[4]

PromptSpy demonstrates a significant evolution in Android malware tactics by showing how generative AI can overcome a fundamental limitation of traditional mobile automation—the brittleness of hardcoded UI coordinates and selectors across device variants. This proof-of-concept establishes a template that threat actors could replicate and expand upon, potentially using AI for more sophisticated evasion techniques beyond persistence. The integration of AI into malware execution flow represents a new attack surface where defenders must consider not only traditional malware signatures but also AI-assisted behavioral adaptation. However, the narrow scope of AI usage in PromptSpy (limited to persistence) suggests that widespread adoption may require further development. The discovery also highlights the dual-use nature of generative AI APIs and may prompt cloud providers to implement stricter monitoring of suspicious automation patterns. Organizations should anticipate that future Android malware may leverage AI for credential harvesting, lateral movement, and dynamic evasion in ways that current detection mechanisms are not optimized to identify.