Android virus PromptSpy Google Gemini – how AI helps hackers

Main points

  • ESET cybersecurity specialists have discovered a new threat to Android devices – the PromptSpy virus, which uses Google Gemini AI to adapt to different versions of operating systems.
  • PromptSpy is distributed via phishing sites, masquerading as the JPMorgan Chase Argentina brand, and gives attackers complete remote control over the device.

How the first Gemini-powered Android virus works / welivesecurity

Cybersecurity experts at ESET have discovered a new type of threat for Android devices – the PromptSpy malware. This is the first known case of a virus using the capabilities of the Google Gemini chatbot to gain entry into a system.

Thanks to artificial intelligence, the program adapts to different operating-system versions and interfaces, which makes it especially dangerous for owners of modern smartphones, ESET's cybersecurity experts explained.

How exactly does artificial intelligence help the virus attack smartphones?

The malware is called PromptSpy because it contacts Google Gemini via the API using pre-prepared prompts. The main function of the AI in this scheme is to interpret the user interface of the infected gadget.

Gemini analyzes the screen image and provides the virus with step-by-step instructions on how to stay in the list of recently launched applications. This prevents the system from easily terminating the malware or removing it using standard tools.

This approach allows virus developers to automatically adapt to any screen layout or Android version, significantly expanding the range of potential victims.

How does the virus spread?

PromptSpy was distributed via phishing sites masquerading as JPMorgan Chase Argentina.

  • During the attack, the user is prompted to install the MorganArg application, which is actually the virus downloader.
  • After obtaining permissions, the program contacts the attackers' server to install additional modules, including Virtual Network Computing (VNC), and requests access to the accessibility service.

Thanks to this, the virus operators gain complete remote control over the device: they can see everything on the screen, simulate taps, swipes, and enter text as if they were holding the smartphone in their hands.

PromptSpy is also capable of intercepting unlock PIN codes and recording user actions.

How to remove the virus?

It is extremely difficult to remove because the program creates invisible “transparent rectangles” above the delete or stop buttons, blocking user commands. The only way to clean the device is to use safe mode, where third-party applications are disabled.
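The two capabilities described above, an enabled accessibility service and permission to draw overlays over other apps, are both visible to an administrator over adb. The following audit script is an added example (not ESET's code and not part of the original article); it assumes adb is on the PATH and that the output formats of `pm list packages -3`, `settings get secure enabled_accessibility_services` and `appops get <pkg> SYSTEM_ALERT_WINDOW` match the comments. It flags sideloaded packages that hold an active accessibility service and notes whether they may also draw overlays.

```python
"""Audit an Android device for sideloaded apps holding the capabilities
PromptSpy abuses: an enabled accessibility service plus the overlay appop.
Added example; parsing functions work on constructed output for testing."""
import subprocess


def adb(*args: str) -> str:
    """Run `adb shell <args>` and return stdout (assumes adb is on PATH)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


def parse_accessibility(setting: str) -> set[str]:
    """Parse `settings get secure enabled_accessibility_services`.
    Assumed format: colon-separated 'pkg/service' entries, or 'null' if none."""
    setting = setting.strip()
    if not setting or setting == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


def parse_third_party(pm_output: str) -> set[str]:
    """Parse `pm list packages -3` (one 'package:<name>' per line)."""
    return {line.strip()[len("package:"):] for line in pm_output.splitlines()
            if line.strip().startswith("package:")}


def overlay_allowed(appops_output: str) -> bool:
    """True if `appops get <pkg> SYSTEM_ALERT_WINDOW` reports the op as allowed.
    Assumed format: 'SYSTEM_ALERT_WINDOW: allow; time=...' or 'No operations.'"""
    return any(line.strip().startswith("SYSTEM_ALERT_WINDOW:") and "allow" in line
               for line in appops_output.splitlines())


def flag_suspects(third_party: set[str], a11y_pkgs: set[str],
                  overlay_by_pkg: dict[str, bool]) -> list[tuple[str, bool]]:
    """Sideloaded packages with an active accessibility service; system
    services such as TalkBack are excluded by the intersection."""
    return sorted((pkg, overlay_by_pkg.get(pkg, False))
                  for pkg in third_party & a11y_pkgs)


def audit_device() -> list[tuple[str, bool]]:
    """Collect the three data sources from a connected device and flag suspects."""
    third_party = parse_third_party(adb("pm", "list", "packages", "-3"))
    a11y = parse_accessibility(adb("settings", "get", "secure",
                                   "enabled_accessibility_services"))
    overlays = {p: overlay_allowed(adb("appops", "get", p, "SYSTEM_ALERT_WINDOW"))
                for p in third_party & a11y}
    return flag_suspects(third_party, a11y, overlays)


if __name__ == "__main__":
    for pkg, overlay in audit_device():
        print(f"{pkg}: accessibility enabled, overlay={'allowed' if overlay else 'denied'}")
```

A flagged package is not proof of infection, but a sideloaded app that both reads the screen via accessibility and can draw overlays matches the behaviour described here and is the first thing to review (from safe mode, if its uninstall button is being covered).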

Fragments of the virus code were found in Chinese, although the attacks themselves were directed at users in Argentina. PromptSpy has not yet been detected in the Google Play store, and standard Play Protect tools successfully protect against this threat, ComputerWeekly reports. Experts suggest that the virus may now be at the stage of a demonstration prototype.

How to protect your smartphone from viruses?

Update your system on time. Timely operating system updates close known vulnerabilities; don't ignore scheduled and emergency updates.

Block tracking: Turn off location tracking in settings and only turn it on when you need it.

Do not install apps from third-party sources. Third-party APKs or unverified apps may contain malicious code (password theft, microphone/camera access, mining, etc.).
