AI Malware Uses Gemini Chatbot for Stealth
19 Feb
Summary
- New Android malware 'PromptSpy' leverages Gemini AI for persistence.
- The malware targets users in Argentina, possibly developed in China.
- It uses Gemini to analyze screens and prevent app removal.

Security researchers have identified an unprecedented Android malware, named PromptSpy, that weaponizes Google's Gemini chatbot. This malware's primary function is to ensure its own persistence on an infected device by abusing Gemini's API. Researchers noted that the malware appears to be specifically targeting users in Argentina, with preliminary analysis suggesting its code may have been developed in China.
PromptSpy uses Gemini to interpret the user interface of an Android device. This allows the malware to analyze the current screen and receive instructions on how to keep the malicious application pinned in the recent apps list. By preventing the app from being easily terminated, PromptSpy enhances its stealth capabilities and survival rate.
The malware was found distributed through a phishing site impersonating the JPMorgan Chase Argentina banking brand. Disguised as an app named 'MorganArg,' it employed familiar branding to lure unsuspecting users. ESET, the antivirus provider that uncovered PromptSpy, shared its findings with Google, which automatically protects Android users via Google Play Protect.
Removing PromptSpy is challenging due to its design, which includes invisible overlays that block uninstall and force-stop functions. Victims typically need to reboot their devices into Safe Mode to remove the malware. This discovery marks a significant escalation in the use of generative AI by threat actors, following previous instances of AI-assisted malware like Promptflux and Promptsteal.
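The behaviour described above gives defenders one concrete network signal: an app that is not a Gemini client repeatedly sending data to the Gemini API. The script below is an added illustration, not code from the article or from ESET. It assumes a per-app egress log (the kind a mobile EDR or a VPN-based monitor can export) in a constructed one-line-per-request format, and it assumes the public Gemini API is reached via the hostname generativelanguage.googleapis.com. The package names, the allow-list and every log line are constructed for the example.

```python
"""Flag Gemini API traffic from Android packages that have no business using it.

Added example (not the article's or ESET's code). Input is a constructed
per-app egress log with lines of the form:
    <timestamp> pkg=<package> host=<hostname> bytes=<request size>
Any package outside ALLOWED_PACKAGES that talks to the Gemini API host is
reported, together with how many requests it made and how many bytes it sent.
Repeated large uploads are consistent with screen content being shipped to
the model, which is the behaviour the article describes.
"""
import re
from collections import defaultdict

# Public Gemini API hostname (assumed to be the endpoint a Gemini client uses).
GEMINI_HOSTS = {"generativelanguage.googleapis.com"}

# Packages expected to contact Gemini on this fleet; constructed allow-list.
ALLOWED_PACKAGES = {
    "com.google.android.apps.bard",
}

# Constructed log format; adapt the regex to the real exporter's schema.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+pkg=(?P<pkg>\S+)\s+host=(?P<host>\S+)\s+bytes=(?P<bytes>\d+)$"
)

# Constructed sample log: one legitimate client, one look-alike banking app
# (package name is made up) uploading large payloads, unrelated traffic, and
# a malformed line that the parser must skip.
SAMPLE_LOG = """\
2025-02-19T10:00:01Z pkg=com.google.android.apps.bard host=generativelanguage.googleapis.com bytes=4120
2025-02-19T10:00:05Z pkg=com.example.morganarg host=generativelanguage.googleapis.com bytes=183004
2025-02-19T10:00:07Z pkg=com.example.morganarg host=generativelanguage.googleapis.com bytes=175230
2025-02-19T10:00:09Z pkg=com.android.chrome host=example.com bytes=900
this line is malformed and should be ignored
"""


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "pkg": m["pkg"],
        "host": m["host"].lower(),
        "bytes": int(m["bytes"]),
    }


def find_suspicious(log_text, min_requests=1):
    """Aggregate Gemini API traffic per non-allow-listed package.

    Returns {package: {"requests": n, "bytes": total, "first_seen": ts}}
    for every package that contacted a Gemini host at least min_requests times.
    """
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "first_seen": None})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["host"] not in GEMINI_HOSTS:
            continue
        if rec["pkg"] in ALLOWED_PACKAGES:
            continue
        entry = stats[rec["pkg"]]
        entry["requests"] += 1
        entry["bytes"] += rec["bytes"]
        if entry["first_seen"] is None:
            entry["first_seen"] = rec["ts"]
    return {pkg: s for pkg, s in stats.items() if s["requests"] >= min_requests}


if __name__ == "__main__":
    for pkg, s in find_suspicious(SAMPLE_LOG).items():
        print(f"ALERT {pkg}: {s['requests']} Gemini requests, "
              f"{s['bytes']} bytes sent, first seen {s['first_seen']}")
```

Raising `min_requests` suppresses one-off lookups and keeps the alert focused on the sustained, screen-by-screen pattern the article describes; the allow-list is the part that needs tuning per fleet, since any legitimate Gemini client not listed there will be reported.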