PromptSpy Signals Rise of GenAI-Driven Android Malware Campaigns

Researchers have identified an Android malware family, PromptSpy, that is the first known to call a generative AI service during its operation. Rather than relying only on hardcoded logic, it sends the device's screen state to Google's Gemini and lets the model work out how to complete a multi-step action on the phone.

Earlier variants followed fixed patterns; this one adapts at runtime with help from the model, which makes it more capable and harder to dislodge. Technically it is an incremental step, but it suggests that AI-assisted mobile attacks may soon become routine.

The activity dates to the start of 2026. In January, early samples of a related program named VNCSpy were uploaded to VirusTotal from Hong Kong. On February 10th, updated builds appeared, this time uploaded from Argentina.

These evolved into PromptSpy, which splits the attack into two stages: a dropper, followed by the core malicious payload.


The distribution channel points to a low-profile campaign. The samples were not on Google Play; they were hosted on third-party websites posing as a banking app for users in Argentina.

The distinctive part is how PromptSpy uses AI to complete one of its steps. Most Android malware automates the UI with fixed rules: tap at these coordinates, swipe along this path.

Change the layout or ship a new OS version and such scripts break. PromptSpy instead sends screenshots and the structured XML dump of the screen to Gemini, together with natural-language instructions describing the task.

Gemini reads what is on screen (the text, the buttons and their positions) and replies with a concrete action in JSON, for example a long press at a given x,y coordinate.

The malware performs that action, re-checks its progress, and stops once Gemini confirms that the app has been pinned in the Recents screen. A pinned app shows a small lock icon and cannot be swiped away as easily, which keeps the malware running.

The Gemini interaction is only one part of PromptSpy's toolset. Its core is a hidden VNC component, running in the background, that gives the operator remote control of the device.

Once the victim grants Accessibility Service access, the malware shows a fake loading screen so they do not realize that the operator is watching and driving the device: pressing buttons, navigating between screens, entering text, and seeing every step live.

The VNC session goes to a hardcoded C&C server at 54.67.2[.]84, with the traffic protected by AES encryption. Screen recording also captures unlock attempts, exposing PINs, passwords and swipe patterns.

The malware also reports the list of installed apps, how the screen is being used, and hardware details such as the device model. The operator can request screenshots at any time and record the use of specific apps. Overlays are drawn on top of buttons that would let the victim back out.

Accessibility is used to intercept touches when the victim tries to remove the app, without anything visible to the user. Leftover test strings suggest the code was put together quickly.

Log messages are written in Chinese and the tooling is oriented toward a Chinese-speaking operator, while the lure uses Spanish-language bank branding that imitates Chase for users in Argentina. The goal appears to be stealing banking credentials remotely.

PromptSpy Spreads and Hides

Victims first downloaded an installer from mgardownload[.]com, which has since gone offline. Launching it opened m-mgarg[.]com, a site built to look like JPMorgan Chase but branded MorganArg, with a logo and title suggesting "Morgan Argentina".

It was accompanied by a second phishing app, signed with the same certificate and showing the same fake website, probably used to trick victims into installing the actual PromptSpy payload under the guise of an update.

Infection requires the victim to allow installation of apps from unknown sources, a warning many users ignore. The researchers shared their findings through the App Defense Alliance, and Google Play Protect now blocks the known samples.

On first launch, PromptSpy requests Accessibility access, which unlocks the rest of its functionality. It then displays a "Loading, please wait" message to occupy the victim while it communicates with Gemini in the background.

Differences between manufacturer interfaces, such as Samsung's and Google Pixel's, are handled at runtime by the model rather than by device-specific code.

For example, Gemini may instruct the malware to long-press the app's preview in the Recents screen and then tap the lock icon. Each element's position comes from the XML node bounds, written as [left,top][right,bottom], from which the malware computes the center point to press. The same flow therefore works across launcher styles and screen sizes.

The prompts are hardcoded in the app. Captured traffic shows the full exchange with Gemini: the request goes out and the answer comes back as structured data. This is not autonomous control of the whole attack; the model is used for one specific step that was hard to do reliably with fixed logic.
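The screen-reading loop described in the two passages above (dump the screen, ask the model, act on its JSON answer, re-check until the lock icon appears), as an added example that is not the malware's code and not the researchers' tooling. The uiautomator-style XML dumps, the instruction text, the stub "model" and the fake device are all constructed here so the block runs offline; the real hardcoded prompt and Gemini replies are not reproduced.

```python
"""Added example: a model-driven UI loop over an accessibility XML dump.
Everything below (screens, instruction, stub model) is constructed."""
from __future__ import annotations

import json
import re
import xml.etree.ElementTree as ET

BOUNDS_RE = re.compile(r"\[(-?\d+),(-?\d+)\]\[(-?\d+),(-?\d+)\]")

# Constructed Recents-screen dumps: before the long press, with the pin
# menu open, and after the app has been pinned (lock icon present).
RECENTS = """<hierarchy rotation="0">
 <node class="android.widget.FrameLayout" bounds="[0,0][1080,2400]">
  <node content-desc="MorganArg" class="android.view.View" clickable="true" bounds="[180,600][900,1800]"/>
 </node></hierarchy>"""
MENU = """<hierarchy rotation="0">
 <node class="android.widget.FrameLayout" bounds="[0,0][1080,2400]">
  <node content-desc="MorganArg" class="android.view.View" clickable="true" bounds="[180,600][900,1800]"/>
  <node text="Lock" content-desc="Lock" class="android.widget.TextView" clickable="true" bounds="[300,400][540,520]"/>
 </node></hierarchy>"""
PINNED = """<hierarchy rotation="0">
 <node class="android.widget.FrameLayout" bounds="[0,0][1080,2400]">
  <node content-desc="MorganArg" class="android.view.View" clickable="true" bounds="[180,600][900,1800]"/>
  <node content-desc="Locked" class="android.widget.ImageView" bounds="[820,560][900,640]"/>
 </node></hierarchy>"""
SCREENS = [RECENTS, MENU, PINNED]

# Constructed instruction; the malware's real prompt is not reproduced.
INSTRUCTION = ("Pin the MorganArg app in Recents: long-press its preview, then "
               "tap the lock icon. Reply with a single JSON object only.")


def bounds_center(bounds: str) -> tuple[int, int]:
    """'[120,400][960,640]' -> (540, 520): where the gesture lands."""
    m = BOUNDS_RE.fullmatch(bounds.strip())
    if not m:
        raise ValueError(f"bad bounds: {bounds!r}")
    left, top, right, bottom = map(int, m.groups())
    return (left + right) // 2, (top + bottom) // 2


def find_nodes(dump: str, attrs: dict[str, str]) -> list[ET.Element]:
    """Nodes whose attributes contain every given substring (case-insensitive)."""
    return [n for n in ET.fromstring(dump).iter("node")
            if all(v.lower() in n.get(k, "").lower() for k, v in attrs.items())]


def parse_model_reply(reply: str) -> dict:
    """Models often wrap JSON in a ```json fence or add prose, so take the
    outermost {...} instead of json.loads on the raw text, then validate."""
    m = re.search(r"\{.*\}", reply, re.S)
    if not m:
        raise ValueError("no JSON object in reply")
    action = json.loads(m.group(0))
    if action.get("action") not in {"tap", "long_press", "done"}:
        raise ValueError(f"unknown action {action.get('action')!r}")
    return action


def stub_gemini(dump: str, instruction: str) -> str:
    """Stand-in for the Gemini request: names the next press from the dump,
    or reports completion once the lock icon is visible. Constructed logic."""
    if find_nodes(dump, {"content-desc": "Locked"}):
        return '```json\n{"action": "done", "reason": "lock icon visible"}\n```'
    lock = find_nodes(dump, {"content-desc": "Lock"})
    if lock:
        x, y = bounds_center(lock[0].get("bounds"))
        return json.dumps({"action": "tap", "x": x, "y": y})
    x, y = bounds_center(find_nodes(dump, {"content-desc": "MorganArg"})[0].get("bounds"))
    return json.dumps({"action": "long_press", "x": x, "y": y})


class FakeDevice:
    """Stand-in for the Accessibility-driven phone: a gesture that hits a
    clickable node advances to the next constructed screen; others are rejected."""
    def __init__(self, screens: list[str]):
        self.screens, self.i = list(screens), 0

    def dump(self) -> str:
        return self.screens[self.i]

    def gesture(self, action: dict) -> bool:
        for node in find_nodes(self.dump(), {"clickable": "true"}):
            l, t, r, b = map(int, BOUNDS_RE.fullmatch(node.get("bounds")).groups())
            if l <= action["x"] <= r and t <= action["y"] <= b:
                self.i = min(self.i + 1, len(self.screens) - 1)
                return True
        return False


def pin_app(device: FakeDevice, model=stub_gemini, max_steps: int = 5) -> list[dict]:
    """dump -> ask model -> act -> re-check, until the model says done.
    Bounded so a confused model cannot keep the loop running forever."""
    history = []
    for _ in range(max_steps):
        action = parse_model_reply(model(device.dump(), INSTRUCTION))
        history.append(action)
        if action["action"] == "done":
            return history
        if not device.gesture(action):
            raise RuntimeError(f"gesture rejected by device: {action}")
    raise RuntimeError("step budget exhausted without confirmation")


if __name__ == "__main__":
    for step in pin_app(FakeDevice(SCREENS)):
        print(step)
```

Two details matter for a defender reading such traffic: the JSON the model returns is only as safe as the validation around it (here every gesture is checked against the current node tree and the loop is bounded), and the center-of-bounds arithmetic is what makes the same prompt work on any launcher, so coordinates in the traffic will vary by device while the prompt text stays constant.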

The broader point is that attackers are using mainstream AI platforms to get past defenses that assume fixed, scripted behavior, a pattern Dr.Web had previously observed on Android devices.

Earlier abuse of AI services amounted to simple bot traffic; models such as Gemini now interpret natural-language instructions and carry out tasks on their own. In August 2025 the researchers identified PromptLock, ransomware that generated its malicious scripts from prompts to a language model, and PromptSpy is the mobile counterpart.

Malware Can Steal Data, Damage Systems and Disrupt Operations

PromptSpy's feature set is largely about surveillance. It collects device details such as the model and OS version and enumerates every installed app, including banking apps.

It records the screen while the victim unlocks the phone and gives the operator remote control, so that fraudulent actions appear to come from the victim's own hands. When words such as "uninstall" appear on screen, it draws overlays to block the removal.

It runs as a foreground service and restarts at boot, so a reboot does not get rid of it. Collected data is AES-encrypted before it is sent to the C&C server, which defeats simple content-based network filtering.

The motive appears to be financial: bank-themed phishing is common in Argentina, and remote access lets the operators transfer funds, take over accounts, or deploy further payloads such as ransomware.

The lack of telemetry hits may mean limited distribution, or that the campaign is still being tested, but the registered domains indicate real operations. Users who sideload apps are at the greatest risk, especially when lured by fake banking updates.

Removing PromptSpy Safely

Because the overlays block the normal uninstall path, reboot into Safe Mode first, which disables third-party apps. On most phones, press and hold the power button, then touch and hold "Power off" until the "Reboot to safe mode" prompt appears. The exact steps vary by manufacturer.

On some Samsung devices, holding the volume-down key while the phone boots does the same; Pixel phones use the long-press on "Power off" described above.

In Safe Mode the malware is not running, so you can open Settings > Apps, find the malicious entry (it appears as MorganAccessibility) and uninstall it without the overlay interfering. If the app is still listed under Settings > Accessibility, revoke its access there too.

Then restart normally and run a Play Protect scan. Avoid installing APKs from unknown sources, and review what an app asks for before granting Accessibility access: its permission requests tell you more than its reviews.

Android security considerations

The notable shift is that tools built to assist are being turned into weapons: general-purpose AI services adapt quickly enough to serve criminal automation. Hardcoded automation breaks on Android's fragmented ecosystem, where the same app has to work on both a Xiaomi and a Pixel; a model that reads the screen does not.

Expect other actors to adopt the same playbook, combining it with deepfakes, phishing e-mails and multi-stage intrusions to get past defenses.

Defenses need to look at app behavior, in particular unusual use of Accessibility Services and unexpected access patterns. An app calling the Gemini API with no legitimate reason to do so is a signal worth flagging.

Google has tightened controls around installing apps from outside the store, but user vigilance still matters; it cannot stop when an update arrives.

Mobile malware reportedly rose about 20% last year, and banking trojans quietly drain billions from accounts.

Argentina's heavy reliance on digital banking makes it a testing ground for new tools, in this case apparently built by Chinese-speaking developers. Tracking these shifts closely helps defenders respond faster.

Indicators of Compromise:

Files:

SHA-1 | Filename | Detection | Description
6BBC9AB132BA066F63676E05DA13D108598BC29B | net.ustexas.myavlive.apk | Android/Spy.VNCSpy.A | Android VNCSpy malware.
375D7423E63C8F5F2CC814E8CFE697BA25168AFA | nlll4.un7o6.q38l5.apk | Android/Spy.VNCSpy.A | Android VNCSpy malware.
3978AC5CD14E357320E127D6C87F10CB70A1DCC2 | ppyzz.dpk0p.ln441.apk | Android/Spy.VNCSpy.A | Android VNCSpy malware.
E60D12017D2DA579DF87368F5596A0244621AE86 | mgappc-1.apk | Android/Spy.PromptSpy.A | Android PromptSpy dropper.
9B1723284E311794987997CB7E8814EB6014713F | mgappm-1.apk | Android/Spy.PromptSpy.A | Android PromptSpy dropper.
076801BD9C6EB78FC0331A4C7A22C73199CC3824 | mgappn-0.apk | Android/Spy.PromptSpy.A | Android PromptSpy dropper.
8364730E9BB2CF3A4B016DE1B34F38341C0EE2FA | mgappn-1.apk | Android/Spy.PromptSpy.A | Android PromptSpy dropper.
F8F4C5BC498BCCE907DC975DD88BE8D594629909 | app-release.apk | Android/Spy.PromptSpy.A | Android PromptSpy.
C14E9B062ED28115EDE096788F62B47A6ED841AC | mgapp.apk | Android/Phishing.Agent.M | Android phishing malware.

Network:

IP | Domain | Hosting provider | First seen | Details
52.222.205[.]45 | m-mgarg[.]com | Amazon.com, Inc. | 2026-01-12 | Phishing website.
54.67.2[.]84 | N/A | Amazon.com, Inc. | N/A | C&C server.
104.21.91[.]170 | mgardownload[.]com | Cloudflare, Inc. | 2026-01-13 | Distribution website.
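A sweep of device telemetry against the indicators listed above, plus the behavioural signal the article raises in the "Android security considerations" section (an app with no reason to use Gemini contacting the Gemini API), as an added example rather than the researchers' tooling. The hashes, IPs and domains are the page's indicators with the [.] defanging undone; the API hostname, the allow-listed package name, and the sample installed-app and flow records are assumptions constructed for this example.

```python
"""Added example: match constructed Android telemetry against the page's
IOCs and a Gemini-API behavioural rule. Records and hostnames are assumed."""
from __future__ import annotations

IOC_SHA1 = {
    "6BBC9AB132BA066F63676E05DA13D108598BC29B": "Android/Spy.VNCSpy.A",
    "375D7423E63C8F5F2CC814E8CFE697BA25168AFA": "Android/Spy.VNCSpy.A",
    "3978AC5CD14E357320E127D6C87F10CB70A1DCC2": "Android/Spy.VNCSpy.A",
    "E60D12017D2DA579DF87368F5596A0244621AE86": "Android/Spy.PromptSpy.A (dropper)",
    "9B1723284E311794987997CB7E8814EB6014713F": "Android/Spy.PromptSpy.A (dropper)",
    "076801BD9C6EB78FC0331A4C7A22C73199CC3824": "Android/Spy.PromptSpy.A (dropper)",
    "8364730E9BB2CF3A4B016DE1B34F38341C0EE2FA": "Android/Spy.PromptSpy.A (dropper)",
    "F8F4C5BC498BCCE907DC975DD88BE8D594629909": "Android/Spy.PromptSpy.A",
    "C14E9B062ED28115EDE096788F62B47A6ED841AC": "Android/Phishing.Agent.M",
}
IOC_NET = {
    "52.222.205[.]45": "phishing website", "m-mgarg[.]com": "phishing website",
    "54.67.2[.]84": "C&C server",
    "104.21.91[.]170": "distribution website", "mgardownload[.]com": "distribution website",
}
# Assumed: the public Gemini API host, and packages allowed to talk to it.
GEMINI_API_HOST = "generativelanguage.googleapis.com"
AI_ALLOWLIST = {"com.google.android.apps.bard"}   # assumed Gemini app package


def refang(indicator: str) -> str:
    """Undo the defanging used in IOC listings so values match live telemetry."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


SHA1_LOOKUP = {h.lower(): d for h, d in IOC_SHA1.items()}
NET_LOOKUP = {refang(k): v for k, v in IOC_NET.items()}


def scan(installed: list[dict], flows: list[dict]) -> list[dict]:
    """installed: {package, sha1, installer}; flows: {package, dest}.
    Returns one finding per matched indicator or behavioural signal."""
    findings = []
    for app in installed:
        det = SHA1_LOOKUP.get(app["sha1"].lower())
        if det:
            findings.append({"package": app["package"], "kind": "hash",
                             "severity": "high", "detail": det})
        if app.get("installer") is None:  # no store installer recorded: sideloaded (assumed)
            findings.append({"package": app["package"], "kind": "sideloaded",
                             "severity": "low", "detail": "installed from outside an app store"})
    for f in flows:
        dest = refang(f["dest"])
        if dest in NET_LOOKUP:
            findings.append({"package": f["package"], "kind": "network",
                             "severity": "high", "detail": f"{dest}: {NET_LOOKUP[dest]}"})
        elif dest == GEMINI_API_HOST and f["package"] not in AI_ALLOWLIST:
            findings.append({"package": f["package"], "kind": "behaviour",
                             "severity": "medium", "detail": "non-AI app calling the Gemini API"})
    return findings


# Constructed sample telemetry; package names and records are invented.
INSTALLED = [
    {"package": "com.example.morganarg", "sha1": "e60d12017d2da579df87368f5596a0244621ae86", "installer": None},
    {"package": "com.google.android.apps.bard", "sha1": "0" * 40, "installer": "com.android.vending"},
    {"package": "com.android.chrome", "sha1": "1" * 40, "installer": "com.android.vending"},
]
FLOWS = [
    {"package": "com.example.morganarg", "dest": "54.67.2.84"},
    {"package": "com.example.morganarg", "dest": "generativelanguage.googleapis.com"},
    {"package": "com.google.android.apps.bard", "dest": "generativelanguage.googleapis.com"},
    {"package": "com.android.chrome", "dest": "www.example.org"},
]

if __name__ == "__main__":
    for hit in scan(INSTALLED, FLOWS):
        print(hit)
```

On a real device the `installed` records can be built from `adb shell pm list packages -f`, pulling each APK with `adb pull` and hashing it with `sha1sum`; the per-app flows need a VPN-based or proxy-based capture, since Android does not expose them to ordinary apps. The Gemini-API rule is a heuristic, not proof of compromise: treat it as a lead to pair with the Accessibility and sideloading signals rather than as a detection on its own.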

MITRE ATT&CK Mapping

Tactic | ID | Name | Description
Persistence | T1398 | Boot or Logon Initialization Scripts | Abuses Accessibility for anti-removal.
Persistence | T1541 | Foreground Persistence | Uses a foreground service to stay running.
Defense Evasion | T1516 | Input Injection | Abuses Accessibility for anti-removal.
Credential Access | T1417.002 | Input Capture: GUI Input Capture | Intercepts lock-screen PIN/password.
Discovery | T1426 | System Information Discovery | Gathers device model and OS version.
Discovery | T1418 | Software Discovery | Lists installed apps.
Collection | T1513 | Screen Capture | Records screen/video.
Command and Control | T1663 | Remote Access Software | VNC for remote control.
Command and Control | T1521.001 | Encrypted Channel: Symmetric Cryptography | AES for C&C encryption.
Exfiltration | T1646 | Exfiltration Over C2 Channel | Sends data to C&C.

In summary: PromptSpy persists on Android devices by pinning itself in the Recents screen with help from Google's Gemini, and gives operators hidden remote access over VNC. It sends the screen layout to Gemini, which replies with precise gestures (tap here, long-press there) to lock the app in place regardless of the device's interface, so each gesture is adapted to whatever is on screen. It may not yet appear in telemetry, but the registered domains point to an active operation.

Play Protect blocks the known samples, so leave it enabled; it catches recognized malware before it does damage and is most useful when it stays on without interruption. Stay cautious even with safeguards running.

Site: thecybrdef.com

Reference: Source

John

John is a cybersecurity reporter covering the latest cyber threats, data breaches, and security research. Focused on translating complex technical topics into clear, actionable insights. Dedicated to delivering accurate, timely news to inform and protect the digital community.
