ProptSpy: Android malware that uses generative AI to navigate interfaces and take remote control

Published. 5 min read. 326 reads.

Security researchers have identified a new Android malware variant that, for the first time according to analysts, integrates a generative artificial intelligence model into its execution chain to achieve persistence on the device. The sample, dubbed ProptSpy by the firm ESET, does not merely spy on the user: it exploits the model's ability to interpret interfaces and return specific instructions, which the Trojan itself executes through the system's accessibility services.

The mechanism is disturbing in its operational simplicity. The malware contains both the model identifier and an initial prompt that assigns the AI the role of an automation assistant. At runtime it takes a structured snapshot of the screen, an XML dump that describes each interface element with its type, text and position, and sends it to the generative service. The response it receives is not text intended for humans but a set of instructions in JSON format indicating which action to perform (for example, tapping a specific coordinate) and where.

Image generated with AI.

With that feedback, ProptSpy can navigate menus, accept permissions, pin itself in the recent apps list and chain a succession of interactions until the malicious application is anchored and hard to close. All of this happens without a single tap from the user, since the actions are executed through accessibility services, which allow interactions with the interface to be simulated.

The ultimate purpose of the project is to give the attacker full remote access. The software incorporates a VNC module that opens a channel to control the device screen and stream video. It can also capture the screen, intercept lock-screen data (such as unlock patterns or PIN entry), record activity and take screenshots on request from the command-and-control server. The observed C2 server also delivers, when appropriate, the Gemini API key that the malware uses to communicate with the model.

According to the forensic analysis, the campaign does not distribute its applications through Google Play: it is promoted through a dedicated website that acts as a dropper. The installer opens a page posing as a banking service, in this case with references to an entity called "MorganArg" in order to target users in Argentina, and asks the user to enable installation from unknown sources so that the malicious APK can be downloaded. During execution the dropper queries a server that was supposed to provide the URL of the next payload, although at the time of the study that server no longer responded.

Language clues and distribution vectors point to a financial motivation and a preference for targets located in Argentina, although there are also signs that development took place in a Chinese-speaking environment: the binaries contain debugging strings in simplified Chinese. ESET also considers ProptSpy a more sophisticated evolution of a previous family recently detected on platforms such as VirusTotal.

From a technical standpoint the relevant novelty is how the attackers have combined two previously independent elements: the use of accessibility services, a well-known Android technique for automating interactions, with the ability of generative models to interpret the structure of a screen and decide precise steps based on it. The result is a more flexible malware that can adapt to different system versions and interface designs, which makes it harder to defend against with static signatures or rules that assume fixed interaction flows.

For users the practical recommendation is clear: never install applications from unverified sources, and distrust links or installers that imitate bank updates or critical services. If a malicious app manages to block its own uninstallation with invisible overlays, the most reliable way to recover is to restart the device in safe mode, an option that disables third-party apps and allows them to be removed. Google describes the process on this official support page: Restart the device in safe mode.


It is also advisable to keep the operating system and applications up to date, use reputable mobile security solutions and review the permissions granted to each application; accessibility services in particular should be reserved for trusted apps. Organizations and researchers can consult samples and indicators in community analysis tools such as VirusTotal and follow security firms' reports to understand new techniques. The ESET technical report describing ProptSpy in detail is available on the WeLiveSecurity blog: ProptSpy analysis.
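The advice to reserve accessibility services for trusted apps can be turned into a repeatable check. The script below is an added example for this article, not code from ESET or from the ProptSpy report: it reads the Android secure setting `enabled_accessibility_services` (a colon-separated list of `package/serviceclass` entries, which is what `adb shell settings get secure enabled_accessibility_services` prints, or `null` when none is enabled) and flags every package that is not on a local allowlist. The allowlist contents and the sample setting value are constructed for the demonstration; the package names in them do not refer to real apps.

```shell
#!/bin/sh
# Added example: audit which Android apps hold an enabled accessibility
# service and flag any package not on a local allowlist.

# Packages permitted to run accessibility services. Constructed example
# values; an operator would fill this from their own device policy.
ALLOWLIST="com.example.screenreader com.example.switchaccess"

# Constructed sample of the raw setting value, as `settings get secure
# enabled_accessibility_services` would print it: two services, one of
# which belongs to a package that is not on the allowlist.
SAMPLE="com.example.screenreader/com.example.screenreader.TalkService:com.constructed.bankupdate/com.constructed.bankupdate.A11yService"

# Return 0 when package $1 is on the allowlist, 1 otherwise.
is_allowed() {
    case " $ALLOWLIST " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every enabled service entry whose package is not allowlisted.
# $1 is the raw setting value; an empty value or "null" means none enabled.
list_unexpected() {
    raw="$1"
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0
    fi
    # Split on ':' (entries never contain spaces), keep the package part.
    for entry in $(printf '%s' "$raw" | tr ':' '\n'); do
        pkg=${entry%%/*}
        if ! is_allowed "$pkg"; then
            echo "$entry"
        fi
    done
}

# Print the number of flagged entries for $1 (used for scripting/alerting).
count_unexpected() {
    n=0
    for _ in $(list_unexpected "$1"); do
        n=$((n + 1))
    done
    echo "$n"
}

# Human-readable report for a raw setting value in $1.
audit_a11y() {
    flagged=$(list_unexpected "$1")
    if [ -z "$flagged" ]; then
        echo "OK: no unexpected accessibility services enabled"
    else
        echo "WARNING: accessibility services enabled for non-allowlisted packages:"
        printf '  %s\n' $flagged
    fi
}

# Demo on the constructed sample; flags the com.constructed.bankupdate entry.
audit_a11y "$SAMPLE"

# Live check when adb is installed and a device is attached (skipped otherwise).
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    audit_a11y "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
fi
```

Run it from a workstation with `adb` to review a connected phone, or feed it a setting value collected from an MDM export. A flagged entry is a starting point for review, not proof of infection: legitimate assistive apps will appear until they are added to the allowlist.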

Beyond this specific case, the incident highlights a worrying trend: artificial intelligence tools designed to assist with and automate legitimate tasks can also power more adaptive and scalable attacks. We are facing a qualitative leap in the ability of malicious actors to automate interaction with heterogeneous interfaces, which increases the need for controls in API design, limits on the use of models from third-party applications and improvements in the security of the operating system itself.

The race between defenders and attackers becomes more complicated when the intelligence is outsourced to third parties. It is therefore important that manufacturers, model providers and the security community work on measures that make generative models harder to abuse, from commercial policies and usage controls to behavioural detection on mobile devices. Meanwhile, the best defense for an individual user remains common digital sense: not downloading apps of dubious origin, reviewing permissions and, when infection is suspected, turning to recovery procedures and trusted professionals.
