ProptSpy: the first Android malware that uses generative IA to control the interface and spy in real time

Security researchers have identified what seems to be the first malware family for Android that directly incorporates a generative intelligence model into its running flow. The piece, named by analysts like PromptSpy, was described by the ESET team after analyzing samples that appeared in public malware analysis services. The novelty is not that the code uses IA to generate phishing emails or malicious content, but that it calls a language model in running time to decide what actions to do on the infected device interface. You can check the ESET technical report here: WeLiveSecurity / ESET.

The mechanism that ProptSpy uses is based on Google's Gemini model. The malware captures an XML flip from the active screen - a structured list of visible IU elements, their tags, types and coordinates - and sends it next to a prompt to the model. Gemini returns instructions in JSON format that describe what interaction to do on screen to, for example, "block" or "set" the application in the view of recent applications. The malware runs those instructions through the Android Accessibility service, reads the new state of the screen and repeats the loop until the model confirms that the application was fixed.

This behaviour has a clear objective: persistence. On many Android devices there is an option to "block" or "anchor" an app in the list of recent; when an application is set, the system is less likely to complete its process during memory cleaning or when the user press "Delete All." For a legitimate app that avoids background job interruptions; for a spyware like ProptSpy, it ensures that the malicious code is kept alive longer. The problem for malware authors is that the implementation and location of that function vary a lot between brands and Android versions, and that's where the adaptive capacity of the language model is useful.

Beyond persistent innovation, the main purpose of ProptSpy is espionage. The analyses show that it includes a VNC module that, when the application has Accessibility privileges, allows attackers to view and control the device screen in real time. The capabilities attributed to it include the capture of screens and video from the unlocking pattern, reading and possible interception of PIN or passwords from the lock screen, listing of installed applications and recording of the application in the foreground and user gestures. In addition, when the victim tries to uninstall the app or revoke permissions, the malware places invisible rectangles on system buttons so that, by pressing them, the legitimate action does not run and the uninstallation is blocked.

Uninstall this type of threat may need steps out of the ordinary: researchers explain that the Android Safe Mode restart - which disables third-party applications - is the most reliable way to remove the malicious application if the overlap locking mechanism is active. In this regard, ESET has not so far reported extensive ProptSpy detections in its telemetry, so it is still unclear whether it is an advanced concept test or a limited circulation malware. However, the fact that some samples could have been distributed through dedicated domains and a page that imitated a bank suggests that it could have been used in real attacks; you can see the news coverage reports on BleepingComputer: BleepingComputer and explore sample analysis in services such as VirusTotal.

If it is confirmed that the use of Gemini or other LLM in running time is widespread, the consequences for mobile cybersecurity are relevant. The IA provides the attackers with a "brain" capable of interpreting heterogeneous interfaces and generating interaction sequences adapted to each device, which reduces the dependence on rigid scripts that fail to small variations in the interface. This adaptability facilitates automating actions that previously required specific engineering by each manufacturer, complicating the detection by signatures and the blocking by static behavior.

The emergence of ProptSpy fits into a broader trend: malicious actors and, according to intelligence group reports, even state-sponsored campaigns, are experimenting with generative models to accelerate tasks from recognition to post-commitment movements. In parallel, platform providers and security equipment should improve the monitoring and abuse limits of APIs that allow for automated interaction with the user interface.

For users and administrators, practical recommendations go through well-known but effective measures: avoid installing apps outside trusted stores, carefully review which apps request sensitive permissions such as Accessibility or the ability to draw on other applications, keep the operating system and apps up-to-date, and use additional protection such as Google Play Protect. The official Android guides on how accessibility services work and how to manage them are a good starting point for understanding technical risks: Official documentation of Accessibility Services. For general mobile security advice, you can consult government resources such as CISA: CISA - Safety Tips for Mobile Devices, and Google's explanation of how Play Protect helps protect dispenstives: Google Play Protect.

ProptSpy is, for now, an early example of how generative intelligence can be incorporated into the malicious software execution cycle itself, transforming already known techniques (persistence, remote control, uninstallation evasion) into much more flexible processes. The lesson for users and professionals is clear: the arrival of generative models to the threat ecosystem does not make threats new, but it does make them more difficult to anticipate. The defence will require maintaining basic good practices, strengthening permit controls and improving behavioural detection in mobile endpoints.