PromptSpy Malware on New Android

PromptSpy malware on the new Android. Gemini has been used to help make decisions.

When it comes to services that start with Prompt, many people might think of a convenient payout service like PromptPay or a similar service for businesses like PromptBiz, but this time there is another thing that uses the same word, but not financial services, but a new, intelligent malware.

According to a report by the website Cyber Security News, a new malware focused on attacking the Android operating system called PromptSpy. This malware has something more special than others. Google's AI or Artificial Intelligence, Gemini, has been used to help make decisions. This malware was first detected during February 10, last year, by a research team from ESET, a popular anti-malware tool developer, which the research team detected from four samples uploaded from Argentina to its website. VirusTotal, a website for monitoring computer viruses, called the detected malware the first to use such a technique that is currently detected.

In that investigation, it was discovered that the malware was spread by impersonating an application of the Argentine branch of JPMorgan Chase Bank N.A. under the name MorganArg, or "Morgan Argentina," which was spread through a closed fake website called mgardownload [.] com. The app was a forgery of the bank's login page. In the investigation, it was found that the malware had a string value written in Chinese, as well as an event manager in the Accessibility Mode implementation in Chinese, making it predictable that the hackers behind the development Probably a group of Chinese hackers, but at present there is no evidence of an epidemic yet, according to ESET's Telematry data, but out of all the infrastructure discovered, the malware has been found to be very ready to spread in the real world.

Unlike normal malware, this malware saves the Live User Interface in an XML file format and sends it to Gemini with a Hardcoded Prompt written in Natural Language to allow Gemini to analyze and make decisions based on real situations. After analysis, Gemini sends commands in the JSON file format containing the Swipe and Tap Instruction commands, the app lock commands in the most recently opened app part. (Lock App in Recent App), Pin fake apps in the Multitasking View section of the screen with the app locked out. For example, working with Gemini is a Feedback Loop. Malware sends new data to Gemini for comments every action. These are different from traditional malware that uses Harcoded commands. They often fail when working on a screen of a certain size or User. A different interface to a given one.

In addition to the Gemini implementation, the malware has also implemented the VNC (Virtual Network Computing) module to remotely control the victim's machine. It operates through communication with the AES encrypted C2 or Command and Control server. After the malware has access to the Accessibility mode, hackers can control the screen on the machine through the VNC channel. The fake application has an anti-removal system by creating a button stack with string values such as "stop," "end," "clear," and " Uninstalled "cannot be pressed. The deletion method must enter Safe Mode and delete only through Settings → Apps → MorganArg.

# Trending # Lemon 8 Howtoo # lemon 8 diary # Malware # freedomhack