Protecting Your Mobile App from AI-Powered Malware (PromptSpy)
Introduction
With the rise of advanced threats like AI-driven Android malware, attackers are no longer just stealing data—they are interacting with apps like real users. Malware such as PromptSpy can read screens, perform actions, and bypass traditional controls.
This blog provides a simple, practical guide to protect your mobile app.
Why This Threat is Different
Uses screen capture + accessibility services
Controlled by AI (dynamic, not hardcoded attacks)
Mimics real user behavior
Can bypass OTP and basic security checks
👉 Traditional controls alone are no longer enough.
Impact on Applications
Unauthorized transactions
Account takeover
Data leakage (credentials, OTP, financial info)
Fraud executed in real-time
Recommended Fixes to Protect Android App from PromptSpy-like Malware
To protect the Android application from PromptSpy-like malware, the application should implement a layered security approach covering screen protection, accessibility abuse detection, overlay prevention, runtime threat monitoring, stronger authentication, behavioral fraud controls, and sensitive data protection.
- Block Screen Capture: The app should enable
FLAG_SECUREon sensitive screens such as login, OTP, payment, beneficiary management, account details, and transaction confirmation screens to prevent screenshots, screen recording, and screen casting.
getWindow().setFlags(
WindowManager.LayoutParams.FLAG_SECURE,
WindowManager.LayoutParams.FLAG_SECURE
);
- Detect & Restrict Accessibility Abuse: The application should also detect misuse of Android Accessibility Services, as malware commonly abuses accessibility permissions to read screen content and perform automated clicks. The app should check enabled accessibility services and restrict access where unknown or high-risk services are active.
AccessibilityManager am =
(AccessibilityManager) getSystemService(Context.ACCESSIBILITY_SERVICE);
List<AccessibilityServiceInfo> services =
am.getEnabledAccessibilityServiceList(
AccessibilityServiceInfo.FEEDBACK_ALL_MASK
);
- Prevent Overlay Attacks (Tapjacking) : To reduce the risk of fake screens and tapjacking, the app should detect overlay permissions and block sensitive actions when overlay is active. Sensitive buttons and input fields should reject obscured touches using
filterTouchesWhenObscured.
if (Settings.canDrawOverlays(context)) {
// Block sensitive action or show warning
}
android:filterTouchesWhenObscured="true"
Runtime Threat Detection (RASP): The application should implement Runtime Application Self-Protection (RASP) controls to detect rooted devices, debugging attempts, emulators, hooking frameworks, suspicious background services, screen recording attempts, and abnormal runtime behavior. Where high risk is detected, the app should step up authentication, restrict sensitive functions, or terminate the session.
Avoid Relying Only on OTP: The app should not rely only on OTP, as OTP can be captured from the screen. Instead, it should use stronger controls such as device binding, push-based approval, transaction signing, and step-up authentication for high-risk actions. Transaction signing should bind the approval to key transaction details such as amount, beneficiary, account number, and currency, so malware cannot reuse approval for a different transaction.
Fraud Controls: The application should also implement behavioral and fraud controls to detect AI-driven automation. This includes monitoring abnormal navigation patterns, rapid clicks, unusual typing behavior, repeated failed attempts, unusual device fingerprint changes, and high-risk transaction patterns. Suspicious sessions should be blocked, challenged, or routed for additional verification.
Secure Sensitive Data in UI : Sensitive information displayed in the UI should be minimized and masked wherever possible. Account numbers, card numbers, customer identifiers, balances, OTPs, tokens, and personal data should not be fully displayed unless required. Sensitive values should be masked, cleared when the app goes to background, and removed after timeout.
@Override
protected void onPause() {
super.onPause();
// Clear or mask sensitive data when app goes to background
}
Overall, the fix should ensure that even if malware is present on the user’s device, it cannot easily view sensitive screens, automate actions, overlay fake interfaces, capture OTPs, or perform fraudulent transactions without being detected by runtime, behavioral, and backend fraud controls.