Google: AI used to create zero-day 2FA bypass

Google reported unknown attackers used an AI-generated Python script to implement a zero-day two-factor authentication bypass in a popular open-source web-based admin tool.

Google’s Threat Intelligence Group disclosed Monday that unknown threat actors deployed an AI-generated Python script to implement a zero-day bypass of two-factor authentication (2FA) in a widely used open-source, web-based system administration tool. Google worked with the vendor to disclose and patch the flaw and described the activity as part of a coordinated mass vulnerability exploitation operation.

The exploit relied on valid user credentials and a high-level semantic logic error tied to a hard-coded trust assumption. Google assessed with high confidence that an artificial intelligence model was used to discover and weaponize the flaw. The company identified multiple indicators typical of large language model output, including abundant educational docstrings, a hallucinated Common Vulnerability Scoring System (CVSS) value, and a highly structured, textbook Python style with detailed help menus and formatting elements found in LLM training data.

Google linked the zero-day case to other AI-assisted abuse. An Android backdoor tracked as PromptSpy used an AI model to analyze on-screen content and instruct the malware to pin itself in the recent apps list. PromptSpy can navigate Android interfaces, monitor real-time activity through an autonomous agent module, capture biometric gestures to replay authentication patterns, and block uninstallation by placing an invisible overlay over the Uninstall button. The backdoor can update API keys and relay servers at runtime via its command-and-control channel. Google disabled assets tied to PromptSpy and reported no infected apps on the official Play Store.

The report described further incidents involving state-linked and criminal groups using AI to accelerate operations. A suspected China-affiliated cluster prompted a model to act as a network security expert to probe embedded device firmware and a file-transfer implementation. A North Korea-linked actor submitted thousands of repetitive prompts to recursively analyze CVEs and validate proof-of-concept exploits. Russia-linked intrusion campaigns delivered malware that uses LLM-generated decoy code to hide malicious behavior.

Researchers and adversaries have fed models large collections of past vulnerability cases to steer them toward logic flaws. One GitHub repository called “wooyun-legacy” compiled more than 5,000 real-world vulnerability cases from a former disclosure platform to prime models for analysis. Other groups used agentic tools such as Hexstrike AI and Strix to automate vulnerability discovery with limited human oversight.

Google warned that attackers are obtaining premium or anonymized access to high-tier models at scale by automating account registration and cancellation and routing requests through proxy services and shadow APIs. A CISPA Helmholtz Center study identified 17 shadow APIs that claim to provide indirect model access and found substantial model substitution and drops in accuracy on a medical benchmark, with MedQA accuracy falling from an official figure of about 83.8% to roughly 37% across those services. Proxy services can capture prompts and responses passing through them, creating data that could be used to fine-tune or extract model behavior.

Google reported it has disabled malicious infrastructure connected to the activity and coordinated patches with affected vendors. The company noted that AI platforms and development environments are new attack surfaces and that access to internal models or tools can be used to identify, collect and exfiltrate sensitive information or to map networks for follow-on exploitation.

Ryan Dewhurst, head of threat intelligence at watchTowr, commented: “Discovery, weaponization and exploitation are faster. We have watched timelines compress for years, and defenders must adapt to that reality.”
