ESET Discovers First Android Malware Using Generative AI

Published by The Daily Scout

What happened

Cybersecurity firm ESET Research has discovered the first known Android malware, named PromptSpy, that abuses generative AI during its execution. The malware sends prompts to Google’s Gemini model to guide its manipulation of the device’s user interface and so achieve persistence. Combined with its other capabilities, this lets the malware capture lock-screen data and block attempts to uninstall it.

Why it matters

  • Beyond achieving persistence, PromptSpy's primary function is to deploy a Virtual Network Computing (VNC) module, which allows attackers to remotely view the infected device's screen and perform actions on it. The malware can also gather device information, take screenshots, and record screen activity.
  • The generative AI component of PromptSpy is used specifically to make the malicious app "locked" or pinned in the recent apps list, preventing it from being easily swiped away or terminated by the operating system. To do this, the malware sends an XML dump of the current screen to the AI model, which then returns step-by-step instructions for the taps and swipes needed to pin the app.
  • This is the second piece of AI-powered malware discovered by ESET Research, the first being PromptLock in August 2025, which was described as the first known AI-driven ransomware.
  • Based on language localization clues and distribution methods, the campaign appears to be financially motivated and primarily targeting users in Argentina. The malicious app, named "MorganArg," seems to impersonate the Morgan Chase bank to lure its victims.
  • PromptSpy has not been detected in ESET's telemetry, which suggests that it may currently be a proof of concept rather than a widespread threat.
  • The malware is distributed through a dedicated website and has not been found on the Google Play Store. As a partner in the App Defense Alliance, ESET has shared its findings with Google, and Google Play Protect now automatically protects users from known versions of this malware.
  • To remove PromptSpy, a user must reboot the device into Safe Mode. Safe Mode disables third-party apps, so the malicious application can be uninstalled without interference from its uninstallation-blocking feature.
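The pinning trick above works as a loop: dump the current screen as XML, ask the model for the next tap or swipe, perform it, dump again. The block below is an added illustration, not ESET's analysis code and not anything from the malware itself: it replaces the model with a deterministic planner over constructed uiautomator-style dumps so the mechanics are visible, and adds a defender-side heuristic for spotting such a dump in outbound traffic. The launcher labels "Pin" and "Lock", the app label "MorganArg" as a screen title, and the dump contents are assumptions for the example.

```python
# Added illustration (not ESET's or the malware's code): a deterministic
# stand-in for the "screen XML -> next tap/swipe" step that PromptSpy is
# reported to delegate to Gemini, plus a crude egress check for UI dumps.
import re
import xml.etree.ElementTree as ET

BOUNDS_RE = re.compile(r"\[(\d+),(\d+)\]\[(\d+),(\d+)\]")
# Assumed wording of the pin control; real labels vary by OEM and locale.
PIN_LABELS = {"pin", "lock"}

# Constructed uiautomator-style dumps of a Recents screen (not real captures).
DUMP_RECENTS = """<hierarchy rotation="0">
  <node index="0" text="" class="android.widget.FrameLayout" package="com.android.launcher3" bounds="[0,0][1080,2400]">
    <node index="0" text="MorganArg" class="android.widget.TextView" package="com.android.launcher3" clickable="true" bounds="[100,300][500,360]"/>
    <node index="1" text="Settings" class="android.widget.TextView" package="com.android.launcher3" clickable="true" bounds="[100,900][500,960]"/>
  </node>
</hierarchy>"""

DUMP_MENU = """<hierarchy rotation="0">
  <node index="0" text="" class="android.widget.FrameLayout" package="com.android.launcher3" bounds="[0,0][1080,2400]">
    <node index="0" text="App info" class="android.widget.TextView" package="com.android.launcher3" clickable="true" bounds="[600,240][760,300]"/>
    <node index="1" text="Pin" class="android.widget.TextView" package="com.android.launcher3" clickable="true" bounds="[600,300][760,360]"/>
  </node>
</hierarchy>"""


def center(bounds):
    """Centre point of a uiautomator bounds string '[x1,y1][x2,y2]'."""
    x1, y1, x2, y2 = map(int, BOUNDS_RE.match(bounds).groups())
    return (x1 + x2) // 2, (y1 + y2) // 2


def _first(root, pred):
    """First <node> element in document order satisfying pred, or None."""
    return next((n for n in root.iter("node") if pred(n)), None)


def plan_next_action(dump_xml, app_label):
    """Return the single next UI action towards pinning app_label in Recents.

    Each call sees one screen dump and answers with one tap or swipe; the
    caller performs it, dumps the screen again and calls back (the loop the
    article attributes to the model).
    """
    root = ET.fromstring(dump_xml)
    pin = _first(root, lambda n: n.get("text", "").strip().lower() in PIN_LABELS
                 and n.get("clickable") == "true")
    if pin is not None:
        x, y = center(pin.get("bounds"))
        return {"action": "tap", "x": x, "y": y, "done": True}
    card = _first(root, lambda n: n.get("text") == app_label)
    if card is not None:
        x, y = center(card.get("bounds"))  # tapping the card title opens its menu
        return {"action": "tap", "x": x, "y": y, "done": False}
    # Target card not on screen: scroll the Recents carousel and look again.
    return {"action": "swipe", "x1": 540, "y1": 1800, "x2": 540, "y2": 600, "done": False}


def drive(dumps, app_label):
    """Run the planner over successive screen dumps; stop once the pin is pressed."""
    actions = []
    for dump in dumps:
        step = plan_next_action(dump, app_label)
        actions.append(step)
        if step["done"]:
            break
    return actions


def looks_like_ui_dump(body):
    """Defender-side heuristic: does an outbound request body carry a screen dump?"""
    return "<hierarchy" in body and BOUNDS_RE.search(body) is not None


if __name__ == "__main__":
    for step in drive([DUMP_RECENTS, DUMP_MENU], "MorganArg"):
        print(step)
```

The planner needs nothing a local rule could not do, which is the practical point for defenders: the model adds robustness across launchers and locales, not capability. The observable artifacts stay the same either way, a screen dump captured on the device followed by an outbound request carrying it, and `looks_like_ui_dump` is the kind of coarse check a proxy or DLP rule can apply to request bodies from an app that has no business reading other apps' screens.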
