ESET Discovers First Android Malware Using Generative AI

Published by The Daily Scout

What happened

Security firm ESET has discovered PromptSpy, the first known Android malware to abuse generative AI in its execution. The malware uses prompts to Google's Gemini model to guide malicious user interface manipulation and capture lockscreen data. This represents the first time generative AI has been deployed in this manner to help malware achieve persistence on a device.

Why it matters

- PromptSpy's primary function is to deploy a Virtual Network Computing (VNC) module, which grants attackers remote access to view the device's screen and perform actions. This enables them to capture lockscreen PINs or passwords, record the screen to get unlock patterns, and take screenshots.
- The malware sends an XML file with user interface data to Google's Gemini, which then returns JSON instructions on where to tap or swipe to lock the malware in the "recent apps" list, ensuring it survives a reboot. This makes the malware highly adaptable to different device layouts and operating system versions.
- To prevent removal, PromptSpy overlays transparent rectangles over buttons containing words like "uninstall" or "force stop," which intercept user taps and make manual deletion difficult. The only way for a user to remove the malware is by rebooting the device into Safe Mode.
- While PromptSpy is the first Android malware to use generative AI for in-execution UI manipulation, ESET previously discovered a proof-of-concept AI-driven ransomware called PromptLock in August 2025. Another malware, Android.Phantom, has used TensorFlow machine learning models for ad fraud.
- Evidence suggests the malware was created by Chinese developers and is financially motivated, with a distribution domain that impersonated JPMorgan Chase Bank to target users in Argentina.
- Despite its novel use of AI, PromptSpy has not yet been widely detected by ESET's telemetry, leading researchers to believe it may currently be a proof-of-concept rather than a widespread threat.
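The tap-blocking overlay described above leaves a visible trace in the UI hierarchy: an empty view from another package sitting exactly over the "Uninstall" or "Force stop" button. The following detection heuristic is an added example written for this page, not code from ESET or from the report; it scans a constructed uiautomator-style XML dump, and the overlay package name is a placeholder.

```python
# Added defender-side example (not from ESET or The Daily Scout): flag empty,
# foreign-package views whose bounds fully cover a button labelled "uninstall"
# or "force stop" in a uiautomator-style UI hierarchy dump.
# SAMPLE_DUMP is constructed sample input; "placeholder.overlay.app" is a placeholder.
import re
import xml.etree.ElementTree as ET

SUSPECT_WORDS = ("uninstall", "force stop")
BOUNDS_RE = re.compile(r"\[(\d+),(\d+)\]\[(\d+),(\d+)\]")

SAMPLE_DUMP = """<hierarchy>
  <node text="" class="android.widget.FrameLayout" package="com.android.settings" bounds="[0,0][1080,2400]">
    <node text="Force stop" class="android.widget.Button" package="com.android.settings" bounds="[60,1800][500,1900]"/>
    <node text="Uninstall" class="android.widget.Button" package="com.android.settings" bounds="[580,1800][1020,1900]"/>
    <node text="Open" class="android.widget.Button" package="com.android.settings" bounds="[60,1950][1020,2050]"/>
  </node>
  <node text="" class="android.view.View" package="placeholder.overlay.app" bounds="[50,1790][1030,1910]"/>
</hierarchy>"""

def parse_bounds(node):
    # Returns (left, top, right, bottom) or None when the attribute is malformed.
    m = BOUNDS_RE.fullmatch(node.get("bounds", ""))
    return tuple(int(v) for v in m.groups()) if m else None

def covers(outer, inner):
    # True when rectangle `outer` completely contains rectangle `inner`.
    return (outer[0] <= inner[0] and outer[1] <= inner[1]
            and outer[2] >= inner[2] and outer[3] >= inner[3])

def find_overlay_hijacks(dump_xml):
    # Returns a list of (button label, overlaying package) pairs in document order.
    root = ET.fromstring(dump_xml)
    nodes = [n for n in root.iter("node") if parse_bounds(n)]
    targets = [n for n in nodes
               if any(w in n.get("text", "").lower() for w in SUSPECT_WORDS)]
    findings = []
    for t in targets:
        for n in nodes:
            if n is t or n.get("text"):
                continue
            # Same-package containers (the Settings layout itself) are expected;
            # an empty view from a different package over the button is the red flag.
            if n.get("package") != t.get("package") and covers(parse_bounds(n), parse_bounds(t)):
                findings.append((t.get("text"), n.get("package")))
    return findings

if __name__ == "__main__":
    for label, pkg in find_overlay_hijacks(SAMPLE_DUMP):
        print(f"button '{label}' is covered by an empty view from {pkg}")
```

On a real device the same heuristic can be run over the output of `adb shell uiautomator dump`, with the caveat that overlay windows are not always included in that dump.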


