First Android Malware Using Generative AI Discovered

ESET researchers discovered "PromptSpy," the first known Android malware to abuse generative AI in its execution. The malware uses prompts to an AI model, specifically Google's Gemini, to guide malicious UI manipulation and can capture lockscreen data.

- The malware, dubbed "PromptSpy," uses its AI component to achieve persistence on a device by analyzing the screen's XML layout and instructing the malware on how to navigate the UI to pin itself to the recent apps list. This makes it adaptable to various Android versions and device layouts, a significant advancement from malware that relies on hardcoded screen coordinates.
- PromptSpy's primary function is to deploy a Virtual Network Computing (VNC) module, which grants attackers remote access and control over the compromised device. Its capabilities include capturing lockscreen data, recording screen activity, taking screenshots, and blocking uninstallation attempts using invisible overlays.
- Evidence suggests the malware was developed in a Chinese-speaking environment and is distributed through a dedicated website impersonating JPMorgan Chase, targeting users in Argentina. It has not been detected on the Google Play Store, and Google Play Protect now blocks known versions of this malware.
- This is the second AI-related malware discovered by ESET, following "PromptLock" in August 2025, which was later revealed to be a research project by New York University engineers. Other AI-assisted malware includes FruitShell, PromptSteal, and QuietVault, as detailed by Google's Threat Intelligence Group in November 2025.
- While the AI component in PromptSpy is currently limited to a single function, researchers note its potential to make malware more dynamic and automate actions that are difficult with traditional scripting. The malware's core functions still rely on traditional techniques.
- To remove PromptSpy, users must reboot their device into Safe Mode, which disables third-party apps and allows for uninstallation. This is necessary because the malware uses Accessibility Services to create invisible overlays that prevent uninstallation through normal methods.
- The use of generative AI by threat actors is a growing trend, with nation-state actors from Iran, China, North Korea, and Russia using models like Gemini for reconnaissance, malware development, and crafting social engineering campaigns. Another malware family, "HONESTCUE," also uses the Gemini API to generate and execute malicious code.
