First Android Malware Using Generative AI Discovered
Cybersecurity firm ESET discovered the first known Android malware that uses generative AI in its execution. Named 'PromptSpy', the threat abuses Google's Gemini model to guide malicious user interface manipulations. The malware can reportedly capture lockscreen data and is the first time generative AI has been deployed in this manner to achieve persistence on a device.
- PromptSpy leverages generative AI to overcome device fragmentation; it sends an XML dump of the current user interface to Google's Gemini model, which then returns JSON-formatted instructions on how to perform the specific gestures needed to "pin" the malicious app, ensuring persistence across different Android versions and manufacturer skins. - For enterprise CISOs, threats like PromptSpy validate major concerns around AI adoption, primarily the risk of data leakage and the integration of third-party AI capabilities into vendor products without sufficient documentation or risk management. A recent survey found that 68% of security leaders are concerned about third-party software supply chain risk, viewing the integration of opaque, third-party AI models as a convergence of two major threat vectors. - While PromptSpy's primary function is spyware enabled by a Virtual Network Computing (VNC) module for remote access, its use of AI for persistence is a novel tactic. This follows a trend of increasingly sophisticated AI-powered threats, such as the AI-driven ransomware 'PromptLock' discovered by ESET in August 2025. - The incident highlights security risks in agentic AI architectures, where autonomous systems can execute multi-step tasks. Security frameworks are now evolving to address threats unique to agentic systems, such as goal hijacking, tool misuse, and identity abuse by AI agents, which traditional AI security models did not account for. - Investor sentiment in the AI space remains strong, with AI companies accounting for 58% of total VC investments, though there is increasing selectivity. However, incidents like this can heighten scrutiny, pushing investors to favor startups with robust safety and ethical considerations integrated into their product development. - This new threat vector complicates enterprise procurement of AI tools, which is already shifting from pilot projects to enterprise-wide adoption in 2026. The discovery will likely lengthen procurement cycles as security teams add new requirements to vendor assessments to verify how AI capabilities are implemented and secured against manipulation.
