First Generative AI-Powered Android Malware Discovered

ESET researchers have uncovered PromptSpy, the first known Android malware to use generative AI for adaptive attacks. The malware reportedly leverages Google’s Gemini AI to manipulate user interfaces and maintain persistence. This development highlights a new category of security threats for enterprises, particularly those handling sensitive data via APIs.

- PromptSpy’s primary function is to deploy a Virtual Network Computing (VNC) module, which allows attackers to remotely view the infected device's screen and perform actions. Its use of generative AI is a secondary, albeit significant, feature used specifically for maintaining persistence.
- The malware sends a snapshot of the device's screen to the Gemini AI, which then provides step-by-step instructions on how to perform the specific gestures needed to pin the malicious app in the recent apps list, preventing it from being easily closed.
- This is the second AI-powered malware discovered by ESET Research; the first was an AI-driven ransomware named PromptLock, found in August 2025.
- Based on language localization clues and distribution methods, the campaign appears to be financially motivated and primarily targets Android users in Argentina. The malware impersonates the Morgan Chase bank, with an app name of "MorganArg".
- Beyond its AI-driven persistence, PromptSpy abuses Android's Accessibility Services to carry out its malicious activities, which include capturing lockscreen data, recording screen video, and blocking uninstallation attempts with invisible overlays.
- To remove the malware, a user must reboot the device into Safe Mode, which disables third-party apps and allows for normal uninstallation, since the invisible overlays used to block removal will not be active.
- While PromptSpy uses AI for in-attack adaptation, nation-state hacking groups from China, Iran, and North Korea have been observed using large language models like Gemini for pre-attack activities, including target reconnaissance, code generation, and vulnerability research.
- The use of AI allows malware like PromptSpy to be more dynamic and resistant to user interface (UI) changes across different Android devices and versions, a significant evolution from malware that relies on hardcoded interactions.
