First Android Malware Using Generative AI Discovered

- The primary function of PromptSpy is to gain remote control of an infected device using a built-in Virtual Network Computing (VNC) module, which allows attackers to view the screen and perform actions as if they were physically holding it. This access enables them to intercept lockscreen PINs, record pattern unlocks as video, take screenshots, and upload lists of installed apps. - To achieve persistence, PromptSpy sends an XML dump of the device's current screen to the Gemini AI model with a natural language prompt, asking for instructions on how to "pin" the malicious app in the recent apps list. Gemini then returns JSON-formatted instructions detailing the specific taps and gestures needed, which the malware executes through the device's Accessibility Services, overcoming variations in user interfaces across different Android versions and manufacturers. - The malware prevents its own removal by using the Accessibility Service to create invisible overlays on top of buttons like "Uninstall" or "Force Stop," which intercept user taps and make it difficult to disable the malicious app. The only effective way to remove PromptSpy is to reboot the device into Safe Mode, where third-party apps are disabled and can be uninstalled. - This malware is considered an advanced version of a previously unknown Android threat called VNCSpy, which first appeared on the VirusTotal platform in January 2026. Analysis of distribution vectors and language clues suggests the campaign is financially motivated and primarily targets users in Argentina, with phishing websites impersonating JPMorgan Chase's Argentinian brand. - While PromptSpy is the first *Android* malware to use generative AI in its execution, ESET researchers previously discovered PromptLock in August 2025, the first known instance of AI-driven ransomware. However, PromptLock was later revealed to be a research project by engineers at New York University to demonstrate the potential dangers of AI in malware. - The use of generative AI in malware is an emerging trend, with other examples including FruitShell, which used AI prompts to bypass detection, and HONESTCUE, which uses the Gemini API to receive and execute malicious C# code. Threat actors are also using public trust in AI services to host social engineering content that tricks users into installing malware. - Security researchers have previously identified vulnerabilities in Google's Gemini, such as "Promptware" attacks where malicious instructions are hidden in calendar invites and shared documents. These "indirect prompt injection" attacks exploit the trust boundary between user-controlled content and the AI model's processing, allowing for potential data exfiltration without user action.