First Android Malware Using Generative AI Discovered
ESET researchers have discovered "PromptSpy," the first known Android malware to abuse generative AI in its execution flow. The malware uses prompts to Google’s Gemini model to guide malicious UI manipulation, capture lockscreen data, and achieve persistence on the device. This represents a novel attack vector where AI is used to directly control malicious actions.
- The malware's use of generative AI is specifically for ensuring its own persistence; it sends an XML dump of the device's live user interface to Google's Gemini model to receive JSON-formatted instructions for the exact taps and swipes needed to "lock" the malicious app in the recent apps list, preventing it from being easily closed. - PromptSpy is believed to be an advanced version of a previously discovered Android malware called VNCSpy and appears to be distributed through a phishing site impersonating the JPMorgan Chase Argentina banking brand. The app itself is named "MorganArg," likely a shorthand for "Morgan Argentina," and uses an icon inspired by Chase Bank. - Beyond its AI-driven persistence, PromptSpy's primary function is to grant attackers remote access to the infected device through a built-in Virtual Network Computing (VNC) module. This allows attackers to capture lockscreen data, record screen activity, take screenshots, and block uninstallation attempts by placing invisible overlays on the screen. - The malware abuses Android's Accessibility Services to execute the actions suggested by the AI and to carry out its other malicious activities without user input. This is a common tactic for Android malware, as Accessibility Services provide broad control over the device's interface and can be used to bypass Android's permission system. - While discovered by ESET researchers, PromptSpy has not yet been observed in their wider telemetry, suggesting it may currently be a proof of concept. However, Google Play Protect automatically protects Android users against known versions of this malware. - This is the second AI-powered malware discovered by ESET, following a ransomware named "PromptLock" in August 2025. PromptLock was later revealed to be a research project to demonstrate the potential dangers of AI in malware. - Analysis of the code revealed debug strings and event handlers written in simplified Chinese, suggesting the developer may be from a Chinese-speaking environment. The initial samples of its predecessor, VNCSpy, were first uploaded to VirusTotal from Hong Kong. - To remove PromptSpy, a user would need to reboot the device into Safe Mode, which disables third-party apps, and then uninstall the malicious application. This is necessary because the malware is designed to block uninstallation attempts in normal operating mode.
