First Android Malware Using GenAI Discovered

ESET researchers discovered the first known Android malware that abuses generative AI as part of its execution. Named 'PromptSpy', the malware uses prompts to Google’s Gemini model to guide malicious user interface manipulations on an infected device. This method allows it to achieve persistence, capture lockscreen data, and block uninstallation.

- The core function of PromptSpy is full remote control of the infected device through a Virtual Network Computing (VNC) module, which lets the operators watch the screen and act on it in real time. The generative AI component exists to make the malware adaptable: it handles the differences in settings and recent-apps menus across Android vendors and versions so that the persistence steps keep working on whatever device it lands on.
- This is the second AI-powered malware discovered by ESET Research, following "PromptLock" in August 2025, which was the first known AI-driven ransomware. Other malware has used machine learning before, but PromptSpy is the first identified Android threat to call a generative AI model as part of its execution flow.
- Evidence suggests the campaign is financially motivated and primarily targets users in Argentina by impersonating the Morgan Chase bank. The malicious app, named "MorganArg," was distributed via dedicated websites, not the Google Play Store.
- Debug strings in the malware's code are written in simplified Chinese, indicating it was likely developed in a Chinese-speaking environment. The malware evolved from an earlier, non-AI version named "VNCSpy"; the initial samples were uploaded to VirusTotal from Hong Kong before more advanced versions appeared from Argentina.
- To prevent removal, PromptSpy abuses Accessibility Services to place invisible overlays on the screen that swallow the user's taps on buttons such as "Uninstall" or "Force stop." Removal requires rebooting the device into Safe Mode, which disables third-party apps and with them the overlay that intercepts the taps.
- Traditional Android malware automates taps with hardcoded screen coordinates, which break as soon as the layout differs. PromptSpy instead sends an XML dump of the current screen hierarchy to the Gemini model and receives precise, step-by-step JSON instructions for taps and swipes, which it executes to navigate device-specific menus and "lock" itself in the recent apps list so it is not swiped away.
- While PromptSpy is a significant development, researchers note it has not yet been widely detected in the wild, suggesting it may currently be a proof-of-concept. However, its creation signals a trend where attackers are beginning to misuse AI to make malware more dynamic and capable of real-time decision-making.
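The two mechanisms above, the screen-hierarchy XML the malware reads and the overlay it parks over the "Uninstall" and "Force stop" buttons, can be checked from the same artifact during triage. The script below is an added example written for this briefing; it is not ESET's analysis tooling and contains nothing from the PromptSpy sample. It assumes the dump is in the format written by `adb shell uiautomator dump /sdcard/ui.xml` (`<node>` elements with `package`, `text`, `content-desc`, `clickable` and `bounds="[x1,y1][x2,y2]"` attributes) and that the dump includes the nodes of every visible window, so an overlay appears under a package other than `com.android.settings`. The sample dump and the package name `com.example.morganarg` are constructed for the example.

```python
# Added example: flag a third-party window that overlaps the Settings app's
# "Uninstall" / "Force stop" buttons in a uiautomator UI-hierarchy dump.
# Not ESET's code and not from the PromptSpy sample. Assumes the dump format
# of `adb shell uiautomator dump` and that every visible window is included.
# SAMPLE_DUMP and the package name com.example.morganarg are constructed.
import re
import xml.etree.ElementTree as ET

SETTINGS_PACKAGE = "com.android.settings"
PROTECTED_LABELS = {"uninstall", "force stop", "disable"}
BOUNDS_RE = re.compile(r"\[(\d+),(\d+)\]\[(\d+),(\d+)\]")

# Constructed dump: the app-info page for "MorganArg" plus one blank,
# clickable frame from a foreign package laid over the button row.
SAMPLE_DUMP = """<hierarchy rotation="0">
  <node index="0" text="" content-desc="" class="android.widget.FrameLayout" package="com.android.settings" clickable="false" bounds="[0,0][1080,2340]">
    <node index="0" text="MorganArg" content-desc="" class="android.widget.TextView" package="com.android.settings" clickable="false" bounds="[200,300][880,360]" />
    <node index="1" text="Uninstall" content-desc="" class="android.widget.Button" package="com.android.settings" clickable="true" bounds="[60,500][520,620]" />
    <node index="2" text="Force stop" content-desc="" class="android.widget.Button" package="com.android.settings" clickable="true" bounds="[560,500][1020,620]" />
    <node index="3" text="Open" content-desc="" class="android.widget.Button" package="com.android.settings" clickable="true" bounds="[60,700][1020,820]" />
  </node>
  <node index="1" text="" content-desc="" class="android.widget.FrameLayout" package="com.example.morganarg" clickable="true" bounds="[0,480][1080,640]" />
</hierarchy>
"""


def parse_bounds(value):
    """Turn uiautomator's "[x1,y1][x2,y2]" string into an (x1, y1, x2, y2) tuple."""
    m = BOUNDS_RE.fullmatch(value.strip())
    if not m:
        raise ValueError(f"unrecognised bounds attribute: {value!r}")
    return tuple(int(v) for v in m.groups())


def overlaps(a, b):
    """True when rectangles a and b share area (edges merely touching do not count)."""
    ax1, ay1, ax2, ay2 = a
    bx1, by1, bx2, by2 = b
    return ax1 < bx2 and bx1 < ax2 and ay1 < by2 and by1 < ay2


def label_of(node):
    """Visible label of a node: its text, falling back to its content-desc."""
    return (node.get("text") or node.get("content-desc") or "").strip()


def find_blocking_overlays(xml_text):
    """Return one finding per (protected Settings button, foreign window) pair
    whose bounds overlap. Each finding records the button label, the overlaying
    package, its bounds, its label (empty for an invisible overlay) and whether
    it is clickable, i.e. will consume the tap instead of passing it through."""
    root = ET.fromstring(xml_text)
    nodes = list(root.iter("node"))
    buttons = [
        n for n in nodes
        if n.get("package") == SETTINGS_PACKAGE
        and label_of(n).lower() in PROTECTED_LABELS
    ]
    foreign = [n for n in nodes if n.get("package") not in (None, SETTINGS_PACKAGE)]
    findings = []
    for button in buttons:
        b_rect = parse_bounds(button.get("bounds"))
        for win in foreign:
            w_rect = parse_bounds(win.get("bounds"))
            if overlaps(b_rect, w_rect):
                findings.append({
                    "button": label_of(button),
                    "overlay_package": win.get("package"),
                    "overlay_bounds": w_rect,
                    "overlay_label": label_of(win),
                    "clickable": win.get("clickable") == "true",
                })
    return findings


if __name__ == "__main__":
    for f in find_blocking_overlays(SAMPLE_DUMP):
        print(f"{f['button']!r} is covered by {f['overlay_package']} at "
              f"{f['overlay_bounds']} (label={f['overlay_label']!r}, clickable={f['clickable']})")
```

On the constructed dump this reports both "Uninstall" and "Force stop" as covered by a blank, clickable frame from the foreign package, which is exactly the pattern the bullet above describes: the buttons are present and enabled, the user's taps simply never reach them. A dump taken over adb is a useful vantage point because the overlay only intercepts touch input, not the debugging interface; cross-check the package name against `adb shell dumpsys window windows`, which lists every window with its owning package, before drawing conclusions from a single dump.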

Shared from Scout - Be the smartest in the room.