ESET Discovers First Android Malware to Use GenAI

Cybersecurity firm ESET has discovered 'PromptSpy,' the first known Android malware to abuse generative AI. The discovery highlights an emerging threat vector where generative AI can be weaponized, reinforcing the need for robust security measures in all AI-integrated systems.

- PromptSpy utilizes Google's Gemini AI not for its core malicious functions, but for a crucial persistence mechanism; it sends an XML dump of the current screen to the AI, which then returns JSON instructions on how to interact with the UI to pin the malware in the recent apps list, making it resistant to being closed.
- The malware's primary payload is a Virtual Network Computing (VNC) module that grants attackers remote control over the device, allowing them to view the screen, perform actions, capture lockscreen data, and record video. Communication with its command-and-control server is conducted via the VNC protocol, secured with AES encryption.
- This malware represents an architectural shift from hard-coded instructions to dynamic, AI-guided UI manipulation, enabling it to adapt to various Android devices, screen layouts, and OS versions, thereby expanding its potential victim pool. The AI model and prompt, however, are predefined in the code and cannot be altered remotely.
- For the insurtech space, this type of adaptive malware poses a significant threat to claims automation and underwriting processes that are increasingly reliant on mobile inputs and AI-driven data analysis. A compromised device could be used to inject fraudulent documents or manipulate data submitted through an insurer's mobile API, potentially bypassing traditional fraud detection models.
- Defending against such threats requires a multi-agent system (MAS) approach to security, where specialized AI agents collaborate to detect anomalies across different layers of the application and infrastructure stack. This architecture mirrors a defensive version of the malware's own adaptive capabilities, allowing for more robust and context-aware threat detection than single-model systems.
- From a backend and API architecture perspective, securing systems against such threats involves implementing a zero-trust model where every API call is authenticated and authorized, even from internal systems. Best practices include using short-lived tokens, applying the principle of least privilege to AI agents, and implementing data loss prevention (DLP) rules at the API gateway to scan for and block sensitive data exfiltration.
- The discovery of PromptSpy follows a previous AI-powered ransomware called 'PromptLock' found in August 2025, indicating a growing trend of weaponizing generative AI in malware. While PromptSpy appears to be in a proof-of-concept stage with initial targeting in Argentina, its evolution from an earlier variant named VNCSpy suggests ongoing development by financially motivated actors.
- To remove PromptSpy, users must reboot their device into Safe Mode, as the malware uses its access to Android's Accessibility Services to create invisible overlays that block uninstallation attempts in the standard operating mode.
