First Android Malware Using Generative AI Discovered
ESET researchers have discovered PromptSpy, the first known Android malware to abuse a generative AI model in its execution flow. The malware uses prompts to Google's Gemini AI to guide malicious UI manipulation, enabling it to achieve persistence on a device. The threat can capture lockscreen data and block uninstallation, representing a new category of AI-driven mobile security threats.
- The malware, discovered by ESET researcher Lukáš Štefanko, uses Google's Gemini AI to overcome Android UI fragmentation. It sends a natural-language prompt and an XML dump of the current screen to Gemini, which then returns JSON-formatted instructions for the malware to execute gestures like taps or swipes to "lock" itself in the recent apps list, making it resistant to termination.
- While the AI-driven persistence is novel, PromptSpy's primary function is traditional spyware; it deploys a Virtual Network Computing (VNC) module that gives attackers remote access and control over the infected device. Its capabilities include capturing lockscreen PINs, recording screen activity, taking screenshots, and blocking uninstallation by placing invisible overlays on UI buttons.
- This is the second AI-powered malware discovered by ESET, following the AI-driven ransomware "PromptLock" in August 2025. While machine learning models have been seen in Android malware before for tasks like ad fraud, PromptSpy is the first known instance of a generative AI model being used directly in the malware's execution flow for UI manipulation.
- Evidence suggests the malware campaign is financially motivated and primarily targets users in Argentina, with distribution through phishing websites impersonating the JPMorgan Chase bank in Argentina. The app name, "MorganArg," is likely a shorthand for "Morgan Argentina."
- The malware has not been detected in ESET's telemetry, leading to speculation that it may currently be a proof-of-concept. However, samples were uploaded to VirusTotal from Hong Kong and Argentina in January and February 2026, and debug strings in simplified Chinese suggest it was developed in a Chinese-speaking environment.
- The use of generative AI for UI navigation allows the malware to be more adaptable across different devices, screen layouts, and OS versions, which would typically break malware reliant on hardcoded coordinates or UI selectors. This represents a significant step in making malware more dynamic and resilient.