First AI-Powered Android Malware 'PromptSpy' Discovered

- Beyond its AI-driven persistence, PromptSpy's primary function is to deploy a Virtual Network Computing (VNC) module, which grants attackers full remote access to view and control an infected device's screen. - The malware feeds Gemini a natural language prompt and an XML dump of the current user interface; the AI then returns JSON-formatted instructions for the malware to execute, such as the precise coordinates for a tap or swipe needed to "pin" itself in the recent apps list. - To prevent removal, PromptSpy abuses Android's Accessibility Services to place invisible overlays on top of system buttons like "Uninstall" or "Force Stop," intercepting user taps on those controls. - ESET researchers believe PromptSpy is an advanced version of a previously unknown malware called VNCSpy, which first appeared on VirusTotal in January 2026. - Evidence suggests a financially motivated campaign targeting users in Argentina; distribution websites were found impersonating the JPMorgan Chase bank with names like "MorganArg". - This is the second AI-powered malware discovered by ESET, following the "PromptLock" ransomware identified in August 2025. - While not yet detected in ESET's telemetry, suggesting it may be a proof-of-concept, debug strings written in Simplified Chinese point to a potential developer origin. - Due to its method of blocking uninstallation, the only way for a user to remove PromptSpy is to reboot the device into Safe Mode, which prevents third-party apps from running.