First Android Malware Using Generative AI Found
ESET researchers have discovered "PromptSpy," the first known Android malware to use generative AI in its execution. The malware abuses Google's Gemini AI model to guide malicious user interface manipulation, capture lockscreen data, and achieve persistence on the device. This marks the first time generative AI has been deployed by attackers in this manner.
- The malware functions by sending an XML dump of the device's current screen to the Gemini AI, which then returns JSON-formatted instructions detailing the precise taps and gestures needed to "pin" the malicious app in the recent apps list, adapting to any device's unique user interface.
- Beyond its use of AI for persistence, PromptSpy's main purpose is to function as spyware, deploying a Virtual Network Computing (VNC) module that gives attackers full remote access and real-time control over the compromised device.
- PromptSpy is designed to prevent its own removal by placing invisible overlays on top of on-screen buttons, which intercept user taps intended for actions like "Uninstall" or "Force Stop". The only way for a user to remove the malware is to reboot the device into Safe Mode.
- The malware, named "MorganArg," impersonates the JPMorgan Chase bank and appears to specifically target users in Argentina, based on language clues and distribution vectors. The first samples of this more advanced version were uploaded to VirusTotal from Argentina on February 10, 2026.
- Discovered by ESET researcher Lukáš Štefanko, PromptSpy is considered an evolution of an earlier, non-AI malware strain named "VNCSpy" that first appeared on VirusTotal on January 13, 2026, from uploads in Hong Kong.
- While machine learning has been used by Android malware for ad fraud, PromptSpy is the first known instance of a threat integrating *generative* AI directly into its execution flow to make real-time decisions.
- In addition to its AI-driven persistence, the malware can execute a range of spyware functions, including intercepting lockscreen PINs, recording screen activity as video, and uploading a list of all installed apps to a command-and-control server.
- As a partner in the App Defense Alliance, ESET shared its findings with Google.
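The overlay-based removal blocking described above leaves a trace that an analyst or endpoint tool can look for: a UI hierarchy dump shows a clickable node, belonging to a package other than the foreground app, with no text or content description, whose bounds fully cover a labelled button such as "Uninstall". The following Python is an added example (not ESET's code or anything from the malware) that scans a uiautomator-style hierarchy dump for exactly that pattern. The sample XML is constructed for illustration; the assumption that the first node's package is the legitimate foreground app and the package name `com.example.suspect` are both hypothetical.

```python
"""Flag invisible, clickable nodes from a foreign package that cover labelled
buttons of the foreground app in a uiautomator-style UI hierarchy dump.

Added example for triage, not code from the original article or from ESET.
"""
import re
import xml.etree.ElementTree as ET

# uiautomator writes bounds as "[left,top][right,bottom]"
BOUNDS_RE = re.compile(r"\[(\d+),(\d+)\]\[(\d+),(\d+)\]")

# Constructed sample: a Settings "App info" screen where an unlabelled node
# from another package sits over both the Uninstall and Force stop buttons.
SAMPLE_DUMP = """<hierarchy rotation="0">
  <node index="0" text="" class="android.widget.FrameLayout"
        package="com.android.settings" bounds="[0,0][1080,2400]">
    <node index="0" text="Uninstall" class="android.widget.Button"
          package="com.android.settings" clickable="true"
          bounds="[60,1900][520,2020]" />
    <node index="1" text="Force stop" class="android.widget.Button"
          package="com.android.settings" clickable="true"
          bounds="[560,1900][1020,2020]" />
  </node>
  <node index="1" text="" content-desc="" class="android.view.View"
        package="com.example.suspect" clickable="true"
        bounds="[50,1890][1030,2030]" />
</hierarchy>
"""


def parse_bounds(value):
    """Return (left, top, right, bottom) from a uiautomator bounds string."""
    match = BOUNDS_RE.fullmatch(value.strip())
    if not match:
        raise ValueError(f"unparseable bounds: {value!r}")
    return tuple(int(v) for v in match.groups())


def covers(outer, inner):
    """True if rectangle `outer` fully contains rectangle `inner`."""
    ol, ot, orr, ob = outer
    il, it, ir, ib = inner
    return ol <= il and ot <= it and orr >= ir and ob >= ib


def find_covering_overlays(dump_xml, foreground_package=None):
    """Return (overlay_package, covered_button_text) pairs.

    A finding is a clickable node with no text and no content-desc, owned by
    a package other than the foreground app, whose bounds fully cover a
    labelled clickable node of the foreground app. If `foreground_package`
    is not given, the package of the first node is assumed to be the
    legitimate foreground app (a simplifying assumption for this example).
    """
    root = ET.fromstring(dump_xml)
    nodes = list(root.iter("node"))
    if not nodes:
        return []
    if foreground_package is None:
        foreground_package = nodes[0].get("package")

    buttons = [
        n for n in nodes
        if n.get("package") == foreground_package
        and n.get("clickable") == "true"
        and (n.get("text") or "").strip()
    ]

    findings = []
    for node in nodes:
        pkg = node.get("package")
        if pkg == foreground_package or node.get("clickable") != "true":
            continue
        # Anything with a visible label is not an "invisible" overlay.
        if (node.get("text") or "").strip() or (node.get("content-desc") or "").strip():
            continue
        overlay_bounds = parse_bounds(node.get("bounds", ""))
        for button in buttons:
            if covers(overlay_bounds, parse_bounds(button.get("bounds", ""))):
                findings.append((pkg, button.get("text")))
    return findings


if __name__ == "__main__":
    for pkg, label in find_covering_overlays(SAMPLE_DUMP):
        print(f"{pkg} covers button '{label}'")
```

On a live device the dump would come from `adb shell uiautomator dump` while the Settings "App info" page for the suspect app is open; a non-empty result is a strong signal to follow the article's remediation path of rebooting into Safe Mode, where third-party overlays cannot run, before uninstalling.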
Android users are automatically protected from known versions of PromptSpy by Google Play Protect, which is enabled by default on devices with Google Play Services.