First Generative AI-Powered Android Malware Discovered

ESET researchers have discovered 'PromptSpy,' the first known Android malware that uses generative AI to execute its functions. The malware abuses Google's Gemini AI model through prompting to guide malicious UI manipulation on an infected device. This novel technique allows it to achieve persistence and capture sensitive data, such as lockscreen information.

- The malware's primary function is to deploy a Virtual Network Computing (VNC) module, which grants the attacker remote access to view the device's screen and perform actions in real-time. It communicates with a hardcoded command-and-control server using the VNC protocol, with traffic encrypted via a built-in AES key.
- To achieve persistence, PromptSpy sends a natural-language prompt and an XML dump of the device's current screen to the Gemini AI model. Gemini analyzes the UI elements and returns JSON instructions for the specific taps and swipes needed to "lock" the malicious app in the recent apps list, preventing it from being easily closed.
- This discovery follows a previous AI-related malware called "PromptLock," found by ESET in August 2025 and described as the first AI-driven ransomware. However, PromptLock was later revealed to be a research project conducted by academics at New York University to demonstrate the potential dangers of AI malware.
- Beyond its AI-driven persistence, the malware uses Android's Accessibility Services to carry out other malicious actions, such as blocking uninstallation attempts with invisible overlays, recording screen activity, and taking screenshots. All AI-suggested actions, like taps and swipes, are also executed through these services.
- Analysis of language localization clues and distribution vectors suggests the campaign is financially motivated and primarily targets users in Argentina. The malware impersonates the Morgan Chase bank, using the application name "MorganArg".
- According to ESET researchers, PromptSpy has not yet been detected in their telemetry, which indicates the malware may currently be a proof of concept rather than a widespread threat. It is reportedly distributed through a dedicated website, not the official Google Play Store.
- Due to its method of blocking uninstallation by overlaying invisible screen elements, the recommended removal method is to reboot the infected device into Safe Mode. This disables third-party apps, allowing the user to uninstall the malicious application normally.
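The two traits described above, reliance on Accessibility Services and distribution outside Google Play, can be combined into a simple device triage check. The following is an added example, not code from ESET or from the original brief: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i` and flags third-party apps that hold an enabled accessibility service but were not installed by a trusted store. The package names, the sample outputs and the trusted-installer list are constructed assumptions.

```python
# Added triage example: sideloaded apps holding an enabled accessibility service.
# Trusted installer list is an assumption; adjust it to your fleet policy.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `settings get secure enabled_accessibility_services`:
# colon-separated "package/ServiceClass" components.
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.passwordmanager/com.example.passwordmanager.FillService:"
    "com.example.sideloaded/.A11yService"
)

# Constructed sample of `pm list packages -3 -i` (third-party packages only).
SAMPLE_PM = """\
package:com.example.passwordmanager  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.example.game  installer=com.android.vending
"""

def parse_accessibility(setting):
    """Return the set of packages that own an enabled accessibility service."""
    pkgs = set()
    for component in setting.strip().split(":"):
        if "/" in component:  # skips "null" or empty values
            pkgs.add(component.split("/", 1)[0])
    return pkgs

def parse_installers(listing):
    """Map each third-party package to its recorded installer package."""
    installers = {}
    for line in listing.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        fields = line[len("package:"):].split()
        installer = "null"
        for field in fields[1:]:
            if field.startswith("installer="):
                installer = field.split("=", 1)[1]
        installers[fields[0]] = installer
    return installers

def flag_suspects(setting, listing):
    """Third-party apps with accessibility enabled and an untrusted installer."""
    installers = parse_installers(listing)
    return sorted(p for p in parse_accessibility(setting)
                  if p in installers and installers[p] not in TRUSTED_INSTALLERS)

if __name__ == "__main__":
    print(flag_suspects(SAMPLE_A11Y, SAMPLE_PM))
```

A flagged package is a lead for review rather than a verdict, since legitimately sideloaded tools can also hold accessibility permissions.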
