First Generative AI-Powered Android Malware Found
ESET researchers have discovered PromptSpy, the first known Android malware to use generative AI in its execution. The malware abuses Google's Gemini model to guide malicious UI manipulations, enabling it to capture lockscreen data and achieve persistence on infected devices.
- The malware sends an XML dump of the device's current screen to the Gemini model, which then returns JSON-formatted instructions for the malware to execute taps and swipes. This allows PromptSpy to navigate the user interface and "lock" itself in the recent apps list to maintain persistence, a method that is more adaptable across different Android devices and OS versions than traditional hardcoded scripts. - While the use of generative AI for persistence is novel, the malware's primary payload is a VNC (Virtual Network Computing) module. This gives attackers remote access to view the device's screen and perform actions as if they were physically holding it. - PromptSpy abuses Android's Accessibility Services not only to execute the AI-guided gestures but also to carry out other malicious actions without user input. These actions include capturing lockscreen PINs and passwords, recording the screen to steal unlock patterns, and blocking uninstallation by placing invisible overlays on buttons. - This malware represents a "living-off-the-land" (LOTL) attack style, as it leverages a legitimate, built-in feature of the operating system (the Gemini AI model) to conduct its malicious activities. This technique makes detection more difficult as it blends in with normal system operations. - ESET's discovery of PromptSpy follows their previous identification of "PromptLock" in August 2025, which was described as the first AI-driven ransomware. However, PromptLock was later revealed to be a research project. - The distribution of PromptSpy was traced to a dedicated website and it has not been found on the Google Play Store. Evidence suggests the campaign is financially motivated, potentially targeting users in Argentina with an application disguised to impersonate Chase Bank. - Although not seen in widespread attacks and possibly a proof-of-concept, PromptSpy's code contains elements suggesting it was developed in a Chinese-speaking environment. Google Play Protect now automatically shields users from known versions of this malware. - Prior to PromptSpy, other malware has utilized machine learning, such as Android.Phantom, which used TensorFlow models to analyze ad screenshots for ad fraud. PromptSpy is distinct in its use of a *generative* AI model for dynamic UI manipulation.
