First Android Malware Using Generative AI Discovered
ESET researchers have discovered PromptSpy, the first known Android malware that abuses generative AI during its execution. The malware sends prompts to Google's Gemini AI model and uses the answers to drive malicious UI manipulation, a novel way of achieving persistence on a device. PromptSpy is capable of capturing lockscreen data and blocking its own uninstallation.
- The malware's primary function is to deploy a Virtual Network Computing (VNC) module, which gives attackers remote access to view the device's screen and perform actions. This allows for the capture of lockscreen data, video recording of the screen, and the blocking of uninstallation attempts.
- PromptSpy overcomes variations in Android UIs by sending an XML dump of the current screen to Google's Gemini model. The AI then returns specific instructions on how to interact with the UI to "lock" the malicious app in the recent apps list, preventing it from being easily closed.
- The malware heavily relies on abusing Android's Accessibility Services to execute the commands suggested by the AI, enabling it to perform taps and swipes without user interaction. This service is also used to prevent its own uninstallation by placing invisible overlays on the screen to intercept user taps on buttons like "Uninstall".
- While PromptSpy is the first known Android malware to use generative AI for its execution, other malware has previously utilized machine learning. For instance, the Android.Phantom malware used TensorFlow models to analyze advertisement screenshots for ad fraud. ESET had also previously discovered an AI-driven ransomware named PromptLock in August 2025.
- The discovery was made by ESET researcher Lukáš Štefanko. Analysis of the malware, including language localization clues, suggests it is part of a financially motivated campaign primarily targeting users in Argentina.
- The malware has not yet been widely observed in the wild, leading researchers to believe it may currently be a proof of concept. It was not found on the Google Play Store and appears to be distributed via a dedicated website.
- To remove PromptSpy, users must reboot their device into Safe Mode. This disables third-party apps, including the malware's ability to block the uninstallation process.
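The traits described above (an enabled Accessibility Service, the overlay permission used to intercept taps, and installation from outside Google Play) can be combined into a simple device-triage heuristic. The following is an added example, not ESET's code or anything from the PromptSpy sample; the package names, installer ids and the setting value are constructed, and `SAMPLE_APPS` stands in for data you would collect with `adb shell settings get secure enabled_accessibility_services` and `dumpsys package`.

```python
"""Flag apps that combine the PromptSpy-style traits named in the article."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Android stores enabled services as "pkg/cls:pkg/cls"; it is empty or "null" when none.
# Constructed sample: a legitimate screen reader plus a suspicious sideloaded app.
ENABLED_SERVICES_SAMPLE = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.updater/.ScreenHelperService"
)
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play


@dataclass(frozen=True)
class App:
    package: str
    installer: Optional[str]           # None = preinstalled system app
    permissions: frozenset = frozenset()  # granted permissions


# Constructed sample inventory (hypothetical package names).
SAMPLE_APPS = [
    App("com.google.android.marvin.talkback", None),
    App("com.example.bank", "com.android.vending"),
    App("com.example.updater", "com.google.android.packageinstaller",
        frozenset({OVERLAY_PERM})),
]


def parse_enabled_services(setting: str) -> Set[str]:
    """Return the package names that have an enabled Accessibility Service."""
    if not setting or setting.strip() == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


def triage(apps: Iterable[App], enabled_setting: str,
           trusted: Set[str] = TRUSTED_INSTALLERS) -> Dict[str, List[str]]:
    """Map package -> reasons, for apps whose accessibility use coincides with another risky trait."""
    a11y = parse_enabled_services(enabled_setting)
    findings: Dict[str, List[str]] = {}
    for app in apps:
        reasons = []
        if app.package in a11y:
            reasons.append("accessibility service enabled")
        if OVERLAY_PERM in app.permissions:
            reasons.append("can draw overlays over other apps")
        if app.installer is not None and app.installer not in trusted:
            reasons.append(f"sideloaded via {app.installer}")
        # Accessibility alone is legitimate (screen readers); flag only the combination.
        if reasons and reasons[0] == "accessibility service enabled" and len(reasons) >= 2:
            findings[app.package] = reasons
    return findings


if __name__ == "__main__":
    for pkg, why in triage(SAMPLE_APPS, ENABLED_SERVICES_SAMPLE).items():
        print(pkg, "->", "; ".join(why))
```

On a real device the setting and per-package installer data are exported with adb; the heuristic only narrows the list for manual review and does not by itself identify malware.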