First AI-Powered Android Malware Discovered

Security firm ESET discovered PromptSpy, described as the first known Android malware to use generative AI in its execution. The malware abuses Google’s Gemini AI model to guide malicious user interface manipulations on an infected device. This represents a new method for deploying malware and achieving persistence on mobile devices.

- PromptSpy's primary function is to install a Virtual Network Computing (VNC) module, which gives attackers remote control over the infected device, allowing them to see the screen, perform gestures, and record activity.
- The malware uses Google's Gemini AI specifically to achieve persistence by keeping itself pinned to the "recent apps" list, a process that varies across different Android devices and versions, making it difficult to automate with traditional hardcoded scripts.
- To execute its persistence technique, PromptSpy sends Gemini an XML file of the device's current screen layout, and in return, receives JSON instructions detailing the precise taps and swipes needed to "lock" the app in place.
- In addition to its AI-driven persistence, PromptSpy abuses Android's Accessibility Services to execute the commands suggested by Gemini, block uninstallation attempts with invisible overlays, and capture lockscreen data.
- While PromptSpy is the first Android malware to use generative AI in its execution, ESET previously discovered an AI-driven ransomware named PromptLock in August 2025.
- The malware is distributed through a dropper application masquerading as an app for JPMorgan Chase in Argentina, called "MorganArg," and has so far been uploaded to malware analysis services from Argentina and Hong Kong.
- To remove PromptSpy, users must reboot their device into Safe Mode, which disables third-party apps and allows for normal uninstallation, as the malware otherwise actively blocks the removal process.
- Security researchers note that while the use of generative AI is currently limited to a single function, it makes the malware significantly more adaptable to different devices, screen layouts, and operating system versions, expanding the potential pool of victims.
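Because the behaviour described above depends on the app holding an Accessibility Service, a useful triage step is to list which third-party packages have one enabled. The following is an added example, not code from ESET or from this briefing; it parses the output of two standard adb commands, and the package names and allowlist in it are constructed. It lists candidates for review and does not identify PromptSpy specifically.

```python
"""Triage helper: flag third-party apps holding an Accessibility Service.

Inputs are the text output of two standard adb commands, captured by the analyst:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3
"""

def parse_enabled_services(setting_value):
    """Parse the colon-separated 'package/class' list into (package, class) pairs."""
    value = (setting_value or "").strip()
    if value in ("", "null"):          # setting unset or no service enabled
        return []
    pairs = []
    for component in value.split(":"):
        component = component.strip()
        if "/" not in component:
            continue                    # malformed entry, skip
        package, cls = component.split("/", 1)
        if cls.startswith("."):         # short form: class relative to package
            cls = package + cls
        pairs.append((package, cls))
    return pairs


def parse_third_party(pm_output):
    """Parse 'package:<name>' lines from `pm list packages -3`."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines()
            if line.startswith("package:")}


def flag_services(setting_value, pm_output, allowlist=frozenset()):
    """Return enabled accessibility services owned by non-allowlisted third-party apps."""
    third_party = parse_third_party(pm_output)
    return [(pkg, cls) for pkg, cls in parse_enabled_services(setting_value)
            if pkg in third_party and pkg not in allowlist]


# Constructed sample data (not taken from a real device or from the ESET report).
SAMPLE_SETTING = ("com.google.android.marvin.talkback/.TalkBackService:"
                  "com.example.passwordmanager/com.example.passwordmanager.AutofillA11y:"
                  "com.example.unknownapp/.CoreService")
SAMPLE_PM = "package:com.example.passwordmanager\npackage:com.example.unknownapp\n"
ALLOWLIST = frozenset({"com.example.passwordmanager"})  # hypothetical approved apps

if __name__ == "__main__":
    for pkg, cls in flag_services(SAMPLE_SETTING, SAMPLE_PM, ALLOWLIST):
        print(f"review: {pkg} holds accessibility service {cls}")
```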
