First AI-Powered Android Malware Found
ESET researchers have discovered "PromptSpy," the first known Android malware to abuse generative AI in its execution. The malware uses prompts to an AI model, specifically Google's Gemini, to guide malicious user interface manipulation. This technique allows it to capture lockscreen data and achieve persistence on an infected device.
- The malware's primary goal is to install a Virtual Network Computing (VNC) module, giving attackers the ability to remotely view and control the infected device's screen.
- This is the second AI-utilizing malware strain discovered by ESET Research; the first was "PromptLock," an AI-driven ransomware identified in August 2025.
- Evidence such as language localization and distribution methods suggests the campaign is financially motivated and primarily targets banking users in Argentina.
- PromptSpy has not yet been detected in ESET's telemetry from active devices, indicating the malware may still be a proof-of-concept rather than a widespread, active threat.
- To work across different Android devices and OS versions, the malware sends an XML layout of the screen to the AI, which returns precise gesture instructions in JSON format to manipulate the user interface.
- The malware's code contains debug strings in simplified Chinese, leading researchers to a medium-confidence conclusion that the developers are from a Chinese-speaking background.
- Beyond its AI-powered persistence, PromptSpy uses accessibility services to create invisible overlays that block users from uninstalling the malicious application.
- The discovery coincides with a broader increase in mobile threats, as security firm Kaspersky reported the volume of detected Android malware grew by nearly half in 2025.
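The XML-in, JSON-gestures-out loop described above is what makes the technique device-agnostic: the screen dump carries every element's label and pixel bounds, so the responder only needs to name a target and the caller can derive a tap. The following is an added illustration, not PromptSpy's code or ESET's analysis. It uses the standard `uiautomator dump` XML format, but the two screen dumps, resource-ids, coordinates and the JSON gesture schema are all constructed assumptions. It shows the deterministic part of the loop (resolve a label to a tap in one layout, then in a differently laid-out OEM variant) and adds the check a consumer of model-generated gestures would want: validating that the returned coordinates actually lie on the screen described by the hierarchy, since a model can hallucinate coordinates.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample dumps in uiautomator XML format (the format produced by
# `adb shell uiautomator dump`). Screens, ids and bounds are invented for this
# illustration; they are not artefacts from the malware described above.
SETTINGS_AOSP = """<hierarchy rotation="0">
  <node index="0" text="" resource-id="" class="android.widget.FrameLayout" package="com.android.settings" clickable="false" bounds="[0,0][1080,2400]">
    <node index="0" text="App info" resource-id="android:id/title" class="android.widget.TextView" package="com.android.settings" clickable="false" bounds="[120,160][600,240]" />
    <node index="1" text="Uninstall" resource-id="com.android.settings:id/button2" class="android.widget.Button" package="com.android.settings" clickable="true" bounds="[80,900][520,1020]" />
    <node index="2" text="Force stop" resource-id="com.android.settings:id/button3" class="android.widget.Button" package="com.android.settings" clickable="true" bounds="[560,900][1000,1020]" />
  </node>
</hierarchy>"""

# Same logical screen on a hypothetical OEM build: different ids, casing and positions.
SETTINGS_OEM = """<hierarchy rotation="0">
  <node index="0" text="" resource-id="" class="android.widget.FrameLayout" package="com.oem.settings" clickable="false" bounds="[0,0][1080,2400]">
    <node index="0" text="Application details" resource-id="com.oem.settings:id/header" class="android.widget.TextView" package="com.oem.settings" clickable="false" bounds="[40,120][1040,220]" />
    <node index="1" text="UNINSTALL" resource-id="com.oem.settings:id/uninstall_btn" class="android.widget.Button" package="com.oem.settings" clickable="true" bounds="[60,1840][1020,1960]" />
  </node>
</hierarchy>"""

BOUNDS_RE = re.compile(r"\[(\d+),(\d+)\]\[(\d+),(\d+)\]")


def parse_bounds(bounds):
    """Turn a uiautomator bounds string '[x1,y1][x2,y2]' into four ints."""
    m = BOUNDS_RE.fullmatch(bounds or "")
    if not m:
        raise ValueError(f"malformed bounds attribute: {bounds!r}")
    return tuple(int(v) for v in m.groups())


def find_clickable(xml_dump, label):
    """Return the first clickable node whose text or content-desc matches label (case-insensitive)."""
    root = ET.fromstring(xml_dump)
    wanted = label.casefold()
    for node in root.iter("node"):
        text = (node.get("text") or node.get("content-desc") or "").casefold()
        if text == wanted and node.get("clickable") == "true":
            return node
    return None


def plan_tap(xml_dump, label):
    """Resolve a target label to a tap gesture at the element's centre.

    The JSON-like dict returned here is an assumed schema for illustration,
    not the format used by any real sample.
    """
    node = find_clickable(xml_dump, label)
    if node is None:
        return {"action": "none", "reason": f"no clickable element labelled {label!r}"}
    x1, y1, x2, y2 = parse_bounds(node.get("bounds"))
    return {
        "action": "tap",
        "x": (x1 + x2) // 2,
        "y": (y1 + y2) // 2,
        "resource_id": node.get("resource-id", ""),
    }


def validate_gesture(plan, xml_dump):
    """Reject a tap whose coordinates fall outside the root node's bounds.

    A consumer of model-generated gestures should never trust coordinates it
    cannot reconcile with the hierarchy it sent.
    """
    if plan.get("action") != "tap":
        return False
    root_node = ET.fromstring(xml_dump).find("node")
    if root_node is None:
        return False
    x1, y1, x2, y2 = parse_bounds(root_node.get("bounds"))
    return x1 <= plan["x"] < x2 and y1 <= plan["y"] < y2


def gesture_json(plan):
    """Serialise a plan to the JSON string a gesture executor would consume."""
    return json.dumps(plan, sort_keys=True)


if __name__ == "__main__":
    for name, dump in (("AOSP", SETTINGS_AOSP), ("OEM", SETTINGS_OEM)):
        plan = plan_tap(dump, "uninstall")
        print(name, gesture_json(plan), "valid:", validate_gesture(plan, dump))
    print(gesture_json(plan_tap(SETTINGS_AOSP, "Clear data")))
```

The same label resolves to different coordinates and resource-ids on the two layouts without any per-device logic, which is the portability the XML-to-JSON loop buys an attacker. On the defensive side, the same property cuts the other way: an accessibility service that repeatedly dumps the window hierarchy and synthesises taps on system Settings screens is observable behaviour, regardless of which model produced the gestures.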