First Android Malware Using Generative AI Discovered

- The malware's primary function is to deploy a Virtual Network Computing (VNC) module, giving attackers remote control to see the screen and perform actions on the compromised device. The generative AI component is a secondary but crucial feature for ensuring the malware's persistence. - To achieve persistence, PromptSpy sends an XML dump of the device's current screen to a hardcoded Gemini model and asks it to identify how to "pin" the malicious app in the recent apps list. The AI returns JSON instructions telling the malware where to tap, making it adaptable to various Android layouts and OS versions. - While this is the first instance of generative AI used in an *Android* threat, ESET previously discovered "PromptLock" in August 2025, which was the first known case of AI-driven ransomware. However, PromptLock was later revealed to be a research project by a team at New York University. - Samples of PromptSpy were first uploaded to VirusTotal in February 2026 from Argentina, and analysis of the code suggests development by Chinese speakers for financially motivated cybercrime. The malware was not found on the Google Play Store and likely spreads through phishing sites imitating brands like Chase Bank. - Beyond its AI-driven persistence, PromptSpy abuses Android's Accessibility Service to carry out its malicious activities. Its capabilities include intercepting lockscreen PINs, recording screen activity and user gestures, taking screenshots, and exfiltrating lists of installed applications. - To prevent removal, the malware overlays transparent UI elements on top of "Force Stop" or "Uninstall" buttons, effectively blocking user taps. The only way to remove it is to reboot the device into Safe Mode, where third-party apps are disabled. - Although a likely distribution domain was discovered, ESET researchers have not yet observed PromptSpy in their telemetry, suggesting the malware may still be a proof-of-concept rather than part of a widespread campaign.