Researchers Discover First Android Malware Using GenAI

ESET researchers have discovered an Android malware family named PromptSpy, the first known Android threat to use generative AI while it runs. The malware abuses Google's Gemini model to guide its manipulation of the user interface on an infected device, which lets it capture lockscreen data and stay resident.

- The malware, discovered by ESET researcher Lukáš Štefanko, uses Google's Gemini model to overcome Android UI fragmentation. It sends an XML dump of the device's screen to Gemini with a natural language prompt, and the AI returns JSON instructions for on-screen gestures that keep the app pinned in the "recent apps" list, thus ensuring its persistence.
- PromptSpy's primary goal is to deploy a Virtual Network Computing (VNC) module, giving attackers remote control over the infected device. Its capabilities include intercepting lockscreen PINs, recording the unlock pattern as a video, capturing screenshots, and recording user gestures.
- The use of AI is a small but crucial part of the malware; the AI model and prompts are hardcoded and cannot be changed by the command-and-control server. The technique lets the malware adapt to varying device layouts and OS versions, a common challenge for Android malware, which typically relies on fixed coordinates or UI selectors.
- Evidence suggests the malware was developed by Chinese speakers for financially motivated cybercriminals, with distribution domains found imitating a Chase Bank website and targeting users in Argentina. The malware, an advanced version of a prior family called VNCSpy, is distributed via a dedicated website and has not been found on the Google Play Store.
- To prevent its removal, PromptSpy abuses Android's Accessibility Services to place transparent overlays on screen elements, blocking uninstallation attempts. The only way to remove it is to reboot the device into safe mode, where third-party apps are disabled.
- While a first for Android, this is the second AI-related malware ESET has found, following "PromptLock" in 2025. PromptLock, a ransomware proof-of-concept, was later revealed to be a research project created by students at New York University.
- PromptSpy has not yet been detected in ESET's telemetry, suggesting it may still be a proof-of-concept rather than being used in active, widespread attacks. As an App Defense Alliance partner, ESET shared its findings with Google, and Google Play Protect now automatically protects against known versions of the malware.
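The first and third bullets describe a loop that is worth seeing concretely: an accessibility dump of the screen is flattened into a prompt, the model answers with a gesture in JSON, and the client resolves that answer against the live UI tree instead of tapping fixed coordinates. The following Python is an added example written for this page, not PromptSpy's code and not taken from ESET's analysis. The two XML dumps are constructed in the uiautomator format, the model is replaced by a local stand-in because nothing here talks to Gemini, and the JSON reply schema is an assumption chosen for the demo. The example goes slightly beyond the text by showing the same goal resolved on two different layouts, which is the point of the technique, and by rejecting replies that name a node that does not exist or is not clickable.

```python
"""Screen-dump -> prompt -> JSON gesture loop, as an illustration.

Added example, not PromptSpy's code. Dumps, schema and the model stand-in are all
constructed/assumed for this demo.
"""
import json
import re
import xml.etree.ElementTree as ET

# Constructed uiautomator-style dump of a phone's "recent apps" screen.
SAMPLE_DUMP_PHONE = """<hierarchy rotation="0">
  <node class="android.widget.FrameLayout" package="com.android.systemui" bounds="[0,0][1080,2400]" clickable="false" text="" resource-id=""/>
  <node class="android.widget.TextView" package="com.android.systemui" bounds="[120,300][960,380]" clickable="false" text="Recent apps" resource-id=""/>
  <node class="android.widget.ImageView" package="com.android.systemui" bounds="[900,420][1040,560]" clickable="true" text="" content-desc="Settings" resource-id="com.android.systemui:id/task_icon"/>
  <node class="android.widget.Button" package="com.android.systemui" bounds="[400,2100][680,2220]" clickable="true" text="Pin" resource-id="com.android.systemui:id/pin_task"/>
</hierarchy>"""

# Same goal, different (constructed) tablet layout: the Pin control moved and a
# non-clickable label now also contains the word "pin".
SAMPLE_DUMP_TABLET = """<hierarchy rotation="1">
  <node class="android.widget.FrameLayout" package="com.android.systemui" bounds="[0,0][2560,1600]" clickable="false" text="" resource-id=""/>
  <node class="android.widget.TextView" package="com.android.systemui" bounds="[200,100][800,160]" clickable="false" text="Pinned apps" resource-id=""/>
  <node class="android.widget.Button" package="com.android.systemui" bounds="[1500,1300][1800,1400]" clickable="true" text="Pin" resource-id="com.android.systemui:id/pin_task"/>
</hierarchy>"""

BOUNDS_RE = re.compile(r"\[(\d+),(\d+)\]\[(\d+),(\d+)\]")


def parse_dump(xml_text):
    """Flatten a uiautomator-style dump into numbered nodes the model can cite."""
    nodes = []
    for el in ET.fromstring(xml_text).iter("node"):
        m = BOUNDS_RE.fullmatch(el.get("bounds", ""))
        if not m:
            continue  # skip nodes without usable geometry
        nodes.append({
            "id": len(nodes),
            "cls": el.get("class", "").rsplit(".", 1)[-1],
            "label": el.get("text") or el.get("content-desc") or "",
            "rid": el.get("resource-id", ""),
            "clickable": el.get("clickable") == "true",
            "bounds": tuple(map(int, m.groups())),
        })
    return nodes


def build_prompt(nodes, goal):
    """Natural-language task plus a compact screen listing (assumed prompt format)."""
    lines = [
        f"Task: {goal}",
        'Answer only with JSON like {"action": "tap", "target": <node id>} '
        'or {"action": "done"}.',
        "Screen nodes:",
    ]
    for n in nodes:
        lines.append(
            f'{n["id"]}: {n["cls"]} "{n["label"]}" rid={n["rid"] or "-"} '
            f'clickable={n["clickable"]} bounds={list(n["bounds"])}'
        )
    return "\n".join(lines)


def model_stub(prompt):
    """Stand-in for the remote LLM call (assumption: no network in this example).
    Returns the first clickable node whose listing mentions 'pin', else 'done'."""
    for line in prompt.splitlines():
        m = re.match(r"(\d+): ", line)
        if m and "clickable=True" in line and "pin" in line.lower():
            return json.dumps({"action": "tap", "target": int(m.group(1))})
    return json.dumps({"action": "done"})


def resolve_action(reply, nodes):
    """Validate the model's JSON against the live tree and turn it into coordinates.
    A hallucinated, out-of-range or non-clickable target is rejected, not tapped."""
    try:
        data = json.loads(reply)
    except json.JSONDecodeError as exc:
        raise ValueError(f"model reply is not JSON: {exc}")
    action = data.get("action")
    if action == "done":
        return ("done",)
    if action != "tap":
        raise ValueError(f"unsupported action {action!r}")
    target = data.get("target")
    if not isinstance(target, int) or not 0 <= target < len(nodes):
        raise ValueError(f"target {target!r} is not a node id on this screen")
    node = nodes[target]
    if not node["clickable"]:
        raise ValueError(f"node {target} ({node['cls']}) is not clickable")
    x1, y1, x2, y2 = node["bounds"]
    return ("tap", (x1 + x2) // 2, (y1 + y2) // 2)  # tap the centre of the node


def plan_next_gesture(xml_dump, goal, ask_model=model_stub):
    """One iteration of the loop: dump -> prompt -> model -> validated gesture."""
    nodes = parse_dump(xml_dump)
    return resolve_action(ask_model(build_prompt(nodes, goal)), nodes)


if __name__ == "__main__":
    goal = "Pin this app in the recent apps list"
    print(plan_next_gesture(SAMPLE_DUMP_PHONE, goal))   # tap at the phone's Pin button
    print(plan_next_gesture(SAMPLE_DUMP_TABLET, goal))  # same goal, different coordinates
```

The coordinates come out of the current dump, so the same prompt and goal work on both layouts; a hard-coded tap at the phone's Pin button would miss on the tablet. The validation in `resolve_action` is the piece a defender should notice too: a client that executes whatever JSON comes back without checking it against the tree is easy to derail, whereas one that resolves targets through the accessibility tree behaves like any other accessibility-driven automation, which is what makes this pattern hard to distinguish from legitimate assistive apps by behaviour alone.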

Shared from Scout.