Android Malware 'PromptSpy' Abuses Generative AI
ESET researchers have discovered PromptSpy, the first known Android malware to abuse generative AI in its execution. The malware uses prompts to a model, specifically Google's Gemini, to guide malicious user interface manipulation, capture lockscreen data, and achieve persistence on the device.
- The malware leverages Google's Gemini to achieve persistence by generating step-by-step instructions to "lock" the malicious app in the recent apps list, preventing it from being easily closed. It does this by sending an XML dump of the current screen to the AI, which then returns JSON instructions for the malware to perform taps and other UI interactions.
- While the use of generative AI for persistence is novel, the malware's other malicious capabilities are more traditional. These include capturing lockscreen data, recording screen activity, taking screenshots, and using a VNC module to give attackers remote access to the device.
- To prevent removal, PromptSpy abuses Android's Accessibility Services to create invisible overlays on the screen that block uninstallation attempts. The only way for a user to remove the malware is by rebooting the device into Safe Mode.
- This is the second AI-related malware found by ESET Research, following their discovery of "PromptLock," an AI-driven ransomware, in August 2025.
- The campaign appears to be financially motivated and specifically targets users in Argentina, with the malicious app impersonating the Morgan Chase bank under the name "MorganArg".
- Currently, PromptSpy has not been detected in the wild by ESET's telemetry, which suggests it may only be a proof-of-concept at this stage.
- Google has noted other instances of malware abusing its AI, such as the "HONESTCUE" framework, which uses the Gemini API to generate and execute second-stage malware code in memory.
- Broader misuse of Gemini by state-backed threat actors from China, Iran, North Korea, and Russia has been observed for tasks like reconnaissance, generating phishing lures, and accelerating tool development.
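The screen-dump-to-AI loop described above leaves a network-side signal a defender can look for: an app posting a uiautomator-style XML hierarchy to a generative-AI API. The Python below is an added example (not ESET's code and not taken from the PromptSpy analysis) that scans constructed egress-proxy log records for that pattern; the Gemini host, the log record format and the package names are all assumptions.

```python
import json
import re

# Assumed: the host of Gemini's REST API. The page does not describe PromptSpy's
# transport, so treat this set as a tunable assumption, not a known indicator.
GENAI_API_HOSTS = {"generativelanguage.googleapis.com"}

# A uiautomator-style screen dump: a <hierarchy> root with <node> elements carrying
# screen coordinates as bounds="[x1,y1][x2,y2]". The optional backslash also matches
# a dump that has been embedded, JSON-escaped, inside a prompt string.
UI_DUMP_RE = re.compile(
    r'<hierarchy\b.*?<node\b[^>]*\bbounds=\\?"\[\d+,\d+\]\[\d+,\d+\]', re.DOTALL
)


def find_ui_dump_exfil(log_lines):
    """Flag apps that POST a screen hierarchy dump to a generative-AI API host.

    Each line is a JSON record with app, host, method and body (an assumed
    egress-proxy format). Malformed lines are skipped rather than raising.
    """
    findings = []
    for raw in log_lines:
        try:
            rec = json.loads(raw)
            host = str(rec["host"]).lower()
        except (ValueError, KeyError, TypeError):  # bad JSON, not an object, no host
            continue
        if host not in GENAI_API_HOSTS or rec.get("method") != "POST":
            continue
        if UI_DUMP_RE.search(str(rec.get("body", ""))):
            findings.append({"app": rec.get("app"), "host": host,
                             "reason": "screen hierarchy dump sent to generative-AI API"})
    return findings


# Constructed sample records; package names and bodies are invented for this example.
_DUMP = ('<hierarchy rotation="0"><node index="0" text="Uninstall" '
         'class="android.widget.Button" bounds="[0,1200][540,1300]"/></hierarchy>')
SAMPLE_RECORDS = [
    {"app": "com.example.morganarg", "host": "generativelanguage.googleapis.com",
     "method": "POST", "body": _DUMP},  # raw dump as the request body
    {"app": "com.example.morganarg", "host": "generativelanguage.googleapis.com",
     "method": "POST", "body": json.dumps({"contents": [{"parts": [{"text": _DUMP}]}]})},
    {"app": "com.example.notes", "host": "generativelanguage.googleapis.com",
     "method": "POST", "body": json.dumps({"contents": [{"parts": [{"text": "hi"}]}]})},
    {"app": "com.example.weather", "host": "api.weather.example", "method": "GET", "body": ""},
]
SAMPLE_LOG = [json.dumps(r) for r in SAMPLE_RECORDS]
```

Only the two records from the impersonating app are flagged: a benign prompt to the same host and ordinary traffic to other hosts pass through, and the second hit shows the dump is still caught when wrapped inside a JSON prompt.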