AI-Powered Android Malware 'PromptSpy' Discovered
ESET researchers have discovered PromptSpy, the first known Android malware to use generative AI in its execution flow. The malware reportedly abuses Google’s Gemini model to guide malicious user interface manipulations and achieve persistence on infected devices. This development is sparking concern over the use of AI as a tool for more sophisticated cyberattacks.
- The malware's primary function is to deploy a Virtual Network Computing (VNC) module, giving attackers remote access to view the device's screen and perform actions. Other capabilities include capturing lockscreen data, recording screen activity as video, taking screenshots, and blocking uninstallation attempts with invisible overlays. - To achieve persistence, PromptSpy sends a natural-language prompt and an XML dump of the current screen to Google's Gemini model. The AI analyzes the UI elements and returns JSON instructions telling the malware where to tap or swipe to "lock" the app in the recent apps list, preventing it from being easily closed. - The malware communicates with a hardcoded command-and-control server using AES encryption over the VNC protocol. Through this channel, it can receive a Gemini API key and exfiltrate data like the list of installed apps or captured lockscreen credentials. - Distribution was not through the Google Play Store but via a dedicated website impersonating a login portal for JPMorgan Chase Bank in Argentina. This, along with language localization clues, suggests a financially motivated campaign targeting users in that region. - ESET researchers noted that while no active infections have been detected through their telemetry, suggesting it might be a proof-of-concept, the existence of dedicated distribution infrastructure points to real-world deployment intent. - This is the second major AI-powered malware discovered by ESET, following the AI-driven ransomware "PromptLock" found in August 2025. - Evidence such as debug strings and code written in simplified Chinese suggests the malware was developed in a Chinese-speaking environment. Earlier, less advanced versions of the malware, dubbed VNCSpy, were uploaded to VirusTotal from Hong Kong in January 2026 before more advanced samples appeared from Argentina in February 2026. - Due to its method of blocking uninstallation, the only way for a user to remove PromptSpy is to reboot the device into Safe Mode, which disables third-party apps. Google Play Protect now automatically protects Android users from known versions of this malware.
