New Malware Uses Generative AI for Attacks
Security researchers at ESET have discovered the first known Android malware that uses generative AI to execute its attacks. Dubbed "PromptSpy," the threat abuses Google's Gemini AI model to guide malicious UI manipulation on an infected device. The malware can reportedly capture lockscreen data and block uninstallation attempts.
- PromptSpy's primary function is to deploy a Virtual Network Computing (VNC) module, which gives attackers remote access to view the screen and control the infected device. This access allows for the theft of lockscreen PINs, passwords, and pattern unlock data, as well as the ability to record screen activity.
- The malware uses Google's Gemini AI to overcome UI fragmentation across different Android devices and versions. It sends an XML dump of the current screen to the AI, which then returns JSON-formatted instructions for the malware to execute, such as where to tap to keep the app pinned in the recent apps list.
- Distribution of PromptSpy was traced to a phishing website impersonating the JPMorgan Chase bank in Argentina, suggesting a financially motivated campaign targeting users in that region. The malware, named "MorganArg," was not found on the official Google Play Store.
- To prevent removal, PromptSpy abuses Android's Accessibility Services to place invisible overlays on top of "Uninstall" and "Force Stop" buttons, blocking user taps. The only effective way to remove the malware is to reboot the device into Safe Mode.
- While PromptSpy is the first Android malware to use generative AI, ESET researchers previously discovered an AI-powered ransomware for desktops called PromptLock in August 2025. PromptLock used a local AI model to autonomously decide which files to encrypt or exfiltrate.
- Security researchers note that while the AI component in PromptSpy is currently used for a minor function (persistence), it demonstrates how AI can make malware more dynamic and adaptable. This could significantly expand the potential pool of victims by allowing malware to navigate any device layout automatically.
- Debug strings in the code were in simplified Chinese, and the code handled Chinese Accessibility event types, leading ESET to state with medium confidence that the developers are from a Chinese-speaking background.
- The malware communicates with a hardcoded command-and-control server located at the IP address 54.67.2[.]84, sending and receiving data using the VNC protocol encrypted with AES.
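
A defender-side triage check for the two traits described above (sideloaded distribution and reliance on Accessibility Services), as an added example that is not from ESET's report: it cross-references the output of `adb shell settings get secure enabled_accessibility_services` with `adb shell pm list packages -i` and lists enabled accessibility services whose package was not installed by Google Play. The package names and sample outputs are constructed, and treating only `com.android.vending` as a trusted installer is an assumption.

```python
import re

# Assumption: only Google Play counts as a trusted installer; extend for managed fleets.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_enabled_services(value):
    """Parse `settings get secure enabled_accessibility_services` output into
    (package, class) pairs. The value is a colon-separated list of
    package/class component names; "null" or empty means none are enabled."""
    value = value.strip()
    if not value or value == "null":
        return []
    services = []
    for item in value.split(":"):
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):  # short form: class name relative to the package
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_installers(pm_output):
    """Parse `pm list packages -i` lines into {package: installer or None}."""
    installers = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", pm_output, re.M):
        installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers


def flag_sideloaded_accessibility(setting_value, pm_output):
    """Return enabled accessibility services whose package lacks a trusted installer."""
    installers = parse_installers(pm_output)
    return [(pkg, cls) for pkg, cls in parse_enabled_services(setting_value)
            if installers.get(pkg) not in TRUSTED_INSTALLERS]


# Constructed sample outputs (com.example.sideloaded is a placeholder package name).
SAMPLE_SETTING = ("com.google.android.marvin.talkback/"
                  "com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.sideloaded/.HelperService")
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.sideloaded  installer=null
"""

if __name__ == "__main__":
    for pkg, cls in flag_sideloaded_accessibility(SAMPLE_SETTING, SAMPLE_PM):
        print(f"review: {pkg} ({cls})")
```

Preinstalled system packages can also report no installer, so hits are items to review rather than verdicts.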