First Generative AI-Powered Android Malware Found

ESET researchers discovered PromptSpy, the first known Android malware to use generative AI in its execution flow. The malware reportedly abuses Google's Gemini model to work out how to manipulate the device's user interface and achieve persistence on the infected phone. ESET reports this as the first observed instance of generative AI being used in this way on Android; the malware then goes on to capture data, including lockscreen credentials.

- The malware sends an XML dump of the current screen's UI elements (text, element type, and position) to Google's Gemini model. Gemini returns JSON instructions telling the malware where to tap or swipe so that the app gets "locked" in the recent-apps list, which makes it harder for the user to close.
- Because the model reads the actual screen rather than following a hardcoded script, this UI navigation adapts to different devices, screen layouts, and Android versions, widening the range of targets compared with malware that relies on fixed coordinates or element IDs.
- The AI is used only for persistence. PromptSpy's primary payload is a Virtual Network Computing (VNC) module that lets the operator view the infected device's screen and tap and type on it remotely, as if holding the phone.
- Beyond screen control, the malware abuses Android's Accessibility Services to carry out its actions, capture lockscreen PINs or passwords, record the screen to steal unlock patterns, and block uninstallation by placing invisible overlays over the relevant buttons.
- It is the second AI-powered malware ESET Research has reported, after the AI-driven ransomware "PromptLock" found in August 2025.
- Evidence suggests a financially motivated campaign aimed mainly at users in Argentina: the sample impersonates the Morgan Chase bank under the app name "MorganArg".
- ESET has not yet seen PromptSpy in the wild, so it may be a proof of concept. Google has been informed, and Android devices with Google Play Services are protected by Google Play Protect.
- To remove the malware, reboot the device into Safe Mode. Safe Mode prevents third-party apps from running, so the invisible overlays that block the uninstall button are no longer drawn and the app can be uninstalled normally.
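The capability set described above (an accessibility service, overlay permission, network access, and a call out to Gemini) is something an analyst can triage statically before running a sample. The script below is an added example, not ESET's tooling and not PromptSpy's code: it parses a decoded AndroidManifest.xml for that combination and scans an app's extracted strings for the public Gemini API host. The manifests and the strings blob are constructed samples, and the Gemini host name is an assumption, since the article does not say how PromptSpy reaches the model.

```python
"""Static triage for a PromptSpy-style capability set (added example, not ESET's code)."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumption: the public Gemini API host. The article does not state how PromptSpy talks to Gemini.
GEMINI_HOST_RE = re.compile(rb"generativelanguage\.googleapis\.com")

# Constructed sample: a manifest with the suspicious combination. Not a real app.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Sample Bank">
    <service android:name=".UiService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed sample: an ordinary app that only needs network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>
"""

# Constructed strings blob, in the shape `strings` on classes.dex or a native library would yield.
SUSPICIOUS_STRINGS = b"okhttp3\x00https://generativelanguage.googleapis.com/\x00tap\x00swipe"


def manifest_indicators(manifest_xml: str) -> dict:
    """Return which of the three manifest-level capabilities are declared."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # The system only binds an accessibility service that is guarded by
    # BIND_ACCESSIBILITY_SERVICE and filters the AccessibilityService action.
    accessibility = any(
        s.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        and any(
            a.get(ANDROID_NS + "name") == "android.accessibilityservice.AccessibilityService"
            for a in s.iter("action")
        )
        for s in root.iter("service")
    )
    return {
        "accessibility_service": accessibility,
        "overlay": "android.permission.SYSTEM_ALERT_WINDOW" in perms,
        "internet": "android.permission.INTERNET" in perms,
    }


def triage(manifest_xml: str, strings_blob: bytes) -> list[str]:
    """List the reasons a sample deserves manual analysis; an empty list means none found."""
    m = manifest_indicators(manifest_xml)
    hits = []
    if m["accessibility_service"]:
        hits.append("accessibility service: can read on-screen text and inject taps")
    if m["overlay"]:
        hits.append("SYSTEM_ALERT_WINDOW: can draw invisible overlays over Settings buttons")
    if m["accessibility_service"] and m["overlay"]:
        hits.append("accessibility + overlay: the uninstall-blocking pattern")
    if m["internet"] and GEMINI_HOST_RE.search(strings_blob):
        hits.append("Gemini API host string: possible LLM-driven UI navigation")
    return hits


if __name__ == "__main__":
    print("suspicious:", triage(SUSPICIOUS_MANIFEST, SUSPICIOUS_STRINGS))
    print("benign:", triage(BENIGN_MANIFEST, b""))
```

The manifest inside an APK is binary XML, so decode it first (apktool or androguard) and feed the decoded text to `manifest_indicators`. Treat the output as a reason to look closer, not a verdict: screen readers, password managers and automation tools legitimately declare accessibility services and overlays, and plenty of benign apps call Gemini, so the host-string check is the weakest of the four signals.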


Shared from Scout.