First Android Malware Using Generative AI Discovered
ESET researchers have discovered "PromptSpy," the first known Android malware to use generative AI in its execution flow. The malware reportedly abuses Google’s Gemini model to guide malicious UI manipulation, allowing it to achieve persistence and capture lockscreen data. This marks the first observed instance of generative AI being deployed by attackers in this manner on the Android platform.
- PromptSpy's primary innovation is its use of generative AI to overcome Android UI fragmentation. It sends an XML dump of the current screen to Google's Gemini, which then returns JSON-formatted instructions for the malware to execute taps and swipes, allowing it to achieve persistence by "locking" itself in the recent apps list on a wide variety of devices and OS versions.
- While PromptSpy uses AI for persistence, its main payload is a Virtual Network Computing (VNC) module that gives attackers remote access to the device. This allows for a range of malicious activities, including capturing lockscreen data, recording screen activity, taking screenshots, and blocking uninstallation attempts with invisible overlays.
- The malware was distributed via a dropper application named "MorganArg," impersonating the JPMorgan Chase bank, likely targeting users in Argentina. This dropper would request permission to install apps from unknown sources to deploy the PromptSpy payload.
- This is not the first instance of AI being used in malware; ESET previously identified "PromptLock" ransomware in August 2025. Additionally, Google's Threat Intelligence Group reported on other AI-utilizing malware like FruitShell and PromptSteal in November 2025.
- For the insurtech sector, this type of AI-driven malware poses a significant threat to API-centric backend systems that handle sensitive policyholder data. Compromised mobile devices could be used to exploit APIs for claims automation, underwriting, and policy management, leading to fraudulent claims, data breaches, and manipulation of risk assessment data.
- The architecture of PromptSpy, which essentially uses an LLM as an agent to interpret a device's state and recommend actions, mirrors legitimate multi-agent system designs. This highlights a dual-use challenge where orchestration frameworks like LangChain or Microsoft's Agent Framework, designed for productive AI applications, could have their principles adapted for malicious ends, such as coordinating attacks across multiple compromised devices.
- To defend against such threats, backend API platforms in the insurance industry must implement robust security measures beyond simple authentication. This includes employing device attestation to verify the integrity of the connecting mobile device, utilizing OAuth 2.0 for token-based access, and monitoring for anomalous API usage patterns that could indicate a compromised client.
- Removal of PromptSpy is complicated because it uses Accessibility Services to create invisible overlays that block users from tapping "uninstall" or "force stop" buttons. The only effective way to remove the malware is to reboot the device into Safe Mode, which disables third-party apps, allowing for normal uninstallation.
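
The Accessibility Services abuse and sideloaded delivery described above lend themselves to a device-side triage check. The following is an added example, not taken from ESET's research or from the original page: it cross-references the output of `adb shell settings get secure enabled_accessibility_services` with `adb shell pm list packages -3 -i` to flag third-party apps that hold an accessibility service, ranking those not installed by a trusted store first. The sample strings, the `com.example.*` package names and the trusted-installer list are constructed assumptions.

```python
import re

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: adjust per fleet

# Constructed sample inputs (not taken from any real device or from the report).
SAMPLE_SETTING = ("com.google.android.marvin.talkback/.TalkBackService:"
                  "com.example.passmgr/com.example.passmgr.A11yFill:"
                  "com.example.updater/.CoreService")
SAMPLE_PM = ("package:com.example.passmgr  installer=com.android.vending\n"
             "package:com.example.updater  installer=null\n")

def parse_accessibility(setting):
    """Map package -> enabled service classes from the colon-separated setting."""
    services = {}
    if setting.strip() in ("", "null"):  # nothing enabled
        return services
    for component in setting.strip().split(":"):
        pkg, _, cls = component.partition("/")
        if cls.startswith("."):          # shorthand: class relative to package
            cls = pkg + cls
        services.setdefault(pkg, []).append(cls)
    return services

def parse_installers(pm_output):
    """Map third-party package -> installer (None if no installer is recorded)."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)(?:\s+installer=(\S+))?", line.strip())
        if m:
            inst = m.group(2)
            installers[m.group(1)] = None if inst in (None, "null") else inst
    return installers

def flag_services(setting, pm_output):
    """Findings for third-party apps with an enabled accessibility service."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, classes in parse_accessibility(setting).items():
        if pkg not in installers:        # preinstalled/system package: skip
            continue
        sideloaded = installers[pkg] not in TRUSTED_INSTALLERS
        findings.append({"package": pkg, "services": classes,
                         "installer": installers[pkg],
                         "severity": "high" if sideloaded else "review"})
    return sorted(findings, key=lambda f: f["severity"])  # "high" sorts first

if __name__ == "__main__":
    for finding in flag_services(SAMPLE_SETTING, SAMPLE_PM):
        print(finding)
```

A "high" finding is a triage signal, not a verdict: legitimate sideloaded accessibility tools exist, so each flagged package still needs review.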