First GenAI-Powered Android Malware Discovered
Cybersecurity firm ESET has discovered the first known Android malware to use generative AI in its operations. Dubbed "PromptSpy," the threat queries Google's Gemini model to guide malicious user-interface manipulation and to achieve persistence on infected devices. The malware can capture lockscreen data and block attempts to uninstall it.
- PromptSpy uses Gemini to achieve persistence: it sends the model a description of the device's current user interface and receives step-by-step instructions for pinning the malicious app in the recent-apps list, so the app is not easily closed. Delegating the UI navigation to the model makes the malware more adaptable across Android devices, launcher layouts, and OS versions.
- Its primary goal is to deploy a virtual network computing (VNC) module that gives the attackers remote access to the infected device, allowing them to capture screenshots, record screen activity, and gather device information.
- To resist removal, the malware abuses Android's Accessibility Services to draw invisible overlays that block taps on the "Uninstall" and "Force stop" buttons. ESET reports that the only way to remove PromptSpy from the device itself is to reboot into Safe Mode, which disables third-party apps.
- While this is the first known Android malware to use generative AI, ESET previously reported an AI-driven ransomware called PromptLock in August 2025. PromptLock was later revealed to be a research project from New York University.
- Other malware has been observed using generative AI for tasks such as evading detection, generating malicious commands, or producing phishing content. Google's Threat Intelligence Group has been tracking these developments since late 2025.
- Distribution of PromptSpy is currently limited and appears to be at a proof-of-concept stage; it has not been widely detected in ESET's telemetry. The malware is distributed through a dedicated website rather than the Google Play Store and masquerades as a JPMorgan Chase banking app for users in Argentina called "MorganArg".
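The overlay trick above only blocks the on-device Settings UI; it does not block adb. As an added triage example (not code from ESET's report), the script below parses the value of Android's `enabled_accessibility_services` secure setting, which is a colon-separated list of `package/ServiceClass` component names, and prints any enabled accessibility service whose package is not on an allowlist. The sample setting value and the `com.morganarg.app` package name are constructed for illustration and are not identifiers taken from the report.

```sh
#!/bin/sh
# Constructed sample of the Android secure setting "enabled_accessibility_services".
# Format: component names ("package/Service") separated by ':'.
# The second entry uses a made-up package name; it is not from the ESET report.
SAMPLE_A11Y='com.android.talkback/com.google.android.marvin.talkback.TalkBackService:com.morganarg.app/com.morganarg.app.A11yService'

# Packages whose accessibility services are expected on the device (extend per fleet).
ALLOWLIST='com.android.talkback com.google.android.marvin.talkback'

# Print each enabled accessibility service whose package is not allowlisted.
# Usage: unknown_a11y_services "$setting_value"
unknown_a11y_services() {
    value=$1
    printf '%s\n' "$value" | tr ':' '\n' | while IFS= read -r comp; do
        [ -n "$comp" ] || continue
        pkg=${comp%%/*}          # package name is the part before the '/'
        allowed=0
        for a in $ALLOWLIST; do
            [ "$pkg" = "$a" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s\n' "$comp"
        fi
    done
}

# Live check against a device with USB debugging enabled (requires adb on PATH).
# Because the check runs over adb, the malware's overlay cannot interfere with it.
check_device() {
    value=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    unknown_a11y_services "$value"
}

# Remove a package over adb for the primary user, bypassing the blocked Settings UI.
# Usage: uninstall_over_adb com.example.pkg
uninstall_over_adb() {
    adb shell pm uninstall --user 0 "$1"
}
```

Run `check_device` to list unexpected accessibility services, then pass the offending package name to `uninstall_over_adb`. Rebooting into Safe Mode, as the article notes, is the fallback when no debugging connection is available.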