First Generative AI-Powered Android Malware Found

Researchers at ESET have discovered "PromptSpy," the first known Android malware to use generative AI in its execution. The malware abuses Google's Gemini model to guide malicious UI manipulation, allowing it to capture lockscreen data and achieve persistence on the device.

- The core innovation of PromptSpy is its use of generative AI to overcome Android UI fragmentation. By sending an XML dump of the current screen to Google's Gemini, the malware receives dynamic, device-specific instructions for the gestures needed to "lock" itself in the recent apps list, so the persistence step works across different OEM layouts and OS versions without hard-coded coordinates.
- While the AI component is novel, its current role is limited to that single persistence task. The malware's primary payload is a Virtual Network Computing (VNC) module that gives attackers remote access to view the screen, record activity, capture lockscreen data, and block uninstallation attempts.
- This is the second AI-assisted malware strain discovered by ESET. In August 2025, the same research group found "PromptLock," a proof-of-concept ransomware that used a locally hosted AI model to autonomously generate the scripts used to identify and encrypt files.
- The malware has not been detected on the official Google Play Store and is distributed through dedicated websites. Evidence such as localization clues and branding impersonating Morgan Chase suggests the campaign is financially motivated and primarily targets users in Argentina.
- Researchers believe PromptSpy may be a proof of concept, as it has not yet appeared in ESET's wider telemetry from the wild. Google Play Protect is able to block known versions of the malware.
- The use of AI in malware is an emerging trend that lowers the barrier for attackers by automating the creation of polymorphic code and more convincing phishing campaigns. On the defensive side, security professionals are using generative AI to detect anomalies, simulate attacks to find vulnerabilities, and automate incident response.
- To remove PromptSpy, a user must reboot the device into Safe Mode. The malware abuses the Accessibility Service to draw invisible overlays that intercept taps on the uninstall and force-stop buttons; Safe Mode starts only system apps, so the third-party accessibility service and its overlays are never loaded and the app can be removed normally.
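The capability combination described above (an accessibility service plus the overlay permission plus network access) is what lets the malware block its own removal, and it is visible statically in an APK's manifest. The following triage script is an added example, not ESET's tooling or any code from PromptSpy: it parses a decoded AndroidManifest.xml (assumed to have been extracted with a tool such as apktool) and a list of strings from the APK, and flags that capability set together with any reference to the public Gemini API host. The manifest and string list are constructed for this example; the Gemini host is an assumption about where a Gemini API client would connect, not an indicator taken from the sample.

```python
"""Static triage heuristic for an Android APK (added example, constructed data)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest showing the capability set discussed in the text.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Bank">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed strings, as `strings` on classes.dex might produce them.
SAMPLE_STRINGS = [
    "https://generativelanguage.googleapis.com/v1beta/models/",
    "Describe the gesture needed to lock this app in recents",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
]

# Assumption: the Gemini REST API host; not an indicator taken from the sample.
GEMINI_HOSTS = ("generativelanguage.googleapis.com",)


def _attr(name):
    """ElementTree reports android:foo as {namespace}foo."""
    return "{%s}%s" % (ANDROID_NS, name)


def triage_manifest(xml_text):
    """Return the package name, the flagged capabilities and a coarse risk label."""
    root = ET.fromstring(xml_text)
    perms = {e.get(_attr("name")) for e in root.iter("uses-permission")}
    has_a11y = any(
        s.get(_attr("permission")) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for s in root.iter("service")
    )
    findings = []
    if has_a11y:
        findings.append("accessibility_service")
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        findings.append("overlay")
    if "android.permission.INTERNET" in perms:
        findings.append("network")
    # Accessibility + overlay is the pairing that can blind and block the user,
    # which is exactly why Safe Mode is needed to remove such an app.
    risk = "high" if {"accessibility_service", "overlay"} <= set(findings) else "low"
    return {"package": root.get("package"), "findings": findings, "risk": risk}


def scan_strings(lines):
    """Return the strings that reference a known LLM API host."""
    return [s for s in lines if any(h in s for h in GEMINI_HOSTS)]


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    print(scan_strings(SAMPLE_STRINGS))
```

A hit on `risk == "high"` alone is not proof of malice (legitimate accessibility tools request the same pair), so the script is meant as a first-pass filter that routes samples to dynamic analysis; the string scan adds the AI-specific signal that distinguishes this family's persistence logic from an ordinary overlay banker.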
