First AI-Powered Android Malware Discovered

ESET researchers have discovered "PromptSpy," the first known Android malware to use generative AI in its execution to achieve persistence on a device. The malware abuses Google's Gemini AI model to guide malicious user interface manipulation. The threat can reportedly capture lockscreen data and block attempts to uninstall it.

- The malware leverages Google's Gemini AI to interpret the device's user interface, allowing it to adapt its malicious actions to various Android versions, screen layouts, and device models. This makes it significantly more adaptable than traditional Android malware that relies on hardcoded screen coordinates, which can fail on different devices.
- PromptSpy's primary objective is to grant attackers full remote control of the infected device through a built-in Virtual Network Computing (VNC) module. This allows threat actors to see the screen in real time and perform actions as if they were holding the device.
- To execute its commands without user input, PromptSpy abuses Android's Accessibility Services. It also uses these services to prevent its own removal by placing invisible overlays on top of system buttons like "Uninstall" or "Disable".
- The malware is distributed through a dedicated website and has not been found on the Google Play Store. It masquerades as a JPMorgan Chase application for users in Argentina, with the dropper app named "MorganArg".
- ESET researchers have identified debug strings in simplified Chinese within the code, suggesting the malware may have been developed in a Chinese-speaking environment. The malware is considered an advanced version of a previously known Android malware called VNCSpy.
- Beyond its AI-driven persistence, PromptSpy can capture lockscreen PINs and passwords, and record pattern unlocks as video files. It can also take screenshots, record screen activity, and upload the list of installed apps to its command-and-control server.
- This is the second AI-powered malware discovered by ESET, following the AI-driven ransomware "PromptLock" found in August 2025. While the use of generative AI in PromptSpy is currently limited to achieving persistence, it signals a new evolution toward more dynamic and adaptable mobile threats.
- To remove PromptSpy, users must reboot their device into Safe Mode, which disables third-party apps and allows for uninstallation.
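The capabilities described above (an enabled accessibility service, an overlay permission, and sideloading from outside the Play Store) are all visible to an administrator over adb. The script below is an added triage example, not code from ESET or from PromptSpy, that parses the output of three standard adb commands (`settings get secure enabled_accessibility_services`, `appops get <pkg> SYSTEM_ALERT_WINDOW`, and `pm list packages -3 -i`) and reports third-party packages that hold an accessibility service, are not on an allowlist, and were not installed by the Play Store. The allowlist, the package name `com.example.dropper`, and the sample command output are constructed for the example; nothing here identifies PromptSpy by a specific package name, and a hit means "inspect", not "confirmed infection".

```shell
#!/bin/sh
# Added triage helper (not ESET's or PromptSpy's code). Reads the three data
# sources via adb on a live device, or runs offline on the constructed samples.

# Packages allowed to run an accessibility service (assumption: tune per fleet).
ALLOWED_A11Y="com.google.android.marvin.talkback com.android.settings"

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# Real output is a colon-separated list of <package>/<service class>.
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.dropper/.svc.AccessService'

# Constructed sample of `adb shell pm list packages -3 -i` (third-party apps with installer).
SAMPLE_PKGS='package:com.example.dropper  installer=null
package:com.whatsapp  installer=com.android.vending'

# Print one package name per line from the accessibility setting value in $1.
a11y_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | sed -e 's#/.*##' -e '/^$/d' | sort -u
}

# Return 0 if package $1 is on the allowlist.
is_allowed() {
    for p in $ALLOWED_A11Y; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Print packages with an enabled accessibility service that are not allowlisted.
suspicious_a11y() {
    a11y_packages "$1" | while read -r pkg; do
        is_allowed "$pkg" || printf '%s\n' "$pkg"
    done
}

# Given `appops get <pkg> SYSTEM_ALERT_WINDOW` output in $1, return 0 if the
# package may draw overlays (the capability used to cover "Uninstall"/"Disable").
overlay_allowed() {
    printf '%s\n' "$1" | grep -q 'SYSTEM_ALERT_WINDOW: allow'
}

# Print the installer of package $1 from `pm list packages -3 -i` output in $2,
# or "unknown" if the package is not listed.
installer_of() {
    inst=$(printf '%s\n' "$2" | sed -n "s/^package:$1  *installer=//p" | head -n1)
    printf '%s\n' "${inst:-unknown}"
}

# Combine the checks: suspicious accessibility service plus installer that is
# not the Play Store (com.android.vending). Output: "<pkg> installer=<who>".
triage() {
    suspicious_a11y "$1" | while read -r pkg; do
        inst=$(installer_of "$pkg" "$2")
        [ "$inst" = "com.android.vending" ] || printf '%s installer=%s\n' "$pkg" "$inst"
    done
}

# Live usage against a connected device (uncomment; requires adb):
# triage "$(adb shell settings get secure enabled_accessibility_services)" \
#        "$(adb shell pm list packages -3 -i)"
# adb shell appops get com.example.dropper SYSTEM_ALERT_WINDOW

# Offline demonstration on the constructed samples:
triage "$SAMPLE_A11Y" "$SAMPLE_PKGS"
```

The check deliberately keys on capabilities rather than on names or hashes, since the write-up says the malware adapts its UI actions per device and the dropper name can change. Once a package is flagged, the page's removal path (reboot into Safe Mode so the overlay cannot intercept the Uninstall button) still applies.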
