First Android Malware Using Generative AI Discovered

Cybersecurity firm ESET has discovered PromptSpy, the first known Android malware that abuses a generative AI model in its attack sequence. The malware uses prompts to Google's Gemini AI to guide malicious manipulation of the user interface, allowing it to capture lockscreen data and achieve persistence. This marks a novel use of generative AI by threat actors.

- By sending a natural-language prompt and an XML file of the device's user interface to Gemini, PromptSpy receives device-specific instructions on how to perform gestures that "lock" the malicious app in the recent apps list, making it resistant to termination. This allows the malware to adapt to various device models, layouts, and OS versions, significantly expanding its potential victim pool.
- The malware's primary function is to install a Virtual Network Computing (VNC) module, giving attackers remote control to capture lockscreen PINs, record screen activity as video, and take screenshots. It also abuses Android's Accessibility Services to block uninstallation attempts by placing invisible overlays on "uninstall" and "force stop" buttons.
- This is the second AI-related malware discovery from ESET, following the "PromptLock" ransomware in August 2025, which was later revealed to be a research project. Other recently identified AI-abusing threats include FruitShell, PromptSteal/Lamehug (linked to Russian state activity), and QuietVault.
- Samples of PromptSpy were first uploaded to VirusTotal from Hong Kong on January 13, 2026, with more advanced versions that included the Gemini component uploaded from Argentina on February 10, 2026. The malware, named "MorganArg," impersonated the JPMorgan Chase Argentina brand and was distributed via a now-offline website.
- Debug strings and code written in simplified Chinese suggest the malware was developed in a Chinese-speaking environment. However, ESET has not yet observed PromptSpy in its own telemetry, indicating it may currently be a proof of concept.
- Google's Threat Intelligence Group (GTIG) noted in a February 2026 report that while threat actors are increasingly using LLMs for tasks like reconnaissance and generating phishing content, they struggle to develop custom models and instead rely on mature APIs like Gemini.
- The Open Web Application Security Project (OWASP) has released a "Top 10 for LLM Applications" to frame the evolving threat landscape, which includes risks like prompt injection, sensitive information disclosure, and training data poisoning.
