ESET researchers have unveiled PromptSpy, the first known Android malware to incorporate generative AI into its operational framework, representing a significant evolution in mobile cybersecurity threats. Discovered recently, this malware utilizes AI to manipulate the user interface (UI) contextually, enabling a more sophisticated user experience that complicates the detection and removal process.
PromptSpy employs Google’s Gemini AI to analyze the current screen layout and generate step-by-step instructions to maintain its presence in the recent apps list of Android devices. This feature effectively prevents users from easily closing or terminating the malicious application, showcasing an alarming shift in the capabilities of mobile malware.
This malware primarily targets users in Argentina, utilizing financial fraud schemes to exploit unsuspecting individuals. ESET has reported its findings to Google, who has confirmed that Android users with Google Play Services are shielded by Play Protect, which blocks known versions of the malware. Notably, PromptSpy has not appeared on Google Play, instead being distributed through phishing websites masquerading as legitimate banking platforms, specifically imitating Chase Bank.
PromptSpy marks the first instance of generative AI being employed for UI automation in malicious applications. The discovery follows the identification of PromptLock in August 2025, which was recognized as the first AI-powered ransomware, highlighting the rapid integration of generative AI into cybercrime methodologies.
The malware’s AI capabilities are specifically focused on its persistence mechanisms, with traditional techniques managing its core functionalities. This setup allows PromptSpy to adapt across various device manufacturers, operating system iterations, and UI variations that would typically disrupt traditional hardcoded automation scripts.
Traditional Android malware usually relies on static coordinates or UI element identifiers, which can differ across various custom operating systems like Samsung’s One UI, Xiaomi’s MIUI, and OnePlus’ OxygenOS. These discrepancies complicate automation, making it nearly impossible to maintain a single codebase for all device manufacturers. In contrast, PromptSpy sidesteps these challenges by sending natural language prompts to Gemini, along with XML dumps of the complete UI hierarchy that detail every element’s text, type, class name, and exact screen coordinates. Gemini then processes this data and issues JSON-formatted instructions for the malware to execute through Android’s Accessibility Services.
This feedback loop allows the malware to adaptively engage with the AI, ensuring successful execution of its tasks before moving on to the next stage. Such a system represents a marked departure from the conventional if-then logic often used in traditional malware design.
Functionally, the malware includes a VNC module that provides attackers with remote access to compromised devices. It communicates with its command-and-control server using AES-encrypted messages, allowing cybercriminals to issue commands, monitor activity, and capture sensitive user information.
The distribution method involved redirecting victims to a phishing site that imitated Chase Bank. Analysis of the malware revealed that it used branding closely resembling that of the legitimate bank, suggesting an intent to lure users effectively. The application itself is named “MorganArg,” which implies a targeted marketing strategy focused on Argentina.
Despite not having been widely observed in telemetry data, ESET notes that the existence of distribution domains and related phishing applications indicates limited deployment within Argentina. The researchers also uncovered another phishing trojan, signed with similar developer certificates, that could serve as an entry point for victims before they install PromptSpy.
PromptSpy takes advantage of the Accessibility Services permission to read screen content and automate interactions, making its task execution more insidious. It employs a structured interaction pattern with Gemini, initially providing detailed instructions for analyzing the screen’s XML data to generate operational commands in JSON format. Notably, these prompts warn against making assumptions about task completion, requiring visual confirmation before acknowledging success.
The malware also employs Accessibility Services to implement anti-removal features. When users try to uninstall or disable the application, PromptSpy overlays invisible rectangles over critical buttons, effectively intercepting interactions aimed at removing it. This sophisticated approach makes standard removal methods futile, requiring users to boot into Safe Mode for successful eradication.
The emergence of PromptSpy highlights the shifting landscape of mobile security threats, where generative AI is being weaponized for malicious purposes. With its ability to obscure its operations and adapt to various environments, this malware poses a significant challenge for cybersecurity professionals. As the integration of AI in cybercrime continues to evolve, the implications for mobile security and user privacy are profound.
See also
Anthropic’s Claims of AI-Driven Cyberattacks Raise Industry Skepticism
Anthropic Reports AI-Driven Cyberattack Linked to Chinese Espionage
Quantum Computing Threatens Current Cryptography, Experts Seek Solutions
Anthropic’s Claude AI exploited in significant cyber-espionage operation
AI Poisoning Attacks Surge 40%: Businesses Face Growing Cybersecurity Risks
