Researchers Discover First Android Malware Using Generative AI for Persistence

The first Android malware known to use generative AI employs it only to maintain persistence; its main payload gives attackers remote control of the device and blocks attempts to remove it.

Feb 22, 2026
Technobezz

Security researchers have uncovered the first Android malware that weaponizes generative AI to maintain persistence on infected devices, marking a dangerous evolution in mobile threats.

ESET researchers discovered PromptSpy earlier this month. The Android Trojan uses Google's Gemini model to analyze the device screen and generate step-by-step instructions for locking itself in the Recent apps list so that it keeps running.

For each screen it needs to navigate, the malware sends Gemini a natural-language prompt together with the screen's UI hierarchy as XML and receives back navigation steps tailored to whatever interface it finds. That is what lets it cope with the differing layouts of manufacturer skins and Android versions.

Generative AI handles only the persistence step; PromptSpy's primary payload is a Virtual Network Computing (VNC) module that gives attackers full remote control. Once installed, it lets them view the screen, perform actions remotely, capture lock screen data, block uninstallation attempts, gather device information, take screenshots, and record screen activity as video.

The malware encrypts its command-and-control traffic with AES, abuses Android's accessibility services, and draws invisible overlays to block attempts to remove it.

Because the overlays defeat the normal uninstall flow, victims must reboot into Safe Mode to remove the malicious app. It is named MorganArg and appears designed to impersonate JPMorgan Chase Bank, with targeting specific to Argentina.

Distribution occurred through a dedicated website rather than Google Play Store, with ESET sharing findings through its App Defense Alliance partnership. Google Play Protect automatically blocks known versions on devices with Google Play Services enabled.

"This campaign appears to be financially motivated," ESET researcher Lukáš Štefanko said in the company's announcement. "Since Android malware often relies on UI-based navigation, leveraging generative AI enables threat actors to adapt to more or less any device, layout, or operating system version, which can greatly increase the pool of potential victims."

PromptSpy represents ESET's second discovery of AI-powered malware following PromptLock in August 2025, which was identified as the first known case of AI-driven ransomware.

The security firm noted that while PromptSpy hasn't appeared in widespread campaigns yet, it serves as proof-of-concept for how attackers can misuse commercial AI tools.

The malware's adaptability stems from replacing traditional hardcoded coordinates with AI-generated navigation instructions that work across different interface variations. This approach overcomes limitations that typically cause malware to fail with minor UI changes between Android versions or manufacturer skins.
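The indicators the article describes (an accessibility service used to block removal, invisible overlays, sideloading from a website rather than Google Play, and direct calls from the app to a commercial generative-AI API) can be combined into a triage heuristic for device telemetry. The Python below is an added example written for this page, not code from ESET, Technobezz, or the malware; it assumes that Gemini API requests go to the host generativelanguage.googleapis.com and that a management or EDR agent exports a per-app inventory and a per-app egress log in the constructed shapes shown. Package names and log lines are constructed.

```python
"""Heuristic triage of Android app telemetry for PromptSpy-style tradecraft.

Added example for illustration only. Inputs are constructed; the inventory
and log formats are assumptions about what an MDM/EDR agent would export.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption (not stated in the article): Gemini API calls go to this host.
GENAI_API_HOSTS = {"generativelanguage.googleapis.com"}
PLAY_STORE_INSTALLER = "com.android.vending"
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"


@dataclass(frozen=True)
class AppRecord:
    """Per-app inventory entry (constructed shape)."""
    package: str
    installer: str | None            # installing package; None = unknown/adb
    permissions: frozenset[str]
    has_accessibility_service: bool  # declares a BIND_ACCESSIBILITY_SERVICE service


# Constructed inventory: a sideloaded fake bank app, a Play-installed notes
# app that legitimately uses Gemini, and a Play-installed screen reader.
INVENTORY = [
    AppRecord("com.example.fakebank", None,
              frozenset({OVERLAY_PERMISSION, "android.permission.INTERNET"}), True),
    AppRecord("com.example.notes", PLAY_STORE_INSTALLER,
              frozenset({"android.permission.INTERNET"}), False),
    AppRecord("com.example.screenreader", PLAY_STORE_INSTALLER,
              frozenset({"android.permission.INTERNET"}), True),
]

# Constructed egress log: "<timestamp> <package> <host>:<port>"
EGRESS_LOG = """\
2026-02-20T10:01:02Z com.example.notes generativelanguage.googleapis.com:443
2026-02-20T10:01:05Z com.example.fakebank generativelanguage.googleapis.com:443
2026-02-20T10:01:07Z com.example.fakebank 203.0.113.10:8443
2026-02-20T10:02:11Z com.example.screenreader play.googleapis.com:443
2026-02-20T10:02:15Z malformed line without a host
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<pkg>[\w.]+)\s+(?P<host>[^:\s]+):(?P<port>\d+)$")


def parse_egress_log(text: str) -> dict[str, set[str]]:
    """Map each package to the hosts it contacted; lines that don't parse are skipped."""
    hosts: dict[str, set[str]] = {}
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            hosts.setdefault(m["pkg"], set()).add(m["host"])
    return hosts


def score_app(app: AppRecord, contacted: set[str]) -> tuple[int, list[str]]:
    """Score one app; each indicator is weak alone, the combination is what matters."""
    score, reasons = 0, []
    if app.has_accessibility_service:
        score += 1
        reasons.append("declares an accessibility service")
    if OVERLAY_PERMISSION in app.permissions:
        score += 1
        reasons.append("requests SYSTEM_ALERT_WINDOW (can draw overlays)")
    if app.installer != PLAY_STORE_INSTALLER:
        score += 1
        reasons.append(f"not installed from Google Play (installer={app.installer})")
    if contacted & GENAI_API_HOSTS:
        score += 1
        reasons.append("contacts a generative-AI API directly")
    # Accessibility plus overlay is the removal-blocking combination described
    # for PromptSpy, so it is weighted above the sum of its parts.
    if app.has_accessibility_service and OVERLAY_PERMISSION in app.permissions:
        score += 2
        reasons.append("accessibility + overlay: can watch and block the UI")
    return score, reasons


def triage(apps: list[AppRecord], log_text: str, threshold: int = 4) -> list[dict]:
    """Score every app against the egress log; highest score first."""
    contacted = parse_egress_log(log_text)
    findings = []
    for app in apps:
        score, reasons = score_app(app, contacted.get(app.package, set()))
        findings.append({"package": app.package, "score": score,
                         "flagged": score >= threshold, "reasons": reasons})
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY, EGRESS_LOG):
        print(f"{f['package']:28} score={f['score']} flagged={f['flagged']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run stand-alone, the constructed fake bank app is the only one flagged. Note that contact with a generative-AI API is deliberately a weak signal on its own: plenty of legitimate apps call Gemini, which is why the notes app scores low. The combination of an accessibility service and the overlay permission on a sideloaded app is the part worth an analyst's time, and the threshold should be tuned against a real fleet's baseline.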

ESET's analysis points to regional targeting of Argentina based on language clues and the distribution vector, while artifacts in the samples indicate development in a Chinese-speaking environment. ESET attributes PromptSpy and the related VNCSpy malware to the same threat actor.
