AI is helping people write code, make music, and create movies, but it’s also being actively used for nefarious ends.
Researchers at cybersecurity firm ESET have discovered what they’re calling PromptSpy, the first known Android malware to weaponize generative AI as part of its attack chain. While machine learning has previously been used in malicious software — most recently in Android.Phantom, which used TensorFlow models to commit ad fraud — PromptSpy marks the first time a threat actor has deployed a large language model to guide malicious behavior on a compromised device. It is the second AI-powered malware ESET has discovered, following PromptLock in August 2025, which was the first known AI-driven ransomware.
The malware uses Google’s Gemini AI to help it stay alive on infected devices. Rather than relying on hardcoded screen coordinates or fixed scripts — methods that frequently break across different Android versions, manufacturers, and device sizes — PromptSpy sends Gemini a natural-language prompt alongside an XML dump of the current device screen, giving the AI a detailed picture of every UI element present. Gemini responds with JSON-formatted instructions telling the malware exactly where to tap or swipe in order to “lock” the malicious app in the device’s recent apps list, preventing the user or the system from easily closing or killing it. The loop continues, with PromptSpy feeding Gemini updated screen states, until Gemini confirms the app has been successfully locked in place.
“By handing the decision-making over to Gemini,” ESET researchers wrote, “the malware can recognize the correct UI element and perform the appropriate gesture, keeping the malware alive even if the user tries to close it.”
Beyond its AI-assisted persistence mechanism, PromptSpy’s core capability is considerably more dangerous. Once it establishes a foothold, the malware deploys a built-in VNC (Virtual Network Computing) module that gives remote operators a live view of the victim’s screen and full control of the device — taps, swipes, text input, gestures — as if they were physically holding it. The malware communicates with its command-and-control server via the VNC protocol using AES encryption, and can intercept lockscreen PINs and passwords, record the screen and user gestures for specified apps, capture screenshots on demand, and report which apps are running in the foreground.
Removal is also deliberately difficult. PromptSpy abuses Android’s Accessibility Service to overlay invisible transparent rectangles over key buttons — anything containing the words “stop,” “end,” “clear,” or “uninstall” — intercepting user interactions and making it effectively impossible to remove the app through normal means. The only reliable removal method, according to ESET, is rebooting the device into Safe Mode, navigating to Settings, and uninstalling the app from there while third-party apps are disabled.
The campaign appears to be financially motivated and primarily targets users in Argentina, with the malware disguised as a fake Chase Bank app called “MorganArg” — likely shorthand for “Morgan Argentina.” The dropper was distributed through a dedicated website that impersonated Chase Bank’s interface, displayed in Spanish. ESET researchers also found a companion phishing app signed with the same developer certificate as the PromptSpy dropper, reinforcing their belief that the two were built by the same threat actor and likely used in sequence to lure victims.
Interestingly, debug strings written in simplified Chinese and code handling Chinese-language accessibility event types were found embedded in PromptSpy, leading ESET to conclude with medium confidence that the malware was developed in a Chinese-speaking environment — even as its targets appear to be in South America.
ESET, as an App Defense Alliance partner, has shared its findings with Google. Android users are currently protected against known versions of the malware through Google Play Protect, which is enabled by default on devices running Google Play Services. PromptSpy was never available on the Google Play Store.
The discovery is a meaningful inflection point for mobile security. Until now, Android malware’s reliance on static, hardcoded UI interactions made it brittle and easy to break with OS updates or device-specific UI differences. By delegating screen interpretation and decision-making to a large language model, attackers have found a way to make their malware dramatically more adaptable — capable of operating across virtually any device, layout, or Android version it encounters. There have been other cases of AI-enabled cyber threats too — Anthropic had earlier said that it it had discovered a cyber espionage attack against 30 global organizations.
Tech companies, predictably, are already using AI to solve the problem. Last year, Google had said that its AI agent ‘Big Sleep’ had helped foiled a cybersecurity exploit. And with AI becoming ever-more sophisticated, security researchers will have to keep an eye out for this new threat vector as they work to keep users’ devices safe.