PromptSpy: First Android malware to use generative AI in its execution flow

ESET researchers have discovered PromptSpy, the first known Android malware to abuse generative AI as part of its execution flow in order to achieve persistence. This marks the first time generative AI has been deployed in this way.

Because the attackers rely on prompting an AI model, specifically Google’s Gemini, to guide malicious UI manipulation, ESET has named this malware family PromptSpy. The malware can capture lockscreen data, block uninstallation attempts, gather device information, take screenshots, and record screen activity as video, among other capabilities.

This is the second AI-powered malware discovered by ESET Research, following PromptLock in August 2025, which they described as the first known case of AI-driven ransomware.

Based on language localization clues and the distribution vectors observed during analysis, the campaign appears to be financially motivated and primarily targets users in Argentina. However, PromptSpy has not yet been observed in ESET telemetry, suggesting it may currently be a proof of concept.

Although generative AI is used only in a relatively small portion of PromptSpy’s code, specifically the component responsible for persistence, it significantly increases the malware’s adaptability. Gemini is used to provide step-by-step instructions on how to make the malicious app “locked,” meaning pinned in the recent apps list. This feature is often represented by a padlock icon in the multitasking view of many Android launchers, and it prevents the app from being easily swiped away or terminated by the system. The AI model and prompt are predefined in the code and cannot be modified.

“Since Android malware often relies on UI-based navigation, leveraging generative AI enables threat actors to adapt to more or less any device, layout, or operation system version, which can greatly increase the pool of potential victims,” says ESET researcher Lukáš Štefanko, who discovered PromptSpy. “The main purpose of PromptSpy is to deploy a built-in VNC module, giving operators remote access to the victim’s device. This Android malware also abuses Accessibility Services to block uninstallation with invisible overlays, captures lockscreen data, and records screen activity as video. It communicates with its Command & Control server via AES encryption,” adds Štefanko.

PromptSpy is distributed through a dedicated website and has never been available on Google Play. As an App Defense Alliance partner, researchers nonetheless shared its findings with Google. Android users are automatically protected against known versions of this malware through Google Play Protect, which is enabled by default on Android devices with Google Play Services.

“Even though PromptSpy uses Gemini in just one of its features, it still demonstrates how implementing these tools can make malware more dynamic, giving threat actors ways to automate actions that would normally be more difficult with traditional scripting,” says Štefanko.

With the app named MorganArg and its icon seemingly inspired by Morgan Chase, the malware likely impersonates the Morgan Chase bank. MorganArg, which appears to be shorthand for “Morgan Argentina,” also shows up as the name of the cached website, further suggesting a region-specific targeting focus.

Because PromptSpy blocks uninstallation by overlaying invisible elements on the screen, the only way for a victim to remove it is to reboot the device into Safe Mode. In Safe Mode, third party apps are disabled and can be uninstalled normally. To enter Safe Mode, users should typically press and hold the power button, then long press Power off and confirm the Reboot to Safe Mode prompt, although the exact steps may vary by device and manufacturer. Once the phone restarts in Safe Mode, the user can navigate to Settings → Apps → MorganArg and uninstall it without interference.