- Google’s Gemini is used to interpret on-screen elements on a compromised device and provide PromptSpy with dynamic instructions on how to perform certain gestures to remain in the recent apps list.
- The primary (non-GenAI-assisted) purpose of PromptSpy is to deploy a virtual network computing (VNC) module on a victim’s device, allowing an attacker to view the screen and perform actions remotely.
- PromptSpy can capture lock screen data, block uninstalls, collect device information, take screenshots, record screen activity as videos, and more.
Dubai, United Arab Emirates: ESET researchers have discovered PromptSpy, the first known Android malware that exploits generated AI in its execution flow to achieve persistence. This is the first time generative AI has been deployed in this way. ESET named this family PromptSpy because attackers rely on prompts from AI models (specifically Google’s Gemini) to guide malicious UI interactions. The malware can capture lock screen data, block uninstall attempts, collect device information, take screenshots, record screen activities as videos, and more. This is the second AI-powered malware discovered by ESET Research, following PromptLock in August 2025, the first known case of AI-powered ransomware.
Based on language localization cues and distribution vectors observed during analysis, this campaign appears to be financially motivated and primarily targets users in Argentina. However, PromptSpy has not yet been observed with ESET telemetry, so it may be a proof of concept.
Although generative AI is only implemented in a relatively small portion of PromptSpy’s code (the part that enables persistence), it still has a significant impact on the malware’s adaptability. Specifically, Gemini is used to provide PromptSpy with step-by-step instructions on how to “lock,” or pin, a malicious app to the recent apps list (represented by a padlock icon in the multitasking view of many Android launchers), thereby preventing the app from being easily swiped or killed by the system. AI models and prompts are predefined in code and cannot be changed.
“Since Android malware often relies on UI-based navigation, leveraging generative AI could significantly increase the pool of potential victims by allowing threat actors to adapt to more or less any device, layout, and operating system version,” said ESET researcher Lukasz Stefanko, who discovered PromptSpy. “The main purpose of PromptSpy is to deploy a built-in VNC module and allow operators to remotely access the victim’s device. This Android malware also exploits accessibility services to block uninstallation with an invisible overlay, capture lock screen data, and record screen activity as a video. It communicates with command and control servers via AES encryption,” Stefanko added.
PromptSpy is distributed by a dedicated website and was not available on Google Play. Still, ESET shared its findings with Google as an App Defense Alliance partner. Android users are automatically protected from known versions of this malware by Google Play Protect. Google Play Protect is enabled by default on Android devices with Google Play Services.
“Although PromptSpy only uses Gemini for one of its features, it shows that implementing these tools can make malware more dynamic and provide threat actors with a way to automate actions that are typically more difficult to perform with traditional scripts,” Stefanko said.
The malware may be impersonating a Morgan Chase bank, as the app’s name is MorganArg and its icon appears to be inspired by Morgan Chase. MorganArg, presumably an abbreviation for “Morgan Argentina,” also appears as the name of the cached website, suggesting regional targeting.
PromptSpy overlays an invisible element on the screen to block uninstallation, so the only way for victims to remove it is to restart the device in safe mode. Safe mode disables third-party apps and allows you to uninstall them as usual. To enter Safe Mode, you typically need to press and hold the power button, press and hold Power Off, and then confirm the prompt to restart in Safe Mode (though the exact method may vary by device and manufacturer). Once the phone restarts in safe mode, the user will be able to[設定]→[アプリ]→[MorganArg]You can go to and uninstall it without any interference.
For a more in-depth analysis of PromptSpy, check out the latest ESET Research blog post “PromptSpy usher in the era of Android threats with GenAI” on WeLiveSecurity.com. To get the latest news from ESET Research, follow ESET Research on Twitter (now X), BlueSky, and Mastodon.
About ESET
ESET® provides cutting-edge cybersecurity to proactively prevent attacks. ESET combines the power of AI with human expertise to stay ahead of new and known global cyber threats, protecting businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multi-factor authentication. 24/7 real-time protection and strong local support keep your users safe and your business running without interruption. The ever-evolving digital environment requires a progressive approach to security. ESET is committed to world-class research and powerful threat intelligence, supported by our Research and Development Center and a strong global partner network. For more information, visit ESET Middle East or follow us on LinkedIn, Facebook and X.
media contact
Sanjeev
Vistar Communications
P.O. Box 127631
dubai, united arab emirates
Email: sanjeev@vistarmea.com
