Security researchers at ESET have uncovered what they describe as the first known case of Android malware abusing generative AI to manipulate a device’s user interface in real time.
Dubbed PromptSpy, the newly identified malware family uses Google’s Gemini to analyze on-screen content and dynamically guide malicious actions. While machine learning has previously been used in Android threats (including a recent case discovered by Dr.Web involving ad fraud automation), this is the first documented instance of GenAI being embedded directly in a malware’s execution flow.
According to the researchers, PromptSpy is the second AI-powered malware family they have found; the first was PromptLock, discovered in August last year, which was the first known instance of AI-powered ransomware.
Unlike traditional Android malware, which relies on hardcoded touch sequences, screen coordinates, or UI selectors, PromptSpy uses GenAI to adapt to different devices, OS versions, and UI configurations.
Designed to Achieve Persistence
The AI component of the malware is used specifically to achieve persistence: the malicious app keeps itself in the recent apps list so that it cannot easily be killed, either by the user swiping it away or by the system.
To do this, the malware sends Gemini a natural-language prompt together with an XML dump of the current screen. The model examines the visible UI elements, including their text, type, and location, and returns step-by-step instructions as JSON telling the malware where and how to perform gestures. The prompts and responses are stored locally, enabling multi-step, context-aware interactions.
Although GenAI accounts for only a small portion of the code, the researchers warn that it significantly increases adaptability. Because UI navigation on Android devices often varies between manufacturers, traditional scripted attacks can fail when layouts change. AI-driven analysis, by contrast, lets the malware interpret interface differences on the fly, expanding the potential victim pool.
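To make that loop concrete, here is an added illustration (not ESET’s analysis code and not PromptSpy’s own) of the dump-to-prompt-to-instruction cycle the researchers describe: a uiautomator-style XML hierarchy is flattened into text/type/location records, packed into a prompt together with locally stored earlier turns, and the model’s JSON reply is resolved against the element bounds before a gesture is issued. The screen XML and the `fake_model` stand-in for the Gemini call are constructed for this example, and the JSON instruction schema is an assumption, since the article does not give the real one.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed, uiautomator-style hierarchy dump of a
# "Recent apps" screen on a hypothetical OEM build. Not a real device capture.
SCREEN_XML = """<hierarchy rotation="0">
  <node class="android.widget.FrameLayout" bounds="[0,0][1080,2340]">
    <node class="android.widget.TextView" text="Recent apps" bounds="[48,120][600,200]"/>
    <node class="android.widget.ImageView" content-desc="Menu" clickable="true" bounds="[960,100][1040,180]"/>
    <node class="android.widget.TextView" text="Lock" clickable="true" bounds="[700,900][900,980]"/>
  </node>
</hierarchy>"""

BOUNDS_RE = re.compile(r"\[(\d+),(\d+)\]\[(\d+),(\d+)\]")


def parse_dump(xml_text):
    """Flatten the XML hierarchy into the text/type/location records the prompt needs."""
    elements = []
    for idx, node in enumerate(ET.fromstring(xml_text).iter("node")):
        m = BOUNDS_RE.match(node.get("bounds", ""))
        if not m:
            continue  # skip nodes without usable geometry
        elements.append({
            "id": idx,
            "type": node.get("class", "").rsplit(".", 1)[-1],
            "text": node.get("text") or node.get("content-desc") or "",
            "clickable": node.get("clickable") == "true",
            "bounds": tuple(int(v) for v in m.groups()),
        })
    return elements


def build_prompt(goal, elements, history):
    """Natural-language goal + enumerated screen elements + prior turns."""
    lines = [f"Goal: {goal}",
             "Screen elements (id, type, label, clickable?, bounds=(x1, y1, x2, y2)):"]
    for e in elements:
        flag = "clickable" if e["clickable"] else "static"
        lines.append(f'[{e["id"]}] {e["type"]} "{e["text"]}" {flag} bounds={e["bounds"]}')
    if history:  # locally stored turns give the model multi-step context
        lines.append("Previous steps:")
        lines.extend(f"  step {i + 1}: {h['reply']}" for i, h in enumerate(history))
    lines.append('Reply with JSON only: {"action": "tap", "target": <id>}, '
                 '{"action": "swipe", "from": [x, y], "to": [x, y]} or {"action": "done"}.')
    return "\n".join(lines)


def resolve_instruction(instruction, elements):
    """Turn the model's JSON step into a concrete gesture, refusing ids not on screen."""
    action = instruction.get("action")
    if action == "tap":
        target = next((e for e in elements if e["id"] == instruction.get("target")), None)
        if target is None:
            raise ValueError("model referenced an element that is not on screen")
        x1, y1, x2, y2 = target["bounds"]
        return {"action": "tap", "x": (x1 + x2) // 2, "y": (y1 + y2) // 2}
    if action == "swipe":
        return {"action": "swipe", "from": tuple(instruction["from"]), "to": tuple(instruction["to"])}
    if action == "done":
        return {"action": "done"}
    raise ValueError(f"unknown action {action!r}")


def fake_model(prompt):
    """Stand-in for the remote Gemini call (no network): taps the first clickable
    element labelled "Lock", otherwise reports the task finished. Constructed logic."""
    for line in prompt.splitlines():
        m = re.match(r'^\[(\d+)\] \S+ "Lock" clickable', line)
        if m:
            return json.dumps({"action": "tap", "target": int(m.group(1))})
    return json.dumps({"action": "done"})


def run_step(goal, xml_text, history, ask_model=fake_model):
    """One iteration of the dump -> prompt -> JSON -> gesture loop. `ask_model` would be
    the Gemini API client in the malware; here it defaults to the offline stand-in."""
    elements = parse_dump(xml_text)
    prompt = build_prompt(goal, elements, history)
    reply = ask_model(prompt)
    gesture = resolve_instruction(json.loads(reply), elements)
    history.append({"prompt": prompt, "reply": reply})  # persisted locally in the real thing
    return gesture


if __name__ == "__main__":
    turns = []
    print(run_step("Lock this app in the recent apps list", SCREEN_XML, turns))
    print(len(turns), "turn(s) stored")
```

The check in `resolve_instruction` that a tap target actually exists on screen is the guard any UI agent needs: a model that hallucinates an element id would otherwise tap at a stale or arbitrary position. From the defender’s side, the same loop is the thing to look for during app vetting: an app that holds accessibility rights, exports screen hierarchy dumps and acts on structured replies from a remote model is a combination worth flagging.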
Granting Remote Access
The primary purpose of PromptSpy is to deploy a built-in VNC module that grants attackers remote access to the infected device. Once active, operators can view the victim’s screen and perform actions remotely.
The malware also abuses the Android Accessibility Service to block its own uninstallation via invisible overlays, harvest data from the lock screen, record screen activity as video, and collect device information. Communication with its command-and-control infrastructure is done over the VNC protocol, with traffic encrypted using AES.
PromptSpy has not yet been observed in ESET’s telemetry, leading the researchers to assume it is currently a proof of concept. However, a possible distribution domain was identified, pointing to a campaign targeting users in Argentina. Localization clues suggest a financially motivated operation, while the examined samples indicate the malware was developed in a Chinese-speaking environment.
The malware is spread through a dedicated website and has never been found on the Google Play store. As a member of the App Defense Alliance, ESET has informed Google of its findings. According to Google, Android users are protected from known variants of PromptSpy by Google Play Protect, which is enabled by default on devices with Google Play Services.
Integrating GenAI into Malware
According to the researchers, PromptSpy highlights an emerging trend. As GenAI tools become more widely available, bad actors are starting to explore ways to integrate them into their malware. Even a small amount of integration could make malware more robust and may lower the technical skill needed to automate complex UI attacks.
While PromptSpy’s AI functionality is currently confined to its persistence mechanism, its discovery could mark a new chapter in mobile threat evolution, one in which GenAI is increasingly used to make malware more dynamic, adaptive, and harder to disrupt.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.