Cybersecurity researchers say they’ve spotted the first Android malware strain that uses generative AI to improve performance once installed. But it may be only a proof of concept.
ESET calls it PromptSpy, malware whose primary goal is to deploy a VNC module that hands hackers remote control of infected devices.
The Slovak security shop’s experts said PromptSpy comes with capabilities to instruct Google’s Gemini chatbot to interpret parts of the device’s user interface using natural language prompts.
These prompts allow the malware to examine the user interface, which then informs the gestures it needs to execute on the device in order to keep the malicious app pinned to its recent apps list.
Lukas Stefanko, malware researcher at ESET, said the use of GenAI amounts to only a small portion of the malware’s toolkit, but allows it to adapt to different devices.
“The AI model and prompt are predefined in the code and cannot be changed,” he wrote. “Since Android malware often relies on UI navigation, leveraging generative AI enables the threat actors to adapt to more or less any device, layout, or OS version, which can greatly expand the pool of potential victims.”
Android malware usually relies on taps, coordinates, and UI selectors to execute tasks, but these have a tendency to break when running on different devices, which makes the use of Gemini a clever way to bypass this common issue.
PromptSpy submits a natural language prompt to Gemini, together with an XML dump of the device’s current screen, and the chatbot returns JSON instructions for what action to perform and where to perform it to keep the app pinned in the user’s recents list. This process repeats until Gemini tells PromptSpy that the app is in position.
ESET found versions of PromptSpy uploaded to VirusTotal in January, with the Gemini-assisted strains submitted from Argentina.
Analysis of the app’s code suggests it was developed by Chinese speakers to assist financially motivated cybercriminals.
Stefanko said PromptSpy has not yet appeared in any of ESET’s telemetry findings, suggesting it remains a proof of concept. However, the team found what appears to be a distribution domain, which could suggest it is being used to support real-world attacks.
The domains ESET investigated are now offline, but cached versions revealed they were likely trying to imitate a Chase Bank website.
PromptSpy is not on the Google Play Store, and given Google’s recent clampdown on sideloading apps, it’s unclear how the attackers planned to get the app loaded onto devices.
Once installed, the app can intercept lockscreen PINs or passwords, capture the pattern unlock screen as a video, record the screen and user’s gestures, and take screenshots in addition to the Gemini interactions.
It also works to prevent the user from uninstalling the app or force-quitting it by placing transparent boxes over screen elements.
The boxes are invisible to the user, who would press the button’s location on the screen, only for nothing to happen. The only way to uninstall it is to reboot the device in safe mode, where third-party apps are blocked, and then go through the usual uninstall routine.
“PromptSpy shows that Android malware is beginning to evolve in a sinister way,” said Stefanko. “By relying on generative AI to interpret on‑screen elements and decide how to interact with them, the malware can adapt to virtually any device, screen size, or UI layout it encounters.
“More broadly, this campaign shows how generative AI can make malware far more dynamic and capable of real‑time decision‑making. PromptSpy is an early example of generative AI‑powered Android malware, and it illustrates how quickly attackers are beginning to misuse AI tools to improve impact.”
The finding follows ESET’s work to unearth PromptLock, which it says is the first AI-powered ransomware payload.
As revealed in an interview with The Register, PromptLock’s code was uploaded by the developers to VirusTotal, only to check if it would get past modern defense mechanisms.
A team of engineers at New York University worked up the code as part of a research project they hoped would land them a speaking spot at security conferences. The binary stayed in VirusTotal for some time before ESET found it.
Bemused when the news reports circulated following ESET’s blog post outlining PromptLock, the NYU students contacted the Slovak security company to say that the malware was just a proof of concept.
Md Raz, one of the students and doctoral candidates behind PromptLock, “couldn’t believe it” when he realized that people were writing about his work.
After receiving Raz et al’s message, ESET updated a Xeet to note that its finding was a mere research project, one that wouldn’t function outside of a lab.
“This supports our belief that it was a proof of concept rather than fully operational malware deployed in the wild,” the company said. “Nonetheless, our findings remain valid – the discovered samples represent the first known case of AI-powered ransomware.” ®
