PromptSpy Malware Utilizes AI for Advanced Android Attacks, Discovered by ESET Researchers

PromptSpy: The First Android Malware Leveraging AI for Advanced Decision-Making

In a groundbreaking development in mobile cybersecurity, researchers have identified PromptSpy, the first known Android malware to integrate a generative AI model—specifically Google’s Gemini—into its operational framework. This discovery marks a significant evolution in the landscape of mobile threats, following the earlier identification of AI-powered ransomware, PromptLock, in August 2025.

Discovery and Evolution

ESET researcher Lukas Stefanko uncovered PromptSpy in February 2026. The malware’s lineage traces back to an earlier variant, internally referred to as VNCSpy. Initial samples of VNCSpy appeared on VirusTotal on January 13, 2026, uploaded from Hong Kong. By February 10, 2026, more sophisticated samples incorporating the Gemini AI component emerged from Argentina, leading ESET to classify the entire family as PromptSpy.

Distribution Mechanism

PromptSpy masquerades as a Chase Bank-themed Android application named MorganArg, likely an abbreviation for Morgan Argentina. It was distributed through the now-defunct domain `mgardownload[.]com`, which impersonated a login portal for JPMorgan Chase Bank N.A. Although ESET’s telemetry has not detected active infections, the existence of a dedicated distribution infrastructure indicates a clear intent for real-world deployment.

Indicators of Origin

Analysis of debug strings and code comments written in Simplified Chinese, along with Accessibility event-type handlers localized for Chinese, suggests with medium confidence that PromptSpy was developed in a Chinese-speaking environment.

Innovative Use of AI

Traditional Android malware often relies on hardcoded screen coordinates or fixed UI selectors to automate gestures—a method prone to failure across different device manufacturers, screen sizes, or Android OS versions. PromptSpy circumvents these limitations by sending Gemini a natural-language prompt alongside an XML dump of the device’s live UI. This dump exposes each element’s text, type, and precise screen bounds.

Gemini processes this information and returns JSON-formatted tap and swipe instructions. This enables PromptSpy to execute device-specific gestures, such as locking the malicious MorganArg app in the multitasking view with a padlock icon, preventing it from being swiped away or terminated by the system.

This interaction functions as a continuous feedback loop: PromptSpy submits updated UI context after each action, Gemini returns the next step, and the cycle concludes only when the AI confirms the app has been successfully locked. While the AI model and its hardcoded prompts are static and cannot be modified at runtime, the dynamic decision-making they facilitate allows PromptSpy to adapt to virtually any Android device or OS version. This adaptability significantly broadens the potential victim pool compared to script-based predecessors.

VNC Module and Capabilities

Beyond AI-assisted persistence, PromptSpy’s primary objective is to deploy a built-in Virtual Network Computing (VNC) module, granting operators full remote control over the victim’s device. It communicates with its hardcoded Command and Control (C&C) server over the VNC protocol using AES encryption.

Once Accessibility Services are enabled, the malware can:

– Intercept lockscreen PINs and pattern unlocks, capturing them as video recordings.
– Take on-demand screenshots.
– Log installed applications.
– Record screen activity for attacker-specified apps.
– Report the current foreground application and screen state.

Anti-Removal Mechanisms

PromptSpy further exploits Accessibility Services as an anti-removal mechanism. It overlays invisible transparent rectangles over buttons containing substrings such as stop, end, clear, and Uninstall, silently intercepting the victim’s taps. This tactic effectively prevents users from terminating or uninstalling the malicious app through standard methods.
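The traits described above (Accessibility-driven gestures chosen by an AI model, overlay windows covering buttons, and a fixed list of button substrings) can be turned into a static triage rule for analysts. The following is an added example, not ESET's code or anything from the sample; the manifest, package name and strings-dump lines are constructed, and the Gemini API host is an assumption about how such a component would appear in cleartext, not something the write-up states.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android XML namespace prefix
BUTTON_WORDS = ("stop", "end", "clear", "uninstall")  # substrings the write-up says the overlays target
AI_MARKERS = ("gemini", "generativelanguage.googleapis.com")  # assumption: model name/API host in cleartext

# Constructed manifest: package and class names are placeholders, not from the real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="MorganArg">
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed strings-dump lines imitating what the write-up describes (prompt, JSON gestures, button words).
SAMPLE_STRINGS = [
    "https://generativelanguage.googleapis.com/v1beta/models/gemini",
    "Return JSON with tap or swipe actions for this UI hierarchy",
    "stop", "end", "clear", "Uninstall",
]

def manifest_traits(xml_text):
    """Flag the overlay permission and a declared Accessibility service."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    svc_perms = {s.get(A + "permission") for s in root.iter("service")}
    return {
        "overlay": "android.permission.SYSTEM_ALERT_WINDOW" in perms,
        "accessibility": "android.permission.BIND_ACCESSIBILITY_SERVICE" in svc_perms,
    }

def string_traits(strings):
    """Flag AI-API markers, a gesture-JSON prompt, and the full button-substring list."""
    lowered = [s.lower() for s in strings]
    hits = {w for w in BUTTON_WORDS if w in lowered}
    return {
        "ai_api": any(m in s for s in lowered for m in AI_MARKERS),
        "gesture_json": any("tap" in s and "swipe" in s and "json" in s for s in lowered),
        "button_words": hits == set(BUTTON_WORDS),
    }

def triage(xml_text, strings):
    """Combine traits; an Accessibility service plus three or more traits is worth an analyst's look."""
    traits = {**manifest_traits(xml_text), **string_traits(strings)}
    score = sum(traits.values())
    return {"traits": traits, "score": score, "suspicious": traits["accessibility"] and score >= 3}

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

A legitimate remote-support app may also declare an Accessibility service and the overlay permission, so the rule is a prioritization aid for manual review, not a verdict.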

Removal Procedure

The only effective method to remove PromptSpy is to reboot the device into Safe Mode and navigate to Settings → Apps → MorganArg to uninstall the application.

Security Measures and Recommendations

PromptSpy has never appeared on Google Play. ESET has shared its findings with Google through the App Defense Alliance, ensuring that Google Play Protect automatically safeguards Android users against known versions of this malware.

To protect against such sophisticated threats, users are advised to:

– Download applications exclusively from trusted sources, such as the Google Play Store.
– Regularly update their devices and applications to patch known vulnerabilities.
– Be cautious of granting extensive permissions to applications, especially those requesting Accessibility Services.
– Utilize reputable security software to detect and prevent malware infections.

Conclusion

The emergence of PromptSpy signifies a new era in mobile malware, where adversaries leverage AI to enhance the adaptability and effectiveness of their malicious software. This development underscores the necessity for continuous advancements in cybersecurity measures to counteract increasingly sophisticated threats.