ESET researchers discover PromptSpy, the first Android malware using generative AI for persistence. This is the first instance of such AI being used in this way. The attackers use prompts directed at Google’s Gemini to manipulate the UI, leading to the name PromptSpy.
The malware can collect lockscreen data, prevent uninstallation, gather device details, take screenshots, record videos of screen activity, and more. This is the second AI-powered malware found by ESET Research, after PromptLock in August 2025, which was the first known AI-driven ransomware.
This campaign seems financially motivated and mainly targets users in Argentina, based on language clues and analysis findings. However, PromptSpy hasn’t been seen in ESET telemetry, suggesting it might be just a proof of concept.
Generative AI is only used in a small section of PromptSpy’s code, specifically for persistence, but it greatly enhances the malware’s adaptability. Gemini gives instructions on how to pin the malicious app in the recent apps list, making it harder to remove. The AI model and prompts are fixed in the code and cannot be modified.
“Since Android malware often relies on UI-based navigation, leveraging generative AI enables threat actors to adapt to more or less any device, layout, or operation system version, which can greatly increase the pool of potential victims,” says ESET researcher Lukáš Štefanko, who discovered PromptSpy.
“The main purpose of PromptSpy is to deploy a built-in VNC module, giving operators remote access to the victim’s device. This Android malware also abuses Accessibility Services to block uninstallation with invisible overlays, captures lockscreen data, and records screen activity as video. It communicates with its Command & Control server via AES encryption,” adds Štefanko.
PromptSpy is only accessible via its website, not on Google Play. ESET, a partner in the App Defense Alliance, provided their findings to Google. Android users are safeguarded from known versions of this malware by Google Play Protect, which is default-enabled on devices using Google Play Services.
“Even though PromptSpy uses Gemini in just one of its features, it still demonstrates how implementing these tools can make malware more dynamic, giving threat actors ways to automate actions that would normally be more difficult with traditional scripting,” says Štefanko.
With the app’s name being MorganArg and its icon seemingly inspired by Morgan Chase, the malware is likely impersonating the Morgan Chase bank. MorganArg, likely a shorthand for “Morgan Argentina”, also appears as the name of the cached website, suggesting a regional targeting focus.
PromptSpy prevents uninstallation by using invisible elements on the screen, so the victim must reboot their device into Safe Mode to remove it. To enter Safe Mode, users usually press and hold the power button, long press Power off, and confirm the prompt. This may vary by device. After restarting in Safe Mode, users can go to Settings → Apps → MorganArg and uninstall it easily.
For a detailed analysis of PromptSpy, read ESET Research’s latest blog post “PromptSpy ushers in the era of Android threats using GenAI” on WeLiveSecurity.com.
InfoSecBulletin Cybersecurity for mankind
