An Android-specific malware targeting mobile device takeover appears to use generative AI (GenAI) services in its execution flows to maintain persistence on the victim’s smartphone, researchers at ESET have reported.
The raison d’être of the newly-discovered PromptSpy malware is to deploy and run a virtual network computing (VNC) module on the victim’s device, enabling attackers to capture lockscreen data, gather device information, take screenshots and record activity, and block uninstallation.
But to do so it must first establish persistence on the device, and it is here that GenAI comes into play, said the ESET team. They claimed that PromptSpy uses the onboard Google Gemini service to interpret onscreen elements and provide it with dynamic instructions on how to execute a specific gesture that will enable it to remain in the device’s recent app list. This, in theory, stops it being easily swiped away by the user or killed by the system.
ESET researcher Lukáš Štefanko said that while GenAI plays only a minor role in PromptSpy’s execution flow it could have a significant impact on the malware’s potential adaptability.
“Since Android malware often relies on UI-based navigation, leveraging generative AI enables threat actors to adapt to more or less any device, layout, or operation system version, which can greatly increase the pool of potential victims,” he said.
“Even though PromptSpy uses Gemini in just one of its features, it still demonstrates how implementing these tools can make malware more dynamic, giving threat actors ways to automate actions that would normally be more difficult with traditional scripting.”
Štefanko said that based on localisation clues and distribution vectors, PromptSpy seems to be run by a financially-motivated threat actor, exploits Morgan Chase branding, and may primarily target users in Argentina.
However, he also stressed that the malware has not yet popped up in ESET’s wider telemetry, which may suggest it is a proof of concept (PoC) at this point in time. Nor has it been observed on the Google Play store – it can only be downloaded by a dedicated website that its victims would need to be conned into visiting.
Computer Weekly understands that Štefanko’s discovery has been shared with Google via the App Defense Alliance programme, and Android users should already be automatically protected against known versions of it by the Google Play Protect service.
In the unlikely event that PromptSpy has somehow infected their device, victims can remove it by rebooting their phone into Safe Mode, which disables third-party applications and enables them to be uninstalled normally.
GenAI malwares. Hype or threat?
PromptSpy is not the first alleged malware exploiting GenAI to have been surfaced by the ESET team, which last year also discovered a ransomware – named PromptLock – which ran a locally accessible AI language model to autonomously plan, adapt and execute a ransomware attack.
PromptLock turned out to be the fruit of a research project conducted by a team of PhD and post-doctoral researchers at New York University’s (NYU’s) Tandon School of Engineering – specifically to illustrate the potential dangers of AI malwares.
Other supposed AI malwares found so far include FruitShell, which included GenAI promps to bypass detection and analysis, PromptSteal or Lamehug, a data miner linked to Russian state activity that queried a GenAI model to generate commands for execution via the Hugging Face API, and QuietVault, a credential stealer targeting GitHub and NPM tokens. Details on these malwares were published by the Google Threat Intelligence Group (GTIG) in November 2025.
However, their discovery has prompted widespread debate as to exactly how much of a threat such malwares really are, with some researchers arguing that the industry is overblowing their significance.
