Android Malware Leverages Generative AI for Sophisticated Attacks: PromptSpy Breakthrough
Researchers Discover Android Malware Using AI for Persistence
Researchers have identified a new Android malware family, dubbed PromptSpy, which leverages generative AI to enhance its persistence on infected devices. This malware is the first known instance of Android malware utilizing AI in its execution flow, specifically harnessing Google’s Gemini model to adapt to different devices.
Discovery and Functionality
PromptSpy was discovered in two versions, with the first, VNCSpy, appearing on VirusTotal in January 2026. Four samples of a more advanced version were later uploaded to VirusTotal from Argentina. The malware's primary function is to act as spyware: once a victim grants it Accessibility permissions, the threat actors gain full remote access to the device.
Persistence Technique
To achieve persistence, PromptSpy employs a novel technique. On some Android devices, users can "lock" or "pin" an app in the Recent Apps list, making it less likely to be terminated during memory cleanup. However, the way to lock or pin an app varies between manufacturers, so malware cannot hard-code the correct sequence of taps for every device. PromptSpy sidesteps this by sending a chat prompt to Google's Gemini model together with an XML dump of the current screen (the kind of UI hierarchy an Accessibility service can read), including visible UI elements, text labels, class types, and screen coordinates, so that the model, rather than a fixed script, works out the steps needed to pin the app on that particular device.
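To make the screen-dump-to-action loop concrete, the following Python walkthrough is added here; it is not PromptSpy's code and not ESET's analysis tooling. It parses a uiautomator-style XML hierarchy (the format `adb shell uiautomator dump` produces, constructed below for a hypothetical OEM Recent Apps screen), renders the compact element list a prompt would carry, and resolves a model's reply back to tap coordinates. The prompt wording and the JSON reply shape are assumptions; the page does not say how PromptSpy phrases its prompt or what Gemini returns.

```python
"""Screen-dump -> prompt -> validated tap plan (added illustration)."""
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample: a Recent Apps screen on a hypothetical OEM skin.
SAMPLE_DUMP = """<?xml version="1.0" encoding="UTF-8"?>
<hierarchy rotation="0">
  <node index="0" text="" class="android.widget.FrameLayout" clickable="false" bounds="[0,0][1080,2340]">
    <node index="0" text="Recent apps" class="android.widget.TextView" clickable="false" bounds="[40,120][400,180]"/>
    <node index="1" text="Bank Helper" class="android.widget.TextView" clickable="true" bounds="[120,600][600,660]"/>
    <node index="2" text="" content-desc="App options" class="android.widget.ImageView" clickable="true" bounds="[880,600][960,680]"/>
    <node index="3" text="Lock" class="android.widget.TextView" clickable="true" bounds="[700,720][900,780]"/>
    <node index="4" text="Clear all" class="android.widget.Button" clickable="true" bounds="[400,2100][680,2180]"/>
  </node>
</hierarchy>"""

BOUNDS_RE = re.compile(r"\[(\d+),(\d+)\]\[(\d+),(\d+)\]")


def parse_hierarchy(xml_text):
    """Flatten the tree into the fields the article lists: label, class,
    clickability and bounds. Each element gets a stable id so a model can
    refer to it without guessing raw coordinates."""
    root = ET.fromstring(xml_text)
    elements = []
    for node in root.iter("node"):
        m = BOUNDS_RE.fullmatch(node.get("bounds", ""))
        if not m:
            continue
        x1, y1, x2, y2 = map(int, m.groups())
        elements.append({
            "id": len(elements),
            "label": node.get("text") or node.get("content-desc") or "",
            "class": node.get("class", ""),
            "clickable": node.get("clickable") == "true",
            "bounds": (x1, y1, x2, y2),
        })
    return elements


def build_prompt(elements, goal):
    """One line per element plus a reply contract (assumed prompt format)."""
    lines = [f"Goal: {goal}", "Screen elements:"]
    for e in elements:
        lines.append(f'{e["id"]}: "{e["label"]}" {e["class"]} '
                     f'clickable={e["clickable"]} bounds={e["bounds"]}')
    lines.append('Reply with JSON: {"tap": [<element id>, ...]} '
                 'or {"tap": []} if the goal is not reachable.')
    return "\n".join(lines)


def resolve_actions(elements, reply_text):
    """Map the model's reply to tap points, refusing anything that is not a
    clickable element on the current screen. The reply is untrusted input:
    models hallucinate ids and point at non-interactive text."""
    try:
        reply = json.loads(reply_text)
    except json.JSONDecodeError:
        return []
    if not isinstance(reply, dict) or not isinstance(reply.get("tap"), list):
        return []
    by_id = {e["id"]: e for e in elements}
    taps = []
    for eid in reply["tap"]:
        e = by_id.get(eid) if isinstance(eid, int) else None
        if e is None or not e["clickable"]:
            return []  # one bad id invalidates the whole plan
        x1, y1, x2, y2 = e["bounds"]
        taps.append(((x1 + x2) // 2, (y1 + y2) // 2))
    return taps


# Constructed reply standing in for what a model might return:
# open the app's options menu, then press "Lock".
SAMPLE_REPLY = '{"tap": [3, 4]}'

if __name__ == "__main__":
    elems = parse_hierarchy(SAMPLE_DUMP)
    print(build_prompt(elems, "Lock the app named Bank Helper in Recent Apps"))
    print(resolve_actions(elems, SAMPLE_REPLY))
```

The point for defenders is in the last function: everything the model needs (labels, classes, bounds) is already in the dump, which is why the approach survives OEM UI differences, and the only place the operator can exert control is validation of the model's answer against the live screen.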
Primary Functionality
While the use of AI in PromptSpy is novel, its primary functionality is to act as spyware. The malware includes a built-in VNC module that allows threat actors to view and control the Android screen in real time. PromptSpy can upload a list of installed apps, intercept lockscreen PINs or passwords, record the pattern unlock screen as a video, capture screenshots on demand, record screen activity and user gestures, and report the current foreground application and screen status.
Removal Obstruction
To make removal harder, PromptSpy draws transparent, invisible rectangles over UI buttons whose labels contain strings like "stop," "end," "clear," and "Uninstall." When a user tries to uninstall the app or turn off its Accessibility permissions, the tap lands on the invisible overlay rather than the real button, so the action never fires. Victims must reboot into Android Safe Mode, which disables third-party apps, to uninstall the malware.
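The capabilities described in the two sections above (an Accessibility service, a VNC module, network access to a generative-AI API, and a fixed set of removal-related button labels) are all things a static triage pass can look for in a decoded APK. The Python script below is an added example of such a pass; it is neither ESET's detection logic nor derived from PromptSpy samples. The manifest and string table are constructed, and the Gemini endpoint host and the VNC "RFB" banner are generic indicators assumed here; the page does not say which hosts or strings the real samples contain.

```python
"""Static triage for the behaviour combination described above (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest in the shape apktool emits for a decoded APK.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bankhelper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Bank Helper">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed string table (what you would pull from res/values/strings.xml
# or a strings-style dump of the DEX).
SAMPLE_STRINGS = [
    "https://generativelanguage.googleapis.com/v1beta/models/",  # assumed host
    "Return JSON with the elements to tap",
    "RFB 003.008",  # VNC protocol banner, assumed marker
    "stop", "end", "clear", "Uninstall",
    "Turn off", "Allow",
]

# The four labels the article says the overlays target.
BLOCKER_WORDS = {"stop", "end", "clear", "uninstall"}


def manifest_indicators(manifest_xml):
    """Declared capabilities: network, overlay permission, Accessibility service."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    hits = set()
    if "android.permission.INTERNET" in perms:
        hits.add("internet")
    # SYSTEM_ALERT_WINDOW is one route to overlays. An Accessibility service
    # can also draw TYPE_ACCESSIBILITY_OVERLAY windows without it, so the
    # service declaration is the stronger signal.
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        hits.add("overlay_permission")
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            hits.add("accessibility_service")
    return hits


def string_indicators(strings):
    """Content markers: the removal-blocker word list, an AI API host, VNC."""
    lowered = {s.lower() for s in strings}
    hits = set()
    # All four labels together is the overlay-blocking pattern; any one alone
    # is ordinary UI text and should not fire.
    if BLOCKER_WORDS <= lowered:
        hits.add("removal_blocker_wordlist")
    if any("generativelanguage.googleapis.com" in s for s in lowered):
        hits.add("gemini_api_host")  # assumed indicator
    if any(s.startswith("rfb ") for s in lowered):
        hits.add("vnc_rfb_banner")  # assumed indicator
    return hits


def triage(manifest_xml, strings):
    """Return (sorted indicator names, flagged). The flag fires on the pairing
    that matters here: an Accessibility service plus network access plus a
    generative-AI endpoint in the same package."""
    hits = manifest_indicators(manifest_xml) | string_indicators(strings)
    flagged = {"accessibility_service", "internet", "gemini_api_host"} <= hits
    return sorted(hits), flagged


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

An Accessibility service alone is common in legitimate apps (screen readers, password managers), so the flag is deliberately tied to the combination rather than to any single indicator; the overlay permission and the word list are reported but not required, since overlays can be drawn through the Accessibility API without SYSTEM_ALERT_WINDOW.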
Conclusion
It is unclear whether PromptSpy is a proof of concept or actively used malware, as ESET has not observed it in its telemetry. However, its distribution via a dedicated domain and a fake bank website suggests that it may have been deployed in the wild. This development shows threat actors using generative AI to adapt malware behavior at run time, producing threats that are more dynamic and harder to script defenses against.
