The Era of AI-Driven Malware: Analyzing 'PromptSpy' and the Abuse of Gemini AI

April 30, 2026 • Patrick Castillo

The cybersecurity landscape has reached a significant, albeit dark, milestone. Researchers at ESET recently uncovered PromptSpy, the first documented instance of Android malware that integrates Generative AI—specifically Google’s Gemini—directly into its execution flow.

While threat actors have long used AI to draft phishing emails or generate code, PromptSpy represents a shift toward Agentic Malware: software that uses Large Language Models (LLMs) to make real-time, autonomous decisions on a victim's device.

1. How PromptSpy Abuses Google Gemini

Most Android malware relies on "hardcoded" instructions. For example, if a hacker wants to click a "Confirm" button, they must program the exact screen coordinates. If the victim uses a different phone model or OS version, those coordinates change, and the malware fails.

PromptSpy solves this "brittleness" by using Gemini as an intelligent navigator:

The XML Handshake: The malware captures an XML dump of the victim's current screen—a map containing every button, text label, and UI element.

The Natural Language Prompt: It sends this UI map to Gemini with a prompt asking how to achieve a specific goal (e.g., "Find the icon to 'lock' this app in the Recent Apps list").

Dynamic Execution: Gemini processes the UI and returns a JSON response with the exact coordinates and action (tap, swipe, or long-press) required for that specific device.

Recursive Logic: The malware saves previous responses, allowing Gemini to understand "context" and perform multi-step interactions until the goal is achieved.

2. The Primary Objective: Persistence and Remote Control

The AI component is currently used for persistence—ensuring the malware cannot be easily closed or deleted. Once PromptSpy "locks" itself in the Recent Apps list, it proceeds with its primary malicious functions:

VNC Module Deployment: It installs a Virtual Network Computing (VNC) module, giving attackers full remote-control access to the device.

Information Theft: The malware captures lock screen PINs, takes screenshots, records screen activity as video, and exfiltrates contact lists.

Anti-Uninstallation: It uses Android’s Accessibility Services to draw "invisible overlays" over the 'Uninstall' and 'Force Stop' buttons. When a user tries to delete the app, they are actually clicking on a transparent rectangle that does nothing.

3. Targeting and Distribution

Evidence suggests the campaign is financially motivated and primarily targets users in Argentina.

The Lure: The malware is distributed via a phishing site (m-mgarg[.]com) that impersonates JPMorgan Chase.

The Dropper: It arrives as an APK named "MorganArg". It has never been available on the official Google Play Store, relying instead on "sideloading."

Origins: Debug strings in Simplified Chinese suggest the malware was developed in a Chinese-speaking environment.

4. Why This Matters: The Future of "Agentic" Threats

PromptSpy is a proof-of-concept for a new generation of Adaptive Malware. By offloading UI interpretation to an LLM, attackers no longer need to update their code for every new Samsung, Pixel, or Xiaomi update. The AI acts as a "Universal Remote," making the malware compatible with almost any Android device on the planet.

5. How to Stay Safe

Because PromptSpy uses invisible overlays to block uninstallation, traditional methods often fail. If you suspect an infection:

  1. Reboot into Safe Mode: This disables all third-party apps, allowing you to go to Settings > Apps and remove "MorganArg" without interference.

  2. Disable Sideloading: Avoid installing apps from Chrome or third-party links.

  3. Audit Accessibility Permissions: Be extremely wary of apps (especially banking or utility apps) that request "Accessibility Services" permissions, as this is the primary "key" PromptSpy uses to control your screen.
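
One way to carry out the accessibility audit in step 3 from a workstation, as an added example that is not from ESET or the original article: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i` and flags enabled accessibility services whose app did not come from a trusted store. The sample outputs and `com.example.*` package names are constructed, and treating only Google Play (`com.android.vending`) as trusted is an assumption.

```python
import re

# Assumption: only Google Play counts as a trusted installer; adjust for managed fleets.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample output (not from a real device or from the PromptSpy sample).
# adb shell settings get secure enabled_accessibility_services
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sideloaded/.HelperService:"
    "com.example.storeapp/com.example.storeapp.A11yService"
)
# adb shell pm list packages -3 -i   (third-party packages with their installer)
SAMPLE_PACKAGES = """\
package:com.example.storeapp  installer=com.android.vending
package:com.example.sideloaded  installer=com.google.android.packageinstaller
package:com.example.other  installer=null
"""

def parse_services(raw):
    """Split the colon-separated 'package/class' list; 'null' or empty means none enabled."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    return [tuple(c.split("/", 1)) for c in raw.split(":") if "/" in c]

def parse_installers(raw):
    """Map third-party package name -> installer package (None when unset)."""
    out = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)\s*$", raw, re.M):
        out[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return out

def audit(services_raw, packages_raw):
    """Return enabled accessibility services of third-party apps not installed by a trusted store."""
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, cls in parse_services(services_raw):
        if pkg not in installers:
            continue  # absent from the -3 listing: preinstalled/system package
        if installers[pkg] not in TRUSTED_INSTALLERS:
            findings.append((pkg, cls, installers[pkg]))
    return findings

if __name__ == "__main__":
    for pkg, cls, src in audit(SAMPLE_SERVICES, SAMPLE_PACKAGES):
        print(f"REVIEW {pkg}/{cls} installer={src}")
```

A flagged entry is a prompt for manual review, not proof of infection: legitimate sideloaded tools can hold the Accessibility permission too.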