AI-Powered Android Malware: PromptSpy Uses Gemini to Automate Attacks

Android Malware Leverages AI for First Time, Raising Concerns of Sophisticated Attacks

In a significant escalation of mobile cybersecurity threats, researchers have identified the first known instance of Android malware utilizing generative artificial intelligence (AI) to enhance its capabilities. Dubbed “PromptSpy” by security firm ESET, the malware employs Google’s Gemini AI model to navigate the user interface of infected devices, ensuring its persistence even as users attempt to remove it. This development marks a concerning shift in the tactics employed by cybercriminals, potentially paving the way for more adaptable and evasive malware in the future. The discovery, reported on February 19, 2026, highlights a growing trend of integrating AI into malicious software, following the emergence of AI-driven ransomware like PromptLock in August 2025.

PromptSpy’s innovative approach centers around its ability to dynamically adapt to different Android devices and operating system versions. Traditional malware often struggles with variations in screen sizes and user interface layouts. However, by leveraging Gemini, PromptSpy can analyze the current screen and receive step-by-step instructions on how to remain pinned in the recent apps list, effectively preventing users from easily closing or uninstalling the malicious application. This capability significantly expands the potential victim pool, as the malware is less reliant on specific device configurations. The malware’s primary function, beyond persistence, is to deploy a Virtual Network Computing (VNC) module, granting attackers remote access to the compromised device, including the ability to view the screen, control applications, and steal sensitive data.

How PromptSpy Works: AI-Powered Persistence

The core innovation of PromptSpy lies in its use of Gemini to interpret on-screen elements and execute specific gestures. The malware doesn’t simply rely on pre-programmed instructions; instead, it prompts the AI model with a description of the current screen and asks for guidance on how to achieve its objective – typically, maintaining its own persistence. According to ESET’s research, the AI model responds with precise coordinates or instructions that the malware then executes. This interaction allows PromptSpy to overcome the fragmentation of the Android ecosystem, where diverse manufacturer interfaces and OS versions previously posed challenges for malware developers. The AI component, while relatively tiny in terms of code size, is crucial for the malware’s adaptability and effectiveness.

Researchers at ESET discovered that PromptSpy targets users primarily in Argentina, with evidence suggesting a hacker based in China developed the malware’s code. The distribution vector involved phishing sites impersonating JPMorgan Chase Argentina, using app names like “MorganArg” and icons inspired by the Chase Bank branding. While the domains used for distribution, m-mgarg[.]com and mgardownload[.]com, were found offline at the time of discovery, the campaign demonstrates a financially motivated attack with regional targeting. However, the underlying technology used by PromptSpy is readily adaptable for global attacks, raising concerns about its potential spread.

Beyond Persistence: Remote Access and Data Theft

Once successfully installed, PromptSpy grants attackers comprehensive control over the infected device through its integrated VNC module. This allows them to remotely view the screen, operate applications, and exfiltrate sensitive information, including contact lists, device details, and potentially banking credentials. The malware is also capable of capturing lock screen data, blocking uninstallation attempts, taking screenshots, and recording screen activity as video, providing attackers with a wealth of information about the user’s activities. The VNC module effectively turns the compromised device into a remotely controlled spy tool.

The Broader Implications: A New Era of AI-Powered Threats

The emergence of PromptSpy signals a significant turning point in the landscape of mobile cybersecurity. While AI has been used in malware development previously – for tasks like generating phishing emails and obfuscating code – PromptSpy represents the first known instance of generative AI being used for context-aware user interface manipulation. This “runtime AI” approach, as described by ESET, allows the malware to actively interact with the device and adapt to changing conditions, making it far more resilient than traditional malware. This is a departure from previous AI-driven malware like PromptLock, which primarily used AI for code generation and obfuscation, not for real-time interaction with the user interface.

Security experts are concerned that this technique could be widely adopted, particularly by banking Trojans. If these malicious actors can reliably interpret the interfaces of various banking applications using AI, they could automate fraud across multiple banks without the need for custom scripts for each app. The potential for large-scale, automated financial fraud is a significant threat. The use of commercial AI APIs, like Google’s Gemini, by cybercriminals also presents a dilemma for technology providers, who must balance the benefits of AI innovation with the need to prevent its misuse.

The Keenadu Firmware Backdoor: A Parallel Threat

The discovery of PromptSpy coincided with another significant security finding: the identification of the Keenadu backdoor, discovered by Kaspersky on February 18, 2026. Kaspersky’s report details how Keenadu was embedded directly into the firmware of Android tablets, potentially at some stage of the supply chain. This backdoor activates based on language and time zone settings, specifically targeting devices in China while also impacting users in Russia, Germany, and Japan. The simultaneous discovery of PromptSpy and Keenadu underscores a concerning trend: attackers are becoming increasingly sophisticated, targeting both the software and hardware layers of mobile devices.

Challenges for Tech Giants and Financial Institutions

The use of commercial AI APIs by malicious actors presents a complex challenge for technology companies like Google. Security filters are designed to prevent AI models from generating malicious code, but PromptSpy circumvents these safeguards by posing seemingly harmless requests, such as “How do I pin an app?” This request appears legitimate to the AI, as it could be interpreted as a request for accessibility assistance. Addressing this vulnerability requires a nuanced approach that balances security with the usability of AI-powered features.

One potential weakness in PromptSpy’s operation lies in the API keys used to access the Gemini AI model. If Google can identify and block the compromised accounts associated with these keys, the malware’s AI capabilities would be severely hampered. However, experts anticipate that attackers will likely attempt to use stolen or fraudulently obtained API keys to continue their operations. The ongoing arms race between security researchers and cybercriminals will likely continue as AI technology evolves.
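A defender-side triage of the indicators reported above, as an added example that is not code from ESET or from the original article: it refangs the two distribution domains, matches the “MorganArg” app label, and flags any app outside an allowlist that contacts the Gemini API. The Gemini API hostname, the CSV layout, the package names and the allowlist are assumptions or constructed samples.

```python
import csv
import io

# Indicators quoted in the article, stored defanged and refanged only for matching.
DEFANGED_DOMAINS = ["m-mgarg[.]com", "mgardownload[.]com"]
LURE_APP_LABEL = "morganarg"  # app name reported in the article

# Assumption (not stated in the article): public hostname of the Gemini API.
GEMINI_API_HOST = "generativelanguage.googleapis.com"
# Hypothetical allowlist of packages the organisation expects to call Gemini.
GEMINI_ALLOWLIST = {"com.example.notes_ai"}


def refang(indicator):
    return indicator.replace("[.]", ".").lower()


def host_matches(host, domain):
    """True for the domain itself or a subdomain, never for a look-alike suffix."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def triage(log_text):
    """Return (device, package, reason) findings from per-app egress records."""
    bad_domains = [refang(d) for d in DEFANGED_DOMAINS]
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        host, pkg = row["dest_host"], row["package"]
        if any(host_matches(host, d) for d in bad_domains):
            findings.append((row["device"], pkg, "distribution-domain"))
        if LURE_APP_LABEL in row["app_label"].lower():
            findings.append((row["device"], pkg, "lure-app-label"))
        # A sideloaded app calling a commercial LLM API is worth a look on its own.
        if host_matches(host, GEMINI_API_HOST) and pkg not in GEMINI_ALLOWLIST:
            findings.append((row["device"], pkg, "unexpected-gemini-client"))
    return findings


# Constructed sample records; the CSV layout is hypothetical, not a real MDM export.
SAMPLE_LOG = """device,package,app_label,dest_host
tab-01,com.android.chrome,Chrome,dl.mgardownload.com
tab-01,com.example.mgarg,MorganArg,generativelanguage.googleapis.com
tab-02,com.example.notes_ai,Notes AI,generativelanguage.googleapis.com
tab-03,com.example.weather,Weather,api.example.net
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Because the distribution domains were already offline at discovery, the domain rule is mainly useful against historical logs; the allowlist rule is the one that keeps working if the operators rotate infrastructure or API keys.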

Key Takeaways

  • AI-Powered Malware: PromptSpy is the first known Android malware to leverage generative AI (Google’s Gemini) for dynamic UI interaction.
  • Persistence and Remote Access: The malware focuses on maintaining persistence on infected devices and granting attackers remote control via a VNC module.
  • Regional Targeting: The initial campaign appears to target users in Argentina, impersonating JPMorgan Chase services.
  • Evolving Threat Landscape: The emergence of PromptSpy signals a shift towards more sophisticated and adaptable malware, utilizing AI for real-time interaction.
  • Firmware Vulnerabilities: The concurrent discovery of the Keenadu backdoor highlights the increasing trend of attackers targeting both software and hardware layers.

The discovery of PromptSpy marks a critical juncture in mobile security. The integration of generative AI into mobile malware has moved beyond the theoretical stage and is now a tangible threat. As AI technology continues to advance, it is crucial for security researchers, technology companies, and users to remain vigilant and adapt to the evolving landscape of cyber threats. Further research is needed to understand the full extent of PromptSpy’s capabilities and develop effective countermeasures. The next step in understanding this threat will be monitoring for wider deployment and analyzing the malware’s evolution.
