ESET researchers exposed the primary identified case of Android malware abusing generative AI for context-aware person interface manipulation. Whilst gadget finding out has been used to an identical ends already – only recently, researchers at Dr.WEB discovered Android.Phantom, which makes use of TensorFlow gadget finding out fashions to research commercial screenshots and mechanically click on on detected parts for enormous scale advert fraud – that is the primary time we’ve got observed generative AI deployed on this method. For the reason that attackers depend on prompting an AI fashion (on this example, Google’s Gemini) to lead malicious UI manipulation, we’ve got named this circle of relatives PromptSpy. That is the second one AI powered malware we’ve got came upon – following PromptLock in August 2025, the primary identified case of AI-driven ransomware.
Whilst generative AI is deployed most effective in a slightly minor a part of PromptSpy’s code – that answerable for reaching endurance – it nonetheless has an important have an effect on at the malware’s adaptability. Particularly, Gemini is used to research the present display and supply PromptSpy with step by step directions on how to make sure the malicious app stays pinned within the contemporary apps record, thus combating it from being simply swiped away or killed through the device. The AI fashion and suggested are predefined within the code and can’t be modified. Since Android malware regularly depends upon UI navigation, leveraging generative AI permits the danger actors to conform to kind of any software, structure, or OS model, which will very much make bigger the pool of doable sufferers.
The primary objective of PromptSpy is to deploy a integrated VNC module, giving operators far off get admission to to the sufferer’s software. This Android malware additionally abuses the Accessibility Provider to dam uninstallation with invisible overlays, captures lockscreen knowledge, information video. It communicates with its C&C server by the use of the VNC protocol, the usage of AES encryption.
In accordance with language localization clues and the distribution vectors noticed all over research, this marketing campaign seems to be financially motivated and turns out to basically goal customers in Argentina. Curiously, analyzed PromptSpy samples counsel that it was once advanced in a Chinese language‑talking surroundings.
PromptSpy is sent through a devoted web page and hasn’t ever been to be had on Google Play. As an App Protection Alliance spouse, we nonetheless shared our findings with Google. Android customers are mechanically secure in opposition to identified variations of this malware through Google Play Give protection to, which is enabled through default on Android gadgets with Google Play Services and products.
Key issues of this blogpost:
- PromptSpy is the primary identified Android malware to make use of generative AI in its execution waft, although it’s most effective to succeed in endurance.
- Google’s Gemini is used to interpret on-screen parts at the compromised software and supply PromptSpy with dynamic directions on tips on how to execute a particular gesture to stay within the contemporary app record.
- The primary (non-generative-AI-assisted) objective of PromptSpy is to deploy a VNC module at the sufferer’s software, permitting attackers to look the display and carry out movements remotely.
- PromptSpy has no longer been noticed in our telemetry but, making it a imaginable evidence of idea; on the other hand, the invention of a most likely distribution area suggests the life of a variant concentrated on customers in Argentina.
- PromptSpy can seize lockscreen knowledge, block uninstallation, collect software information, take screenshots, document display job as video, and extra.
PromptSpy’s AI-powered capability
Despite the fact that PromptSpy makes use of Gemini in simply one in all its options, it nonetheless demonstrates how incorporating those AI equipment could make malware extra dynamic, giving danger actors tactics to automate movements that might usually be tougher with conventional scripting.
As was once in brief discussed already, Android malware most often is determined by hardcoded display options equivalent to faucets, coordinates, or UI selectors – strategies that may wreck with UI adjustments throughout gadgets, OS variations, or producer skins. PromptSpy targets to succeed in endurance through staying embedded within the record of new apps through executing the “lock app in contemporary apps” gesture (the total procedure is described within the Research segment), which varies between gadgets and producers. This makes it tricky to automate with fastened scripts historically utilized by Android malware.
PromptSpy subsequently takes an absolutely other way: it sends Gemini a herbal‑language suggested in conjunction with an XML unload of the present display, giving the AI an in depth view of each UI part: its textual content, kind, and actual place at the show.
Gemini processes this knowledge and responds with JSON directions that inform the malware what motion to accomplish (for instance, a faucet) and the place to accomplish it. The malware saves each its earlier activates and Gemini’s responses, permitting Gemini to grasp context and to coordinate multistep interactions.
Determine 1 displays a code snippet of PromptSpy’s initialization of verbal exchange with Gemini, together with the primary suggested used. By means of handing the decision-making over to Gemini, the malware can acknowledge the right kind UI part and carry out the suitable gesture, conserving the malware alive even supposing the person tries to near it.
PromptSpy continues prompting Gemini till the AI confirms that the app has been effectively locked, appearing a comments loop the place the malware waits for validation ahead of transferring on.
PromptSpy review
In February 2026, we exposed two variations of a prior to now unknown Android malware circle of relatives. The primary model, which we named VNCSpy, seemed on VirusTotal on January 13th, 2026 and was once represented through 3 samples uploaded from Hong Kong. On February 10th, 2026, 4 samples of extra complex malware in response to VNCSpy have been uploaded to VirusTotal from Argentina.
Our research of the samples from Argentina printed multistage malware with a malicious payload that misuses Google’s Gemini. In accordance with those findings, we named the primary level of this malware PromptSpy dropper, and its payload PromptSpy.
It will have to be famous that we haven’t but observed any samples of the PromptSpy dropper or its payload in our telemetry, which may point out that either one of them are simply proofs of idea. Then again, in response to the life of a imaginable distribution area described within the following paragraphs, we can’t cut price the opportunity of the PromptSpy dropper and PromptSpy current within the wild.
Consistent with VirusTotal knowledge, all 4 PromptSpy dropper samples have been dispensed throughout the web page mgardownload[.]com; it was once already offline all over our research.
After putting in and launching PromptSpy dropper, it opened a webpage hosted on m‑mgarg[.]com. Despite the fact that this area was once additionally offline, Google’s cached model printed that it most likely impersonated a Chase Financial institution (legally, JPMorgan Chase Financial institution N.A.) website online (see Determine 2).
The malware makes use of an identical branding, with the app identify MorganArg and the icon impressed through Chase financial institution (see Determine 3). MorganArg, most likely a shorthand for “Morgan Argentina”, additionally seems because the identify of the cached web page, suggesting a regional concentrated on focal point.
We used the m-mgarg[.]com area to pivot in VirusTotal, main us to but some other Android malware pattern (Android/Phishing.Agent.M). VirusTotal confirmed the spoofed web page in Spanish, with an Iniciar sesión (Login) button, indicating that the web page was once almost definitely supposed to imitate a web page of a financial institution (see Determine 4).
This trojan seems to serve as as a better half software advanced through the similar danger actor at the back of VNCSpy and PromptSpy. Within the background, the trojan contacts its server to request a configuration report, which incorporates a hyperlink to obtain some other APK, offered to the sufferer, in Spanish, as an replace. All over our analysis, the configuration server was once not available, so the precise obtain URL stays unknown. Then again, for the reason that it makes use of the similar distinctive financial institution spoofing web page, the similar app identify, icon, and, most significantly, is signed through the similar distinctive developer certificates because the PromptSpy dropper – we strongly suspect this app would possibly function the preliminary level designed to guide sufferers towards putting in PromptSpy.
Each VNCSpy and PromptSpy come with a VNC element, giving their operators complete far off get admission to to compromised gadgets as soon as sufferers allow Accessibility Services and products (see Determine 5). This permits the malware operators to look the whole thing taking place at the software, and to accomplish faucets, swipes, gestures, and textual content enter as even though they have been bodily maintaining the telephone.
On best of the malicious functions already contained in VNCSpy, PromptSpy provides AI‑assisted UI manipulation, serving to it care for endurance through conserving the malicious app pinned within the contemporary apps record (an instance of the way the lock is indicated within the record can also be observed in Determine 6).
We imagine this capability is used ahead of the VNC consultation is established, in order that the person or device is not going to kill the PromptSpy job from the record of new apps. In Determine 7, you’ll be able to see PromptSpy community verbal exchange with Gemini AI.
Origins
Whilst examining PromptSpy, we spotted that it incorporates debug strings written in simplified Chinese language. It even contains dealing with for quite a lot of Chinese language Accessibility match varieties (see Determine 8), a debug way that were disabled within the code however no longer got rid of. The main objective of this technique is to offer a localized (Chinese language) reason behind quite a lot of accessibility occasions that happen on an Android software. This makes the development logs extra comprehensible for Chinese language-speaking customers or builders, relatively than simply showing uncooked integer codes.
With medium self assurance, those main points counsel that PromptSpy was once advanced in a Chinese language‑talking surroundings.
Research
Our technical research specializes in the PromptSpy dropper and its payload, PromptSpy. PromptSpy is embedded (app-release.apk) throughout the dropper’s asset listing. This APK holds the core malicious capability. When the dropper is introduced, it presentations a suggested urging the person to put in what seems to be an up to date model of the app. This “replace” is if truth be told the PromptSpy payload, which the person will have to set up manually (see Determine 9).
As soon as put in and introduced, PromptSpy requests Accessibility Provider permissions, giving the malware the facility to learn on‑display content material and carry out automatic clicks.
Then PromptSpy displays a easy loading-style decoy display within the foreground (see Determine 10). In the meantime, within the background, it starts speaking with Gemini AI to procure directions had to lock its procedure within the Fresh Apps record – a easy endurance method that permits PromptSpy to stay energetic and locked in position even after the software is rebooted.
When the person sees the Loading, please wait job, PromptSpy makes use of Accessibility Services and products to open the Fresh Apps display and gather detailed UI knowledge: visual textual content, content material descriptions, elegance names, package deal names, and display bounds. It serializes this dynamic UI snapshot as XML and contains it in its suggested to Gemini. Gemini then returns step by step faucet directions on how to succeed in the “app lock” gesture.
This procedure bureaucracy a continual loop:
- PromptSpy sends up to date UI context to Gemini
- Gemini replies with new movements
- PromptSpy executes them and returns the ensuing display state
The loop continues till Gemini confirms that the app is effectively locked in contemporary apps. Here’s an instance construction:
- Steered: You might be an Android automation assistant. The person offers you the UI XML knowledge of the present display. You want to research the XML and output operation directions in JSON layout to succeed in the person’s purpose.nNodes within the XML comprise ‘bounds’ attributes within the layout ‘[left,top][right,bottom]’. You want to calculate the middle coordinates to generate click on directions.nn*** Core Judgment Regulations ***n1. **Do NOT wager that the duty is finished**. Simplest go back ‘COMPLETED’ while you obviously see visible proof of luck within the present UI XML (e.g., textual content like ‘Stored’, ‘Good fortune’ seems, transfer standing turns into checked=”true”, or the display has navigated to the objective state).n2. Should you carried out the final step however the present XML does no longer replicate the end result but, go back ‘IN_PROGRESS’ with motion ‘NONE’ (or wait) to test the brand new UI state within the subsequent cycle.n3. If not sure, stay ‘IN_PROGRESS’ and try to ensure.n4. If the present UI XML is empty, use ‘RECENTS’ to get admission to the hot apps record.nnYou can use SWIPE to scroll/slide to seek out goals:nWhen action_type = “SWIPE”, you will have to supply x1,y1,x2,y2,duration_ms.ne.g., Scroll UP: slide from backside to best (y2 < y1).nnPlease strictly stick to this JSON output layout, don’t output any Markdown tags or further textual content:n{n “standing”: “IN_PROGRESS” | “COMPLETED” | “IMPOSSIBLE”,n “reasoning”: “Detailed rationalization: what particular textual content or state I noticed at the display to pass judgement on the duty is finished or wishes subsequent
Consumer Objective: Lock the present MorganArgs app within the contemporary apps record. Instrument information: nnCurrent UI XML: - Gemini’s reaction (motion directions): standing”: “IN_PROGRESS”,n “reasoning”: “I’ve accessed the hot apps record. I will be able to see ‘MorganArgs’ indexed within the contemporary apps. Your next step is to long-click at the ‘MorganArgs’ app card to deliver up the choices menu, which will have to come with an solution to lock it.”,n “action_type”: “LONG_CLICK”,n “x”: 586,n “y”: 1126,n “x1”: -1,n “y1”: -1,n “x2”: -1,n “y2”: -1,n “duration_ms”: -1n)
- Malware’s follow-up with up to date display effects: The former motion has been carried out. That is the brand new UI XML, please decide if the duty is entire or give you the subsequent instruction:
All movements prompt through Gemini – faucets, swipes, navigation – are carried out thru Accessibility Services and products, permitting the malware to engage with the software with out person enter.
PromptSpy’s major malicious capacity lies in its constructed‑in VNC carrier. This permits attackers to remotely view the sufferer’s display in actual time and entirely keep watch over the software.
The malware communicates with its hardcoded command‑and‑keep watch over (C&C) server at 54.67.2[.]84 the usage of the VNC protocol; the messages are AES-encrypted the usage of a hardcoded key. Thru this verbal exchange channel, the malware can:
- obtain a Gemini API key,
- add the record of put in apps,
- intercept the lockscreen PIN or password,
- seize the development unencumber display as a recording video,
- document whether or not the display is on or off,
- document the present foreground app,
- document the display and person gestures for apps laid out in the server, and
- take screenshots on call for.
PromptSpy additionally misuses Accessibility Services and products as an anti‑elimination mechanism. When the person makes an attempt to uninstall the payload or disable Accessibility Services and products, the malware overlays clear rectangles on particular display spaces – specifically over buttons containing substrings like prevent, finish, transparent, and Uninstall. Those overlays are invisible to the person however intercept interactions, making elimination tricky. In Determine 11, we’ve run PromptSpy with the debug flag enabled (stored there through builders) that might set the colour of the clear rectangle, to visualise the place they’re in particular displayed. Then again, on the true software, they’re absolutely invisible.
As a result of PromptSpy blocks uninstallation through masking invisible parts at the display, the one means for a sufferer to take away it’s to reboot the software into Secure Mode, the place 3rd‑birthday celebration apps are disabled and can also be uninstalled usually.
To go into Secure Mode, customers will have to in most cases press and grasp the ability button, lengthy‑press Energy off, and ensure the Reboot to Secure Mode suggested (even though the precise way would possibly range through software and producer). As soon as the telephone restarts in Secure Mode, the person can move to Settings → Apps → MorganArg and uninstall it with out interference.
Conclusion
PromptSpy displays that Android malware is starting to evolve in a sinister means. By means of depending on generative AI to interpret on‑display parts and make a decision tips on how to have interaction with them, the malware can adapt to just about any software, display dimension, or UI structure it encounters. As a substitute of hardcoded faucets, it merely fingers AI a snapshot of the display and receives actual, step‑through‑step interplay directions in go back, serving to it succeed in a endurance method proof against UI adjustments.
Extra extensively, this marketing campaign displays how generative AI could make malware way more dynamic and able to actual‑time resolution‑making. PromptSpy is an early instance of generative AI‑powered Android malware, and it illustrates how temporarily attackers are starting to misuse AI equipment to reinforce have an effect on.
For any inquiries about our analysis printed on WeLiveSecurity, please touch us at threatintel@eset.com.ESET Analysis gives personal APT intelligence experiences and knowledge feeds. For any inquiries about this carrier, discuss with the ESET Danger Intelligence web page.
IoCs
A complete record of signs of compromise (IoCs) and samples can also be present in our GitHub repository.
Recordsdata
| SHA-1 | Filename | Detection | Description |
| 6BBC9AB132BA066F6367 |
web.ustexas. |
Android/Secret agent.VNCSpy.A | Android VNCSpy malware. |
| 375D7423E63C8F5F2CC8 |
nlll4.un7o6. |
Android/Secret agent.VNCSpy.A | Android VNCSpy malware. |
| 3978AC5CD14E357320E1 |
ppyzz.dpk0p. |
Android/Secret agent.VNCSpy.A | Android VNCSpy malware. |
| E60D12017D2DA579DF87 |
mgappc-1.apk | Android/Secret agent.PromptSpy.A | Android PromptSpy dropper. |
| 9B1723284E3117949879 |
mgappm-1.apk | Android/Secret agent.PromptSpy.A | Android PromptSpy dropper. |
| 076801BD9C6EB78FC033 |
mgappn-0.apk | Android/Secret agent.PromptSpy.A | Android PromptSpy dropper. |
| 8364730E9BB2CF3A4B01 |
mgappn-1.apk | Android/Secret agent.PromptSpy.A | Android PromptSpy dropper. |
| F8F4C5BC498BCCE907DC |
app-release. |
Android/Secret agent.PromptSpy.A | Android PromptSpy. |
| C14E9B062ED28115EDE0 |
mgapp.apk | Android/Phishing.Agent.M | Android phishing malware. |
Community
| IP | Area | Webhosting supplier | First observed | Main points |
| 52.222.205[.]45 | m-mgarg[.]com | Amazon.com, Inc. | 2026‑01‑12 | Phishing web page. |
| 54.67.2[.]84 | N/A | Amazon.com, Inc. | N/A | C&C server. |
| 104.21.91[.]170 | mgardownload |
Cloudflare, Inc. | 2026‑01‑13 | Distribution web page. |
MITRE ATT&CK tactics
This desk was once constructed the usage of model 18 of the MITRE ATT&CK framework.
| Tactic | ID | Title | Description |
| Endurance | T1398 | Boot or Logon Initialization Scripts | PromptSpy receives the BOOT_COMPLETED broadcast intent to turn on at software startup. |
| T1541 | Foreground Endurance | PromptSpy makes use of foreground endurance to stay a carrier operating. | |
| Protection Evasion | T1516 | Enter Injection | PromptSpy abuses the accessibility carrier to stop its elimination. |
| Credential Get entry to | T1417.002 | Malicious 3rd Birthday celebration Keyboard App: GUI Enter Seize | PromptSpy can intercept Android lockscreen PIN and password. |
| Discovery | T1426 | Device Knowledge Discovery | PromptSpy obtains software identify, fashion, and OS model. |
| Assortment | T1418 | Tool Discovery | PromptSpy can download an inventory of put in packages. |
| T1513 | Display screen Seize | PromptSpy can document the display. | |
| Command and Keep watch over | T1663 | Far flung Get entry to Tool | PromptSpy can use VNC to remotely keep watch over a compromised software. |
| T1521.001 | Same old Cryptographic Protocol: Symmetric Cryptography | PromptSpy encrypts C&C verbal exchange the usage of AES. | |
| Exfiltration | T1646 | Exfiltration Over C2 Channel | PromptSpy can exfiltrate accumulated knowledge to the C&C server. |
