ESET discovery: First Android threat using generative AI

This is the first Android malware with an apparent financial motivation that uses generative AI as part of its execution flow

The research team at ESET, a leading company in proactive threat detection, has discovered the first known Android malware that abuses generative AI in its execution flow to achieve persistence. Since the attackers rely on an AI model (specifically, Google’s Gemini) to guide the malicious manipulation of the user interface, ESET has named this family PromptSpy. The malware can capture data from the lock screen, stop uninstallation attempts, collect device information, take screenshots, record screen activity, and much more. This is the second AI-based malware discovered by ESET Research, following PromptLock in August 2025, the first known case of AI-driven ransomware.

This is information of general technological interest in the field of cybersecurity, and of course, an important finding for all Android users in particular.

Key points of the ESET research

  • PromptSpy is the first known Android malware that uses generative AI in its execution.
  • PromptSpy uses Google’s Gemini model to interpret the elements displayed on the compromised device’s screen and to provide instructions on which actions to perform so that the app remains in the recent apps list.
  • The primary goal is to deploy a Virtual Network Computing (VNC) module on the victim’s device, allowing attackers to view the screen and perform actions remotely.
  • PromptSpy can capture lock screen data, prevent uninstallation, gather device information, take screenshots, record screen activity, and perform other malicious activities.

Although generative AI is used only in the portion of the code responsible for achieving persistence, it has a significant impact on the malware’s adaptability. Specifically, Gemini is used to analyze the current screen and provide PromptSpy with instructions on how to ensure the malicious application remains in the recent apps list, preventing the system from easily removing it. The AI model and prompt are predefined in the code and cannot be modified.

“The use of generative AI allows malicious actors to adapt to virtually any device, design, or version of the Android operating system, which can greatly expand the number of potential victims,” says Lukáš Štefanko, the ESET researcher who discovered PromptSpy. “The main objective of this malware is to deploy an embedded VNC module, which gives operators remote access to the victim’s device,” Štefanko adds.

PromptSpy is distributed through a specific website and has never been available on Google Play

The researcher elaborates that, based on linguistic localization clues and the distribution vectors observed during the analysis, this campaign appears to be financially motivated and to primarily target users in Argentina.

PromptSpy is distributed through a specific website and has never been available on Google Play. However, as a partner of the App Defense Alliance, ESET shared the findings with Google. Android users are automatically protected against known versions of this malware by Google Play Protect, which is enabled by default on Android devices with Google Play Services.

Given that the app’s name is MorganArg and its icon appears to be inspired by Morgan Chase, the malware is likely trying to impersonate Morgan Chase bank. MorganArg, almost certainly an abbreviation of “Morgan Argentina,” also appears as the name of the cached website, suggesting a regional focus.

PromptSpy blocks uninstallation by overlaying invisible elements on the screen. The only way for the victim to remove it is to restart the device in safe mode, where third-party apps are disabled and can be uninstalled normally. To enter safe mode, users typically have to press and hold the power button, press and hold “Power off,” and confirm the “Reboot to safe mode” message (although the exact method may vary depending on the device and manufacturer).

Once the phone restarts in safe mode, the user can go to Settings → Applications → MorganArg and uninstall it without interference.

“Although PromptSpy only uses Gemini in one of its functions, it still demonstrates how the implementation of these tools can make malware more dynamic, providing malicious actors with ways to automate actions that would normally be more difficult with traditional scripts,” says Štefanko of ESET.

ESET invites you to learn more about cybersecurity by visiting: https://www.welivesecurity.com/es/.

For other useful preventative information, also available in Venezuela: https://www.eset.com/ve/, and on their social media channels @eset_ve. Also on Instagram (@esetla) and Facebook (ESET).

Information and image provided by ESET and Comstat Rowland
