Android Malware Exploits Google Gemini During Runtime


Experts Reveal PromptSpy Leverages AI for Enhanced Device Persistence

[Image: Android malware utilizing Google Gemini at runtime. Source: Shutterstock]

Recent investigations have unearthed a novel strain of Android malware known as PromptSpy, which harnesses Google’s Gemini generative artificial intelligence model to automate its persistence mechanisms. This development represents the second known instance of AI-enhanced mobile malware, as reported by cybersecurity researchers.

PromptSpy has been characterized by the security firm Eset as a pioneering example of generative AI being directly integrated into operational Android malware, enabling it to adapt to diverse device environments and evade removal strategies. Researchers encountered this malware in Android application packages uploaded to VirusTotal, though Eset has not yet observed any widespread instances of PromptSpy in the wild.

This discovery builds on Eset’s earlier revelation of “PromptLock,” an AI-powered ransomware strain unveiled in August 2025 that utilized a locally hosted large language model to dynamically generate encryption routines. The latest malware marks a shift in how threat actors exploit AI models to navigate traditional constraints associated with mobile malware.

PromptSpy’s core innovation lies in how it drives the Android user interface. Rather than relying on static automation scripts, which break whenever the screen layout differs from what they expect, the malware captures an XML dump of the user’s active screen, including text labels and structural identifiers, and transmits it to Gemini for processing.

Once analyzed, Gemini returns instructions on which interface elements to select or modify. Leveraging these directives, PromptSpy executes the actions locally and continuously updates its operational strategy until it secures persistent access to the device.

The malware’s first step after installation is to obtain AccessibilityService permissions, a high-risk Android capability that lets an app read screen content and inject input, and one that Trojans have long abused. This maneuver reflects a technique commonly seen in attacks seeking initial access and persistence, as catalogued in the MITRE ATT&CK framework.

Furthermore, researchers have noted that PromptSpy includes removal-prevention features: it draws imperceptible interface elements over the system’s usual removal prompts so that the user’s taps land on the overlay rather than the real dialog, thwarting standard uninstallation attempts. The malware’s functionality also extends to gathering device information, uploading lists of installed applications, and capturing screen interaction data.
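A defensive triage check for the capability mix described above (accessibility service, overlay permission, LLM endpoint), written as an added example in Python; it is not Eset’s tooling or code from the article, and the Gemini API host string is an assumption, since the article does not name the endpoint PromptSpy contacts.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
# Assumed indicator (not named in the article): the public Gemini API host.
LLM_API_HOSTS = ("generativelanguage.googleapis.com",)


def triage_apk(manifest_xml: str, strings: list[str]) -> dict:
    """Flag the capability mix PromptSpy is reported to rely on: an
    AccessibilityService (screen reading, tap injection), the overlay
    permission (hiding removal prompts) and an LLM API endpoint."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    services = app.findall("service") if app is not None else []
    # Only a service bound with this permission can act as an accessibility service.
    accessibility = any(
        s.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND for s in services)
    overlay = any(p.get(ANDROID_NS + "name") == OVERLAY_PERMISSION
                  for p in root.findall("uses-permission"))
    llm_hosts = sorted(h for h in LLM_API_HOSTS if any(h in s for s in strings))
    if accessibility and (overlay or llm_hosts):
        risk = "high"      # UI control plus a way to hide or steer it
    elif accessibility or overlay:
        risk = "medium"
    else:
        risk = "low"
    return {"accessibility_service": accessibility, "overlay_permission": overlay,
            "llm_api_hosts": llm_hosts, "risk": risk}


# Constructed sample manifest and string table, not from a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".UiHelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
SAMPLE_STRINGS = ["https://generativelanguage.googleapis.com/v1beta/models",
                  "Which element should be clicked next?"]

if __name__ == "__main__":
    print(triage_apk(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

In practice the manifest comes from a decoded APK and the string table from its resources and DEX; the check is a triage signal, not a verdict, because legitimate accessibility tools request the same permissions.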

Tracing the origins of PromptSpy, Eset identified links to a standalone website mimicking JPMorgan Chase under the alias MorganArg, which suggests that the campaign may specifically target users in Argentina. Additionally, the presence of Chinese-language strings within the code hints at possible development connections to Chinese-speaking entities, although no affiliation with known threat groups has been established.
