
Cyber Threat Alert: First Known Android Malware Exploits Generative AI Technology

In a world-first security discovery, researchers at ESET have uncovered the “PromptSpy” Android malware, which leverages Google’s Gemini AI at runtime to dynamically adapt to infected devices and ensure its survival.

The Big Picture. Security researchers at ESET have dropped a bombshell. They’ve identified the first known Android malware that exploits generative AI technology to actively maintain its grip on infected smartphones. Dubbed “PromptSpy,” this malicious software marks a significant evolution in cyber threats, moving beyond static code to real-time, AI-driven adaptability.

Insiders suggest the core innovation here is survival. Traditionally, malware struggles with the vast fragmentation of the Android ecosystem: different screen sizes, manufacturer skins (like Samsung One UI or Xiaomi MIUI), and OS versions break hardcoded attack scripts. Sources say PromptSpy solves this by outsourcing the problem. When it needs to perform a specific action, it takes a snapshot of the device screen’s XML data and sends it to Google’s Gemini AI with a pre-defined prompt asking how to proceed.

The malware aims to “pin” or “lock” itself in the device’s recent apps list. This prevents Android from killing the process during memory cleanup or when the user hits “Clear all.” However, the gesture to lock an app varies wildly by manufacturer. By using Gemini, PromptSpy receives JSON-formatted instructions—detailing exactly where to tap or swipe—and executes them via Android’s Accessibility Service until the AI confirms the app is securely locked.

According to telemetry data reviewed by ESET, the campaign appears highly targeted. The malware uses the app name “MorganArg” and iconography mimicking JPMorgan Chase Bank, specifically targeting users in Argentina. While the distribution domains (mgardownload[.]com and m-mgarg[.]com) are now offline, researchers believe the phishing sites were live long enough to harvest credentials and distribute the payload.

Linguistic clues buried in the code tell a story. The malware contains debug strings and handlers for accessibility events written in simplified Chinese. While ESET attributes this with “medium confidence,” it strongly suggests the developers operated from a Chinese-speaking environment, even if the target was South American banking customers.

Beyond the AI novelty, PromptSpy’s primary function is old-school espionage. It deploys a built-in VNC (Virtual Network Computing) module that grants attackers full remote control. Once the victim grants Accessibility permissions, which the malware aggressively requests, the operators can see and control the phone in real time. Key capabilities include:

  • Uploading a list of installed apps
  • Intercepting lock screen PINs and passwords
  • Recording the screen and user gestures as video
  • Capturing on-demand screenshots

Victims face a frustrating battle during uninstallation. When a user tries to revoke permissions or delete the app, PromptSpy overlays invisible rectangles on top of buttons like “Stop,” “Clear,” or “Uninstall.” Users tap blindly, hitting the invisible blocker instead of the actual system button, rendering standard removal attempts useless.

The only known workaround? Boot into Android Safe Mode. This disables all third-party apps, stopping the overlay from loading. From there, users can navigate to Settings and manually delete the “MorganArg” app. Experts advise users who suspect infection to try this immediately.

Notably, ESET has not observed PromptSpy in its widespread telemetry. Researcher Lukas Stefanko noted to BleepingComputer that the limited samples and specific targeting might indicate this is merely a proof-of-concept. However, the existence of dedicated distribution domains and a fake banking site suggests the attackers were—or are—ready to deploy it operationally.

As an App Defense Alliance partner, ESET shared its findings with Google. Fortunately, Google Play Protect, which is enabled by default on devices with Google Play Services, blocks known versions of this malware. Users are advised to ensure Play Protect is active and to avoid sideloading apps from unverified websites.