ESET researchers discovered PromptSpy, the first known Android malware to integrate generative AI directly into its execution flow, marking a new evolution in mobile threats that leverage artificial intelligence for context-aware user interface manipulation.
The malware prompts Google’s Gemini to analyze current screen layouts and provide step-by-step instructions for keeping itself locked in Android’s recent apps list, preventing users from easily closing or killing the malicious process.
PromptSpy represents the first deployment of generative AI for UI automation in malicious applications. The discovery follows ESET’s August 2025 identification of PromptLock, the first known AI-powered ransomware, demonstrating accelerating criminal adoption of generative AI capabilities.
The malware primarily targets users in Argentina through financial fraud campaigns. ESET shared findings with Google, and Android users with Google Play Services are automatically protected through Play Protect, which blocks known versions. However, PromptSpy never appeared on Google Play, instead distributing through dedicated phishing websites impersonating Chase Bank.
PromptSpy’s AI implementation remains narrowly focused—Gemini handles only the persistence mechanism while traditional techniques power the core functionality. Yet the integration demonstrates how generative AI enables malware to adapt across device manufacturers, operating system versions and user interface variations that would break traditional hardcoded screen automation.
Android malware typically relies on fixed coordinates or UI element identifiers that fragment across Samsung’s One UI, Xiaomi’s MIUI, OnePlus’ OxygenOS and dozens of other manufacturer customizations. The “lock app in recent apps” gesture varies significantly between devices, making automation through traditional scripts nearly impossible without maintaining separate codebases for each manufacturer.
PromptSpy sidesteps this complexity by sending Gemini natural language prompts alongside XML dumps capturing the complete UI hierarchy—every element’s text, type, class name and exact screen coordinates. Gemini processes this contextual snapshot and returns JSON-formatted instructions specifying precise actions and coordinates for the malware to execute through Android’s Accessibility Services.
The system maintains conversation history, allowing Gemini to understand multi-step interactions. PromptSpy continues prompting until the AI confirms successful app locking, creating a feedback loop in which the malware waits for validation before proceeding. This is a fundamentally different architecture from the rigid if-then logic of traditional malware.
The malware’s core payload deploys a VNC module granting attackers remote access to compromised devices. PromptSpy communicates with its command-and-control server at 54.67.2.84 using the VNC protocol with AES-encrypted messages. Through this channel, attackers can deliver Gemini API keys, upload lists of installed apps, intercept lockscreen credentials, capture pattern unlock screens as video, report screen status and the foreground application, record the screen for specified apps and capture screenshots on demand.
Distribution occurred through mgardownload[.]com, which redirected victims to m-mgarg[.]com—a phishing site impersonating Chase Bank with Spanish language login prompts. Google’s cache revealed the site used branding nearly identical to legitimate Chase interfaces. The malware itself uses the app name “MorganArg” with Chase-inspired iconography, suggesting “Morgan Argentina” as shorthand targeting the region.
Analysis revealed the dropper contains embedded simplified Chinese debug strings and disabled code handling various Chinese Accessibility event types. ESET assesses with medium confidence that PromptSpy was developed in a Chinese-speaking environment, though campaigns target Argentina specifically.
Once installed, PromptSpy requests Accessibility Services permissions—a powerful Android capability allowing apps to read screen content and perform automated interactions. The malware displays a loading screen while background processes communicate with Gemini, gathering UI analysis and executing the locking gesture.
The AI conversation follows a structured pattern. Initial prompts provide detailed instructions: “You are an Android automation assistant. The user will give you the UI XML data of the current screen. You need to analyze the XML and output operation instructions in JSON format to achieve the user’s goal.” The prompt explicitly warns against guessing task completion, requiring visual confirmation before declaring success.
Gemini responds with action instructions including tap coordinates, swipe gestures and navigation commands. PromptSpy executes these through Accessibility Services, then returns updated screen state for the next iteration. This continues until Gemini confirms the malware achieved its persistence goal.
PromptSpy also weaponizes Accessibility Services for anti-removal protection. When users attempt uninstallation or disabling Accessibility Services, the malware overlays invisible rectangles over critical buttons containing substrings like “stop,” “end,” “clear” and “Uninstall.” These transparent overlays intercept user interactions, making removal nearly impossible through normal means.
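As an added illustration (not code from the ESET report or from the malware), the following Python parses the kind of Accessibility UI hierarchy dump described above and flags the overlay pattern from the previous paragraph: a clickable, textless node from a non-system package that fully covers a Settings button whose label contains one of the named substrings. The dump contents and the package name `com.example.overlayapp` are constructed, and the uiautomator-style `bounds="[l,t][r,b]"` attribute format is assumed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed uiautomator-style hierarchy dump (not captured from PromptSpy):
# a Settings app-info screen with "Force stop" and "Uninstall" buttons, plus a
# transparent, touch-consuming node from a hypothetical third-party package
# whose bounds fully cover both buttons.
SAMPLE_DUMP = """<hierarchy>
  <node package="com.android.settings" class="android.widget.Button"
        text="Force stop" clickable="true" bounds="[40,1200][520,1320]"/>
  <node package="com.android.settings" class="android.widget.Button"
        text="Uninstall" clickable="true" bounds="[560,1200][1040,1320]"/>
  <node package="com.android.settings" class="android.widget.TextView"
        text="Storage" clickable="false" bounds="[40,1400][1040,1480]"/>
  <node package="com.example.overlayapp" class="android.view.View"
        text="" clickable="true" bounds="[0,1180][1080,1340]"/>
</hierarchy>"""

# Button label substrings the report says the malware shields from the user.
PROTECTED_WORDS = ("stop", "end", "clear", "uninstall")
BOUNDS_RE = re.compile(r"\[(\d+),(\d+)\]\[(\d+),(\d+)\]")


def parse_bounds(bounds):
    """'[l,t][r,b]' -> (l, t, r, b) as ints."""
    return tuple(int(v) for v in BOUNDS_RE.fullmatch(bounds).groups())


def covers(outer, inner):
    """True when rectangle `outer` fully contains rectangle `inner`."""
    return (outer[0] <= inner[0] and outer[1] <= inner[1]
            and outer[2] >= inner[2] and outer[3] >= inner[3])


def find_overlay_hijacks(xml_text, system_pkg="com.android.settings"):
    """Return (overlay_package, covered_button_text) pairs for every clickable,
    textless node from a non-system package that fully covers a system button
    whose label contains one of PROTECTED_WORDS (case-insensitive)."""
    nodes = [(n.get("package", ""), n.get("text", ""),
              n.get("clickable") == "true", parse_bounds(n.get("bounds")))
             for n in ET.fromstring(xml_text).iter("node")]
    targets = [n for n in nodes if n[0] == system_pkg and n[2]
               and any(w in n[1].lower() for w in PROTECTED_WORDS)]
    overlays = [n for n in nodes if n[0] != system_pkg and n[2] and not n[1].strip()]
    return [(o[0], t[1]) for t in targets for o in overlays if covers(o[3], t[3])]


if __name__ == "__main__":
    for pkg, label in find_overlay_hijacks(SAMPLE_DUMP):
        print(f"{pkg} shields the '{label}' button")
```

The substring match is deliberately as loose as the report describes ("end" also hits labels such as "Send"), so treat a hit as a triage signal to inspect the owning package, not as a verdict.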
The only reliable removal method requires booting into Safe Mode, where third-party apps are disabled. Users typically access Safe Mode by long-pressing the power button, then long-pressing “Power off” and confirming “Reboot to Safe Mode.” Once restarted, Settings → Apps → MorganArg allows clean uninstallation without malware interference.
ESET has not observed PromptSpy in telemetry data, suggesting it may remain a proof-of-concept. However, the existence of distribution domains and companion phishing applications indicates at least limited deployment targeting Argentina. The researchers discovered a related phishing trojan (Android/Phishing.Agent.M) signed with identical developer certificates, functioning as a potential initial stage leading victims toward PromptSpy installation.
Traditional malware detection focuses on known malicious behaviors or signatures. PromptSpy’s use of legitimate cloud AI services for automation creates detection challenges since the malicious logic exists partially in prompts rather than compiled code.
