{"id":63,"date":"2026-03-15T07:53:01","date_gmt":"2026-03-15T07:53:01","guid":{"rendered":"https:\/\/escudodigital.uy\/index.php\/2026\/03\/15\/promptspy-ushers-in-the-era-of-android-threats-using-genai\/"},"modified":"2026-03-15T07:53:01","modified_gmt":"2026-03-15T07:53:01","slug":"promptspy-ushers-in-the-era-of-android-threats-using-genai","status":"publish","type":"post","link":"https:\/\/escudodigital.uy\/index.php\/2026\/03\/15\/promptspy-ushers-in-the-era-of-android-threats-using-genai\/","title":{"rendered":"PromptSpy ushers in the era of Android threats using GenAI"},"content":{"rendered":"<div>\n<p>ESET researchers uncovered the first known case of Android malware abusing generative AI for context-aware user interface manipulation. While machine learning has been used to similar ends already \u2013 just recently, researchers at Dr.WEB found <a href=\"https:\/\/news.drweb.com\/show\/?i=15110\" target=\"_blank\" rel=\"noopener\">Android.Phantom<\/a>, which uses TensorFlow machine learning models to analyze advertisement screenshots and automatically click on detected elements for large scale ad fraud \u2013 this is the first time we have seen generative AI deployed in this manner. Because the attackers rely on prompting an AI model (in this instance, Google\u2019s Gemini) to guide malicious UI manipulation, we have named this family PromptSpy. This is the second AI powered malware we have discovered \u2013 following PromptLock in August 2025, the first known case of AI-driven ransomware.<\/p>\n<p>While generative AI is deployed only in a relatively minor part of PromptSpy&#8217;s code \u2013 that responsible for achieving persistence \u2013 it still has a significant impact on the malware&#8217;s adaptability. Specifically, Gemini is used to analyze the current screen and provide PromptSpy with step-by-step instructions on how to ensure the malicious app remains pinned in the recent apps list, thus preventing it from being easily swiped away or killed by the system. The AI model and prompt are predefined in the code and cannot be changed. Since Android malware often relies on UI navigation, leveraging generative AI enables the threat actors to adapt to more or less any device, layout, or OS version, which can greatly expand the pool of potential victims.<\/p>\n<p>The main purpose of PromptSpy is to deploy a built-in VNC module, giving operators remote access to the victim\u2019s device. This Android malware also abuses the Accessibility Service to block uninstallation with invisible overlays, captures lockscreen data, records video. It communicates with its C&amp;C server via the VNC protocol, using AES encryption.<\/p>\n<p>Based on language localization clues and the distribution vectors observed during analysis, this campaign appears to be financially motivated and seems to primarily target users in Argentina. Interestingly, analyzed PromptSpy samples suggest that it was developed in a Chinese\u2011speaking environment.<\/p>\n<p>PromptSpy is distributed by a dedicated website and has never been available on Google Play. As an App Defense Alliance partner, we nevertheless shared our findings with Google. Android users are automatically protected against known versions of this malware by <a href=\"https:\/\/support.google.com\/googleplay\/answer\/2812853?hl=en\" target=\"_blank\" rel=\"noopener\">Google Play Protect<\/a>, which is enabled by default on Android devices with Google Play Services.<\/p>\n<blockquote>\n<p><strong>Key points of this blogpost:<\/strong><\/p>\n<ul>\n<li>PromptSpy is the first known Android malware to use generative AI in its execution flow, even though it\u2019s only to achieve persistence.<\/li>\n<li>Google&#8217;s Gemini is used to interpret on-screen elements on the compromised device and provide PromptSpy with dynamic instructions on how to execute a specific gesture to remain in the recent app list.<\/li>\n<li>The main (non-generative-AI-assisted) purpose of PromptSpy is to deploy a VNC module on the victim&#8217;s device, allowing attackers to see the screen and perform actions remotely.<\/li>\n<li>PromptSpy has not been observed in our telemetry yet, making it a possible proof of concept; however, the discovery of a likely distribution domain suggests the existence of a variant targeting users in Argentina.<\/li>\n<li>PromptSpy can capture lockscreen data, block uninstallation, gather device info, take screenshots, record screen activity as video, and more.<\/li>\n<\/ul>\n<\/blockquote>\n<h2>PromptSpy\u2019s AI-powered functionality<\/h2>\n<p>Even though PromptSpy uses Gemini in just one of its features, it still demonstrates how incorporating these AI tools can make malware more dynamic, giving threat actors ways to automate actions that would normally be more difficult with traditional scripting.<\/p>\n<p>As was briefly mentioned already, Android malware usually depends on hardcoded screen features such as taps, coordinates, or UI selectors \u2013 methods that can break with UI changes across devices, OS versions, or manufacturer skins. PromptSpy aims to achieve persistence by staying embedded in the list of recent apps by executing the \u201clock app in recent apps\u201d gesture (the full process is described in the <em><a href=\"#Analysis\" target=\"_blank\" rel=\"noopener\">Analysis<\/a> <\/em>section), which varies between devices and manufacturers. This makes it difficult to automate with fixed scripts traditionally used by Android malware.<\/p>\n<p>PromptSpy therefore takes a completely different approach: it sends Gemini a natural\u2011language prompt along with an XML dump of the current screen, giving the AI a detailed view of every UI element: its text, type, and exact position on the display.<\/p>\n<p>Gemini processes this information and responds with JSON instructions that tell the malware what action to perform (for example, a tap) and where to perform it. The malware saves both its previous prompts and Gemini\u2019s responses, allowing Gemini to understand context and to coordinate multistep interactions.<\/p>\n<p>Figure 1 shows a code snippet of PromptSpy\u2019s initialization of communication with Gemini, including the first prompt used. By handing the decision-making over to Gemini, the malware can recognize the correct UI element and perform the appropriate gesture, keeping the malware alive even if the user tries to close it.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 1. Malware code snippet with hardcoded prompts\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/02-26\/promptspy\/figure-1.png\" alt=\"Figure 1. Malware code snippet with hardcoded prompts\" width=\"\" height=\"\"\/><figcaption><em>Figure 1. Malware code snippet with hardcoded prompts<\/em><\/figcaption><\/figure>\n<p>PromptSpy continues prompting Gemini until the AI confirms that the app has been successfully locked, showing a feedback loop where the malware waits for validation before moving on.<\/p>\n<h2>PromptSpy overview<\/h2>\n<p>In February 2026, we uncovered two versions of a previously unknown Android malware family. The first version, which we named VNCSpy, appeared on VirusTotal on January 13<sup>th<\/sup>, 2026 and was represented by three samples uploaded from Hong Kong. On February 10<sup>th<\/sup>, 2026, four samples of more advanced malware based on VNCSpy were uploaded to VirusTotal from Argentina.<\/p>\n<p>Our analysis of the samples from Argentina revealed multistage malware with a malicious payload that misuses Google\u2019s Gemini. Based on these findings, we named the first stage of this malware PromptSpy dropper, and its payload PromptSpy.<\/p>\n<p>It should be noted that we haven\u2019t yet seen any samples of the PromptSpy dropper or its payload in our telemetry, which might indicate that both of them are just proofs of concept. However, based on the existence of a possible distribution domain described in the following paragraphs, we cannot discount the possibility of the PromptSpy dropper and PromptSpy existing in the wild.<\/p>\n<p>According to VirusTotal data, all four PromptSpy dropper samples were distributed through the website <span style=\"font-family: courier new, courier, monospace;\">mgardownload[.]com<\/span>; it was already offline during our analysis.<\/p>\n<p>After installing and launching PromptSpy dropper, it opened a webpage hosted on <span style=\"font-family: courier new, courier, monospace;\">m\u2011mgarg[.]com<\/span>. Although this domain was also offline, Google\u2019s cached version revealed that it likely impersonated a Chase Bank (legally, JPMorgan Chase Bank N.A.) site (see Figure 2).<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 2. Google\u2019s cached data for the fake website\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/02-26\/promptspy\/figure-2.png\" alt=\"Figure 2. Google\u2019s cached data for the fake website\" width=\"\" height=\"\"\/><figcaption><em>Figure 2. Google\u2019s cached data for the fake website<\/em><\/figcaption><\/figure>\n<p>The malware uses similar branding, with the app name <span style=\"font-family: courier new, courier, monospace;\">MorganArg<\/span> and the icon inspired by Chase bank (see Figure 3). <span style=\"font-family: courier new, courier, monospace;\">MorganArg<\/span>, likely a shorthand for \u201cMorgan Argentina\u201d, also appears as the name of the cached website, suggesting a regional targeting focus.<\/p>\n<figure class=\"image\"><img decoding=\"async\" style=\"width: 60%; margin: 0 auto; display: block;\" title=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/02-26\/promptspy\/figure-3.png\" alt=\"Figure 3. Dropper requests permission to install unknown apps to proceed with PromptSpy installation\" width=\"\" height=\"\"\/><figcaption><em>Figure 3. Dropper requests permission to install unknown apps to proceed with PromptSpy installation<\/em><\/figcaption><\/figure>\n<p>We used the <span style=\"font-family: courier new, courier, monospace;\">m-mgarg[.]com<\/span> domain to pivot in VirusTotal, leading us to yet another Android malware sample (Android\/Phishing.Agent.M). VirusTotal showed the spoofed website in Spanish, with an <span style=\"font-family: courier new, courier, monospace;\">Iniciar sesi\u00f3n<\/span> (Login) button, indicating that the page was probably intended to mimic a website of a bank (see Figure 4).<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 4. User interface of Android\/Phishing.Agent.M displaying the same fake website as PromptSpy dropper \" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/02-26\/promptspy\/figure-4.jpg\" alt=\"Figure 4. User interface of Android Phishing Agent M\" width=\"\" height=\"\"\/><figcaption><em>Figure 4. User interface of Android\/Phishing.Agent.M displaying the same fake website as PromptSpy dropper (source: <a href=\"https:\/\/www.virustotal.com\/gui\/file\/4ee3b09dd9a787ebbb02a637f8af192a7e91d4b7af1515d8e5c21e1233f0f1c7\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.virustotal.com\/gui\/file\/4ee3b09dd9a787ebbb02a637f8af192a7e91d4b7af1515d8e5c21e1233f0f1c7\/<\/a>)<\/em><\/figcaption><\/figure>\n<p>This trojan appears to function as a companion application developed by the same threat actor behind VNCSpy and PromptSpy. In the background, the trojan contacts its server to request a configuration file, which includes a link to download another APK, presented to the victim, in Spanish, as an update. During our research, the configuration server was no longer accessible, so the exact download URL remains unknown. However, given that it uses the same unique bank spoofing website, the same app name, icon, and, most importantly, is signed by the same unique developer certificate as the PromptSpy dropper \u2013 we strongly suspect this app may serve as the initial stage designed to lead victims toward installing PromptSpy.<\/p>\n<p>Both VNCSpy and PromptSpy include a VNC component, giving their operators full remote access to compromised devices once victims enable Accessibility Services (see Figure 5). This allows the malware operators to see everything happening on the device, and to perform taps, swipes, gestures, and text input as though they were physically holding the phone.<\/p>\n<figure class=\"image\"><img decoding=\"async\" style=\"width: 60%; margin: 0 auto; display: block;\" title=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/02-26\/promptspy\/figure-5.png\" alt=\"Figure 5. PromptSpy requests the victim to allow Accessibility services\" width=\"\" height=\"\"\/><figcaption><em>Figure 5. PromptSpy requests the victim to allow Accessibility services<\/em><\/figcaption><\/figure>\n<p>On top of the malicious capabilities already contained in VNCSpy, PromptSpy adds AI\u2011assisted UI manipulation, helping it maintain persistence by keeping the malicious app pinned in the recent apps list (an example of how the lock is indicated in the list can be seen in Figure 6).<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 6. Not locked (left) and locked (right) MorganArg app in the list of recent apps, with the padlock icon representing the lock\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/02-26\/promptspy\/figure-6.png\" alt=\"Figure 6. Not locked (left) and locked (right) MorganArg app in the list of recent apps\" width=\"\" height=\"\"\/><figcaption><em>Figure 6. Not locked (left) and locked (right) MorganArg app in the list of recent apps, with the padlock icon representing the lock<\/em><\/figcaption><\/figure>\n<p>We believe this functionality is used before the VNC session is established, so that the user or system will not kill the PromptSpy activity from the list of recent apps. In Figure 7, you can see PromptSpy network communication with Gemini AI.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 7. Network communication of malware and Gemini with prompt request and response shown in red rectangles\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/02-26\/promptspy\/figure-7.jpg\" alt=\"Figure 7. Network communication of malware and Gemini (1)\" width=\"\" height=\"\"\/><figcaption><em>Figure 7. Network communication of malware and Gemini with prompt request and response shown in red rectangles<\/em><\/figcaption><\/figure>\n<h3>Origins<\/h3>\n<p>While analyzing PromptSpy, we noticed that it contains debug strings written in simplified Chinese. It even includes handling for various Chinese Accessibility event types (see Figure 8), a debug method that had been disabled in the code but not removed. The primary purpose of this method is to provide a localized (Chinese) explanation for various accessibility events that occur on an Android device. This makes the event logs more understandable for Chinese-speaking users or developers, rather than just displaying raw integer codes.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 8. Parsing and logging various event types\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/02-26\/promptspy\/figure-8.png\" alt=\"Figure 8. Parsing and logging various event types\" width=\"\" height=\"\"\/><figcaption><em>Figure 8. Parsing and logging various event types<\/em><\/figcaption><\/figure>\n<p>With medium confidence, these details suggest that PromptSpy was developed in a Chinese\u2011speaking environment.<\/p>\n<h2>Analysis<a id=\"Analysis\"\/><\/h2>\n<p>Our technical analysis focuses on the PromptSpy dropper and its payload, PromptSpy. PromptSpy is embedded (<span style=\"font-family: courier new, courier, monospace;\">app-release.apk<\/span>) inside the dropper\u2019s asset directory. This APK holds the core malicious functionality. When the dropper is launched, it displays a prompt urging the user to install what appears to be an updated version of the app. This \u201cupdate\u201d is actually the PromptSpy payload, which the user must install manually (see Figure 9).<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 9. Malware\u2019s initial screen that requests to install PromptSpy payload\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/02-26\/promptspy\/figure-9.png\" alt=\"Figure 9. Malware\u2019s initial screen that requests to install PromptSpy payload\" width=\"\" height=\"\"\/><figcaption><em>Figure 9. Malware\u2019s initial screen that requests to install PromptSpy payload<\/em><\/figcaption><\/figure>\n<p>Once installed and launched, PromptSpy requests <a href=\"https:\/\/developer.android.com\/guide\/topics\/ui\/accessibility\/service\"><em>Accessibility Service<\/em><\/a> permissions, giving the malware the ability to read on\u2011screen content and perform automated clicks.<\/p>\n<p>Then PromptSpy shows a simple loading-style decoy screen in the foreground (see Figure 10). Meanwhile, in the background, it begins communicating with Gemini AI to obtain instructions needed to lock its process in the Recent Apps list \u2013 a simple persistence technique that allows PromptSpy to remain active and locked in place even after the device is rebooted.<\/p>\n<figure class=\"image\"><img decoding=\"async\" style=\"width: 40%; margin: 0 auto; display: block;\" title=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/02-26\/promptspy\/figure-10.png\" alt=\"Figure 10. Overlay decoy activity\" width=\"\" height=\"\"\/><figcaption><em>Figure 10. Overlay decoy activity<\/em><\/figcaption><\/figure>\n<p>When the user sees the <span style=\"font-family: courier new, courier, monospace;\">Loading, please wait<\/span> activity, PromptSpy uses Accessibility Services to open the Recent Apps screen and collect detailed UI information: visible text, content descriptions, class names, package names, and screen bounds. It serializes this dynamic UI snapshot as XML and includes it in its prompt to Gemini. Gemini then returns step-by-step tap instructions on how to achieve the \u201capp lock\u201d gesture.<\/p>\n<p>This process forms a continuous loop:<\/p>\n<ul>\n<li>PromptSpy sends updated UI context to Gemini<\/li>\n<li>Gemini replies with new actions<\/li>\n<li>PromptSpy executes them and returns the resulting screen state<\/li>\n<\/ul>\n<p>The loop continues until Gemini confirms that the app is successfully locked in recent apps. Here is an example structure:<\/p>\n<ul>\n<li>Prompt: <span style=\"font-family: courier new, courier, monospace;\">You are an Android automation assistant. The user will give you the UI XML data of the current screen. You need to analyze the XML and output operation instructions in JSON format to achieve the user&#8217;s goal.\\nNodes in the XML contain &#8216;bounds&#8217; attributes in the format &#8216;[left,top][right,bottom]&#8217;. You need to calculate the center coordinates to generate click instructions.\\n\\n*** Core Judgment Rules ***\\n1. **Do NOT guess that the task is completed**. Only return &#8216;COMPLETED&#8217; when you clearly see visual evidence of success in the current UI XML (e.g., text like &#8216;Saved&#8217;, &#8216;Success&#8217; appears, switch status becomes checked=\\\u00bbtrue\\\u00bb, or the screen has navigated to the target state).\\n2. If you performed the last step but the current XML does not reflect the result yet, return &#8216;IN_PROGRESS&#8217; with action &#8216;NONE&#8217; (or wait) to check the new UI state in the next cycle.\\n3. If unsure, remain &#8216;IN_PROGRESS&#8217; and attempt to verify.\\n4. If the current UI XML is empty, use &#8216;RECENTS&#8217; to access the recent apps list.\\n\\nYou can use SWIPE to scroll\\\/slide to find targets:\\nWhen action_type = \\\u00bbSWIPE\\\u00bb, you must provide x1,y1,x2,y2,duration_ms.\\ne.g., Scroll UP: slide from bottom to top (y2 &lt; y1).\\n\\nPlease strictly follow this JSON output format, do not output any Markdown tags or extra text:\\n{\\n\u00a0 \\\u00bbstatus\\\u00bb: \\\u00bbIN_PROGRESS\\\u00bb | \\\u00bbCOMPLETED\\\u00bb | \\\u00bbIMPOSSIBLE\\\u00bb,\\n\u00a0 \\\u00bbreasoning\\\u00bb: \\\u00bbDetailed explanation: what specific text or state I saw on the screen to judge the task is completed or needs next <redacted>User Goal: Lock the current MorganArgs app in the recent apps list. Device info: <device model=\"\"> \\n\\nCurrent UI XML: <ui\/><\/device><\/redacted><\/span><\/li>\n<li>Gemini\u2019s response (action instructions): <span style=\"font-family: courier new, courier, monospace;\">status\\\u00bb: \\\u00bbIN_PROGRESS\\\u00bb,\\n\u00a0 \\\u00bbreasoning\\\u00bb: \\\u00bbI have accessed the recent apps list. I can see &#8216;MorganArgs&#8217; listed in the recent apps. The next step is to long-click on the &#8216;MorganArgs&#8217; app card to bring up the options menu, which should include an option to lock it.\\\u00bb,\\n\u00a0 \\\u00bbaction_type\\\u00bb: \\\u00bbLONG_CLICK\\\u00bb,\\n\u00a0 \\\u00bbx\\\u00bb: 586,\\n\u00a0 \\\u00bby\\\u00bb: 1126,\\n\u00a0 \\\u00bbx1\\\u00bb: -1,\\n\u00a0 \\\u00bby1\\\u00bb: -1,\\n\u00a0 \\\u00bbx2\\\u00bb: -1,\\n\u00a0 \\\u00bby2\\\u00bb: -1,\\n\u00a0 \\\u00bbduration_ms\\\u00bb: -1\\n)<\/span><\/li>\n<li>Malware\u2019s follow-up with updated screen results: <span style=\"font-family: courier new, courier, monospace;\">The previous action has been executed. This is the new UI XML, please determine if the task is complete or provide the next instruction: <currently visible=\"\" activity=\"\"\/><\/span><\/li>\n<\/ul>\n<p>All actions suggested by Gemini \u2013 taps, swipes, navigation \u2013 are executed through Accessibility Services, allowing the malware to interact with the device without user input.<\/p>\n<p>PromptSpy\u2019s main malicious capability lies in its built\u2011in VNC service. This allows attackers to remotely view the victim\u2019s screen in real time and fully control the device.<\/p>\n<p>The malware communicates with its hardcoded command\u2011and\u2011control (C&amp;C) server at <span style=\"font-family: courier new, courier, monospace;\">54.67.2[.]84<\/span> using the VNC protocol; the messages are AES-encrypted using a hardcoded key. Through this communication channel, the malware can:<\/p>\n<ul>\n<li>receive a Gemini API key,<\/li>\n<li>upload the list of installed apps,<\/li>\n<li>intercept the lockscreen PIN or password,<\/li>\n<li>capture the pattern unlock screen as a recording video,<\/li>\n<li>report whether the screen is on or off,<\/li>\n<li>report the current foreground app,<\/li>\n<li>record the screen and user gestures for apps specified by the server, and<\/li>\n<li>take screenshots on demand.<\/li>\n<\/ul>\n<p>PromptSpy also misuses Accessibility Services as an anti\u2011removal mechanism. When the user attempts to uninstall the payload or disable Accessibility Services, the malware overlays transparent rectangles on specific screen areas &#8211; particularly over buttons containing substrings like <span style=\"font-family: courier new, courier, monospace;\">stop<\/span>, <span style=\"font-family: courier new, courier, monospace;\">end<\/span>, <span style=\"font-family: courier new, courier, monospace;\">clear<\/span>, and <span style=\"font-family: courier new, courier, monospace;\">Uninstall<\/span>. These overlays are invisible to the user but intercept interactions, making removal difficult. In Figure 11, we\u2019ve run PromptSpy with the debug flag enabled (kept there by developers) that would set the color of the transparent rectangle, to visualize where they are specifically displayed. However, on the actual device, they are fully invisible.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 11. Invisible rectangles (displayed in color for clarity) covering specific buttons\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/02-26\/promptspy\/figure-11.jpg\" alt=\"Figure 11. Invisible rectangles (displayed in color for clarity) covering specific buttons (1)\" width=\"\" height=\"\"\/><figcaption><em>Figure 11. Invisible rectangles (displayed in color for clarity) covering specific buttons<\/em><\/figcaption><\/figure>\n<p>Because PromptSpy blocks uninstallation by overlaying invisible elements on the screen, the only way for a victim to remove it is to reboot the device into Safe Mode, where third\u2011party apps are disabled and can be uninstalled normally.<\/p>\n<p>To enter Safe Mode, users should typically press and hold the power button, long\u2011press Power off, and confirm the Reboot to Safe Mode prompt (though the exact method may differ by device and manufacturer). Once the phone restarts in Safe Mode, the user can go to Settings \u2192 Apps \u2192 MorganArg and uninstall it without interference.<\/p>\n<h2>Conclusion<\/h2>\n<p>PromptSpy shows that Android malware is beginning to evolve in a sinister way. By relying on generative AI to interpret on\u2011screen elements and decide how to interact with them, the malware can adapt to virtually any device, screen size, or UI layout it encounters. Instead of hardcoded taps, it simply hands AI a snapshot of the screen and receives precise, step\u2011by\u2011step interaction instructions in return, helping it achieve a persistence technique resistant to UI changes.<\/p>\n<p>More broadly, this campaign shows how generative AI can make malware far more dynamic and capable of real\u2011time decision\u2011making. PromptSpy is an early example of generative AI\u2011powered Android malware, and it illustrates how quickly attackers are beginning to misuse AI tools to improve impact.<\/p>\n<blockquote>\n<div><em>For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\u00a0<\/em><\/div>\n<div><em>ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the <a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=promptspy-ushers-in-era-android-threats-using-genai&amp;sfdccampaignid=7011n0000017htTAAQ\" target=\"_blank\" rel=\"noopener\">ESET Threat Intelligence<\/a> page.<\/em><\/div>\n<\/blockquote>\n<h2>IoCs<\/h2>\n<p>A comprehensive list of indicators of compromise (IoCs) and samples can be found in <a href=\"https:\/\/github.com\/eset\/malware-ioc\/tree\/master\/promptspy\" target=\"_blank\" rel=\"noopener\">our GitHub repository<\/a>.<\/p>\n<h3>Files<\/h3>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"179\"><strong>SHA-1<\/strong><\/td>\n<td width=\"113\"><strong>Filename<\/strong><\/td>\n<td width=\"161\"><strong>Detection<\/strong><\/td>\n<td width=\"189\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">6BBC9AB132BA066F6367<wbr\/>6E05DA13D108598BC29B<\/span><\/td>\n<td width=\"113\"><span style=\"font-family: courier new, courier, monospace;\">net.ustexas.<wbr\/>myavlive.apk<\/span><\/td>\n<td width=\"161\">Android\/Spy.VNCSpy.A<\/td>\n<td width=\"189\">Android VNCSpy malware.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">375D7423E63C8F5F2CC8<wbr\/>14E8CFE697BA25168AFA<\/span><\/td>\n<td width=\"113\"><span style=\"font-family: courier new, courier, monospace;\">nlll4.un7o6.<wbr\/>q38l5.apk<\/span><\/td>\n<td width=\"161\">Android\/Spy.VNCSpy.A<\/td>\n<td width=\"189\">Android VNCSpy malware.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">3978AC5CD14E357320E1<wbr\/>27D6C87F10CB70A1DCC2<\/span><\/td>\n<td width=\"113\"><span style=\"font-family: courier new, courier, monospace;\">ppyzz.dpk0p.<wbr\/>ln441.apk<\/span><\/td>\n<td width=\"161\">Android\/Spy.VNCSpy.A<\/td>\n<td width=\"189\">Android VNCSpy malware.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">E60D12017D2DA579DF87<wbr\/>368F5596A0244621AE86<\/span><\/td>\n<td width=\"113\"><span style=\"font-family: courier new, courier, monospace;\">mgappc-1.apk<\/span><\/td>\n<td width=\"161\">Android\/Spy.PromptSpy.A<\/td>\n<td width=\"189\">Android PromptSpy dropper.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">9B1723284E3117949879<wbr\/>97CB7E8814EB6014713F<\/span><\/td>\n<td width=\"113\"><span style=\"font-family: courier new, courier, monospace;\">mgappm-1.apk<\/span><\/td>\n<td width=\"161\">Android\/Spy.PromptSpy.A<\/td>\n<td width=\"189\">Android PromptSpy dropper.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">076801BD9C6EB78FC033<wbr\/>1A4C7A22C73199CC3824<\/span><\/td>\n<td width=\"113\"><span style=\"font-family: courier new, courier, monospace;\">mgappn-0.apk<\/span><\/td>\n<td width=\"161\">Android\/Spy.PromptSpy.A<\/td>\n<td width=\"189\">Android PromptSpy dropper.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">8364730E9BB2CF3A4B01<wbr\/>6DE1B34F38341C0EE2FA<\/span><\/td>\n<td width=\"113\"><span style=\"font-family: courier new, courier, monospace;\">mgappn-1.apk<\/span><\/td>\n<td width=\"161\">Android\/Spy.PromptSpy.A<\/td>\n<td width=\"189\">Android PromptSpy dropper.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">F8F4C5BC498BCCE907DC<wbr\/>975DD88BE8D594629909<\/span><\/td>\n<td width=\"113\"><span style=\"font-family: courier new, courier, monospace;\">app-release.<wbr\/>apk<\/span><\/td>\n<td width=\"161\">Android\/Spy.PromptSpy.A<\/td>\n<td width=\"189\">Android PromptSpy.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">C14E9B062ED28115EDE0<wbr\/>96788F62B47A6ED841AC<\/span><\/td>\n<td width=\"113\"><span style=\"font-family: courier new, courier, monospace;\">mgapp.apk<\/span><\/td>\n<td width=\"161\">Android\/Phishing.Agent.M<\/td>\n<td width=\"189\">Android phishing malware.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Network<\/h2>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"139\"><strong>IP<\/strong><\/td>\n<td width=\"164\"><strong>Domain<\/strong><\/td>\n<td width=\"118\"><strong>Hosting provider<\/strong><\/td>\n<td width=\"79\"><strong>First seen<\/strong><\/td>\n<td width=\"142\"><strong>Details<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"139\"><span style=\"font-family: courier new, courier, monospace;\">52.222.205[.]45<\/span><\/td>\n<td width=\"164\"><span style=\"font-family: courier new, courier, monospace;\">m-mgarg[.]com<\/span><\/td>\n<td width=\"118\">Amazon.com, Inc.<\/td>\n<td width=\"79\">2026\u201101\u201112<\/td>\n<td width=\"142\">Phishing website.<\/td>\n<\/tr>\n<tr>\n<td width=\"139\"><span style=\"font-family: courier new, courier, monospace;\">54.67.2[.]84<\/span><\/td>\n<td width=\"164\">N\/A<\/td>\n<td width=\"118\">Amazon.com, Inc.<\/td>\n<td width=\"79\">N\/A<\/td>\n<td width=\"142\">C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"139\"><span style=\"font-family: courier new, courier, monospace;\">104.21.91[.]170<\/span><\/td>\n<td width=\"164\"><span style=\"font-family: courier new, courier, monospace;\">mgardownload<wbr\/>[.]com<\/span><\/td>\n<td width=\"118\">Cloudflare, Inc.<\/td>\n<td width=\"79\">2026\u201101\u201113<\/td>\n<td width=\"142\">Distribution website.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>MITRE ATT&amp;CK techniques<\/h2>\n<p>This table was built using <a href=\"https:\/\/attack.mitre.org\/resources\/versions\/\">version 18<\/a> of the MITRE ATT&amp;CK framework.<strong><br \/><\/strong><\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"113\"><strong>Tactic<\/strong><\/td>\n<td width=\"113\"><strong>ID<\/strong><\/td>\n<td width=\"151\"><strong>Name<\/strong><\/td>\n<td width=\"265\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td rowspan=\"2\" width=\"113\"><strong>Persistence<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1398\">T1398<\/a><\/td>\n<td width=\"151\">Boot or Logon Initialization Scripts<\/td>\n<td width=\"265\">PromptSpy receives the <span style=\"font-family: courier new, courier, monospace;\">BOOT_COMPLETED<\/span> broadcast intent to activate at device startup.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1541\">T1541<\/a><\/td>\n<td width=\"151\">Foreground Persistence<\/td>\n<td width=\"265\">PromptSpy uses foreground persistence to keep a service running.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Defense Evasion<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1516\">T1516<\/a><\/td>\n<td width=\"151\">Input Injection<\/td>\n<td width=\"265\">PromptSpy abuses the accessibility service to prevent its removal.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Credential Access<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1417\/002\">T1417.002<\/a><\/td>\n<td width=\"151\">Malicious Third Party Keyboard App: GUI Input Capture<\/td>\n<td width=\"265\">PromptSpy can intercept Android lockscreen PIN and password.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Discovery<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1426\">T1426<\/a><\/td>\n<td width=\"151\">System Information Discovery<\/td>\n<td width=\"265\">PromptSpy obtains device name, model, and OS version.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\" width=\"113\"><strong>Collection<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1418\">T1418<\/a><\/td>\n<td width=\"151\">Software Discovery<\/td>\n<td width=\"265\">PromptSpy can obtain a list of installed applications.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1513\">T1513<\/a><\/td>\n<td width=\"151\">Screen Capture<\/td>\n<td width=\"265\">PromptSpy can record the screen.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\" width=\"113\"><strong>Command and Control<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1663\">T1663<\/a><\/td>\n<td width=\"151\">Remote Access Software<\/td>\n<td width=\"265\">PromptSpy can use VNC to remotely control a compromised device.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1521\/001\">T1521.001<\/a><\/td>\n<td width=\"151\">Standard Cryptographic Protocol: Symmetric Cryptography<\/td>\n<td width=\"265\">PromptSpy encrypts C&amp;C communication using AES.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Exfiltration<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1646\">T1646<\/a><\/td>\n<td width=\"151\">Exfiltration Over C2 Channel<\/td>\n<td width=\"265\">PromptSpy can exfiltrate collected data to the C&amp;C server.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=promptspy-ushers-in-era-android-threats-using-genai&amp;sfdccampaignid=7011n0000017htTAAQ\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/eti-eset-threat-intelligence.png\" alt=\"\" width=\"915\" height=\"296\"\/><\/a><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>ESET researchers uncovered the first known case of Android malware abusing generative AI for context-aware user interface manipulation.<\/p>\n","protected":false},"author":1,"featured_media":64,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-63","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts\/63","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/comments?post=63"}],"version-history":[{"count":0,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts\/63\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/media\/64"}],"wp:attachment":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/media?parent=63"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/categories?post=63"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/tags?post=63"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}