Researchers say PromptSpy automates persistence on infected devices
A newly discovered Android malware strain uses Google’s Gemini generative artificial intelligence model to automate some of its persistence mechanisms, leading researchers to call it the second known case of AI-driven mobile malware.
Security firm Eset named the malware “PromptSpy” and described it as an early example of GenAI being integrated directly into operational Android malware, used to adapt to the device environment and resist removal.
Researchers identified the malware within Android app packages uploaded to VirusTotal. Eset said it has not detected PromptSpy in its product telemetry and has not seen widespread real-world deployment. The technical design nonetheless shows how threat actors are experimenting with AI models to overcome traditional limitations in mobile malware automation.
The discovery follows Eset’s August 2025 disclosure of “PromptLock,” a GenAI-driven ransomware strain that uses a locally hosted large language model to generate its encryption routines and other malicious code at runtime, rather than relying on fully precompiled binaries.
PromptSpy’s key innovation is how it interacts with the Android user interface. Instead of relying on hard-coded screen coordinates or static automation scripts, which break as soon as a layout, language or device model differs from the one the author tested on, the malware captures an XML dump of the active screen, including text labels, class types and on-screen coordinates, and sends this structured data to Gemini.
The model returns JSON-formatted instructions identifying which interface element to tap or otherwise interact with. PromptSpy performs the action locally, captures the updated screen state, and repeats the process until persistence is achieved.
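The capture, prompt, act cycle described above, as an added simulation written for this article rather than code from PromptSpy or Eset. The screen dumps are constructed in uiautomator-style XML (an assumption; the article does not specify the dump format), the Gemini call is replaced by a scripted stand-in model, and the validation step that reconciles the model's JSON against the real element list before acting is this example's own design. It shows the shape of the data such malware ships off-device, and why targeting elements by structure rather than pixel coordinates survives layout changes.

```python
"""Simulated screen-dump -> model -> JSON instruction loop (constructed example,
not PromptSpy code). A scripted function stands in for the Gemini API."""
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass
class UiNode:
    index: int
    cls: str
    text: str
    resource_id: str
    clickable: bool
    bounds: tuple  # (x1, y1, x2, y2) in screen pixels

    def center(self):
        x1, y1, x2, y2 = self.bounds
        return ((x1 + x2) // 2, (y1 + y2) // 2)


def parse_bounds(s):
    """'[x1,y1][x2,y2]' -> (x1, y1, x2, y2)."""
    return tuple(int(n) for n in s.replace("][", ",").strip("[]").split(","))


def flatten_dump(xml_text):
    """Flatten a uiautomator-style dump into a numbered node list: the
    'structured data' a model can reason over without fixed coordinates."""
    nodes = []
    for i, el in enumerate(ET.fromstring(xml_text).iter("node")):
        nodes.append(UiNode(
            index=i,
            cls=el.get("class", ""),
            text=el.get("text", "") or el.get("content-desc", ""),
            resource_id=el.get("resource-id", ""),
            clickable=el.get("clickable") == "true",
            bounds=parse_bounds(el.get("bounds", "[0,0][0,0]")),
        ))
    return nodes


def build_prompt(goal, nodes):
    """The text actually sent to the model: goal plus one line per element."""
    lines = [f"Goal: {goal}", "Screen elements:"]
    for n in nodes:
        lines.append(f'{n.index}: {n.cls} text="{n.text}" id="{n.resource_id}" clickable={n.clickable}')
    lines.append('Reply with JSON: {"action": "tap"|"done", "index": <element index>}')
    return "\n".join(lines)


def resolve_instruction(reply, nodes):
    """Validate the model's JSON against the real tree before acting: a
    malformed reply, an unknown index or a non-clickable target is rejected."""
    try:
        instr = json.loads(reply)
    except json.JSONDecodeError:
        return None
    if instr.get("action") == "done":
        return ("done", None)
    if instr.get("action") != "tap" or not isinstance(instr.get("index"), int):
        return None
    target = next((n for n in nodes if n.index == instr["index"]), None)
    if target is None or not target.clickable:
        return None
    return ("tap", target.center())


def run_loop(goal, screens, model, max_steps=5):
    """Drive the cycle. `screens` stands in for re-dumping the UI after each tap."""
    actions = []
    for xml_text in screens[:max_steps]:
        nodes = flatten_dump(xml_text)
        resolved = resolve_instruction(model(build_prompt(goal, nodes)), nodes)
        if resolved is None:
            actions.append(("rejected", None))
            break
        actions.append(resolved)
        if resolved[0] == "done":
            break
    return actions


def scripted_model(replies):
    """Stand-in for the remote model: returns canned JSON replies in order."""
    it = iter(replies)
    return lambda prompt: next(it)


# Constructed dumps: a settings list, then a service toggle before and after tapping.
SCREEN_LIST = """<hierarchy rotation="0">
<node class="android.widget.FrameLayout" bounds="[0,0][1080,2340]" clickable="false">
  <node class="android.widget.TextView" text="Accessibility" bounds="[56,200][600,260]" clickable="false"/>
  <node class="android.widget.TextView" text="Installed apps" resource-id="android:id/title" bounds="[56,400][1000,480]" clickable="true"/>
</node></hierarchy>"""
SCREEN_TOGGLE_OFF = """<hierarchy rotation="0">
<node class="android.widget.FrameLayout" bounds="[0,0][1080,2340]" clickable="false">
  <node class="android.widget.TextView" text="Use service" bounds="[56,700][800,760]" clickable="false"/>
  <node class="android.widget.Switch" resource-id="android:id/switch_widget" checked="false" bounds="[900,700][1040,760]" clickable="true"/>
</node></hierarchy>"""
SCREEN_TOGGLE_ON = SCREEN_TOGGLE_OFF.replace('checked="false"', 'checked="true"')


def demo():
    """Happy path: two taps resolved from structure, then the model reports done."""
    model = scripted_model(['{"action":"tap","index":2}', '{"action":"tap","index":2}', '{"action":"done"}'])
    return run_loop("enable the service", [SCREEN_LIST, SCREEN_TOGGLE_OFF, SCREEN_TOGGLE_ON], model)


if __name__ == "__main__":
    print(demo())
```

The two taps land on the centres of elements chosen by index, so the same scripted replies would still work if the list were shifted down by a banner or rendered on a different screen size. Running `resolve_instruction` on a reply that names a non-clickable label (index 1 on the first screen) or an index that does not exist returns None, which is the check a defender would expect any such loop to need and a point where a hallucinated target otherwise turns into a blind tap.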
After installation, the malware attempts to obtain AccessibilityService permission, a high-risk Android capability that almost every Android Trojan ever written tries to trick the user into granting (see also: Massiv Attack: Android Trojan Targets IPTV Users). On a device under investigation, the command "adb shell settings get secure enabled_accessibility_services" lists which apps currently hold it.
Researchers say the malware also includes anti-removal functionality: it overlays invisible interface elements over buttons whose labels contain substrings such as “Stop,” “Exit,” “Clear,” and “Uninstall,” intercepting the user’s taps and blocking standard removal attempts. The only reliable removal method is to restart the device in safe mode, where third-party apps are not loaded and cannot interfere. Other observed capabilities include collecting device information, uploading the list of installed applications, capturing the lock-screen PIN, recording unlock patterns as video, reporting which app is in the foreground, and taking screenshots.
Eset traced the PromptSpy sample to a standalone website impersonating JPMorgan Chase under the name MorganArg, suggesting the campaign targets users in Argentina. Researchers also observed Chinese-language strings in the codebase, indicating that development may be tied to a Chinese-speaking environment. The activity has not been attributed to any known threat group.