ESET discovers first Android malware to use generative AI
Cybercriminals have crossed a technological threshold: for the first time, Android malware is using generative AI on the fly to embed itself in infected devices and take control of them. Researchers at European IT security company ESET have discovered new Android malware that uses Google Gemini to protect itself from being shut down and remain active on the device permanently.
The malware, called PromptSpy, disguises itself as the banking app ‘MorganArg’ (a fake version of the Chase/JPMorgan app) and is distributed via fake websites. So far, the campaign has primarily targeted users in Argentina, but the technology can be used globally. Once installed, it takes almost complete control of the device. Attackers can monitor the screen live, read inputs, intercept the lock code and perform actions as if they were holding the smartphone themselves.
AI analyses the screen like a human
What is particularly new is the way the malware embeds itself in the system. Instead of relying on a fixed script of commands, it sends the current screen content to Google’s Gemini AI model. Gemini analyses the interface and returns step-by-step instructions on which buttons to press so that the app cannot be closed.
‘The malware lets the AI tell it what to do next,’ says Lukáš Štefanko from ESET Research. ‘This allows it to work on almost any device, regardless of manufacturer or Android version. That makes it particularly adaptable.’ Following the discovery of the AI-powered ransomware PromptLock in August 2025, this is already the second case in which attackers have integrated generative AI so deeply into malicious code in order to overcome technical hurdles.
Complete access to the smartphone
Once the app is active, it installs a remote control module. Criminals can then view the screen, read messages, open apps, initiate transfers or steal passwords. Even removal is made difficult because invisible elements block certain buttons.
‘We are seeing a new quality of Android malware here,’ explains Štefanko. ‘AI is not just being used as a buzzword, but is actually being used to circumvent protective mechanisms.’ There are indications that the developers are working in a Chinese-speaking environment. The application was not available in the official app stores.
How users can protect themselves
- It remains vitally important to only install apps from official sources such as Google Play and not to download applications from unknown websites. Users should be particularly wary if an app requests additional permissions for accessibility features. These so-called ‘accessibility’ functions allow extensive access to the device and are often misused by malware.
- Regular system updates also significantly reduce the risk. If you suspect that your device has been compromised, you should restart it in safe mode. In this state, malicious applications can usually be removed because they are not active.
- Android devices with Google Play Protect enabled are protected against known versions of the malware.
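Because PromptSpy relies on accessibility access, one practical check is to audit which accessibility services are currently enabled on a device and flag any that are not expected. The following script is an added example, not ESET's code or anything from the WeLiveSecurity write-up: on a real device the setting value would come from `adb shell settings get secure enabled_accessibility_services`; here a constructed sample value is embedded so the script runs offline, and the allowlist entry (TalkBack) is a hypothetical placeholder for whatever services you legitimately use.

```shell
#!/bin/sh
# Added example (not ESET's code): audit enabled Android accessibility services.
# Live usage on a connected device (adb assumed to be installed):
#   flag_unexpected_services "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
# The `tr -d '\r'` strips the carriage return some adb versions append.

# Hypothetical allowlist of services you expect to be enabled (colon-separated,
# same format Android uses). Replace with the services legitimately in use.
ALLOWLIST="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# Constructed sample of the setting's value: colon-separated package/service
# entries. The second entry is a made-up placeholder standing in for an
# unexpected app that has obtained accessibility access.
SAMPLE_SETTING="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.unknownbank/com.example.unknownbank.AccessService"

# Print every enabled service that is not on the allowlist.
# Returns 0 when everything is expected, 1 when at least one unknown service is enabled.
flag_unexpected_services() {
    setting="$1"
    found=0
    # `settings get` prints "null" when no service is enabled at all.
    if [ -z "$setting" ] || [ "$setting" = "null" ]; then
        return 0
    fi
    # Turn the colon-separated list into one entry per line and inspect each.
    for entry in $(printf '%s\n' "$setting" | tr ':' '\n'); do
        [ -z "$entry" ] && continue
        case ":$ALLOWLIST:" in
            *":$entry:"*) ;;   # known, expected service
            *) echo "UNEXPECTED accessibility service: $entry"; found=1 ;;
        esac
    done
    return $found
}

# Convenience wrapper: number of unexpected services in a setting value.
count_unexpected_services() {
    flag_unexpected_services "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample.
if [ "${0##*/}" != "sh" ]; then
    count_unexpected_services "$SAMPLE_SETTING" >/dev/null
fi
```

Any service reported as unexpected deserves a look in the device's accessibility settings; a banking app that has silently registered itself there matches the behaviour described above.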
ESET publishes further technical details and screenshots on its security blog WeLiveSecurity (https://www.welivesecurity.com/de/eset-research/promptspy-lautet-mit-genai-die-ara-der-android-bedrohungen-ein).