Cybersecurity company ESET has discovered PromptSpy, the first known Android malware to use generative AI in its execution flow to achieve persistence. ESET named the family PromptSpy because the attackers rely on an AI model (specifically Google’s Gemini) to direct malicious UI manipulation.
The malware can capture lock screen data, block uninstallation attempts, collect device information, take screenshots, and record screen activity as video. ESET researchers discovered PromptLock, the first known AI-powered ransomware, in August 2025. PromptSpy is the second AI-powered malware discovered by ESET Research.
Based on language localization cues and the distribution vectors observed during analysis, this campaign appears to be financially motivated and primarily targets users in Argentina. However, PromptSpy has not yet been observed in ESET telemetry, suggesting it is likely a proof of concept. Although generative AI is used in a relatively small section of PromptSpy’s code (the part responsible for persistence), it has a significant impact on the malware’s adaptability. Specifically, Gemini provides PromptSpy with step-by-step instructions to “lock” the malicious application in the recent applications list (typically represented by a padlock icon in most Android launchers’ multitasking views), which prevents the application from being easily removed or closed by the system. The AI model and the prompt are hard-coded and cannot be modified.
Lukáš Štefanko, the ESET researcher who discovered PromptSpy, stated: “Since Android malware often relies on UI-based navigation, using generative AI allows threat actors to adapt to virtually any device, layout, or operating system version, which can greatly increase the potential victim pool. The primary goal of PromptSpy is to deploy an embedded VNC module that allows operators to remotely access the victim’s device. This Android malware also exploits Accessibility Services to prevent removal with invisible overlays, captures lock screen data, and records screen activity as video. It communicates with the Command and Control server via AES encryption.”
PromptSpy is distributed through a dedicated website and was never found on Google Play. However, ESET, a partner in the App Defense Alliance, shared its findings with Google. Android users are automatically protected against known versions of this malware by Google Play Protect, which is enabled by default on Android devices with Google Play Services.
Lukáš Štefanko stated that while PromptSpy uses Gemini in only one feature, it demonstrates how the implementation of these tools can make malware more dynamic and give threat actors ways to automate actions that would normally be more difficult with traditional scripting.
The application’s name is MorganArg, and its icon appears to be inspired by Morgan Chase, suggesting that this malware likely impersonates Morgan Chase bank. MorganArg is likely an abbreviation for “Morgan Argentina,” and it also appears as the name of the cached website, suggesting a regional targeting focus.
Since PromptSpy prevents its removal by placing invisible elements on the screen, the only way for the victim to remove it is to restart the device in Safe Mode. In Safe Mode, third-party applications are disabled and can be uninstalled normally. To enter Safe Mode, users typically need to hold down the power button, long-press Power Off, and confirm the Restart in Safe Mode prompt (the exact method may vary depending on the device and manufacturer). Once the phone has restarted in Safe Mode, the user can go to Settings → Applications → MorganArg and uninstall it without being blocked.
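Because the removal blocking described above depends on the app holding Accessibility Service access, a quick triage step for an affected device is to list which third-party packages have that access. The following added example (not ESET’s code, and unrelated to PromptSpy’s own implementation) parses the `enabled_accessibility_services` secure setting that Android exposes via ADB and flags third-party packages; the sample setting string and package names in the test are constructed, not real PromptSpy identifiers.

```python
"""Triage helper: list Android accessibility services that are enabled and
flag third-party packages holding that access.  Added example, not ESET's
code and not part of the PromptSpy sample."""
import subprocess
from typing import Dict, FrozenSet, List, Set

# Android stores the enabled services in Settings.Secure as a colon-separated
# list of ComponentName strings, e.g. "pkg/.Service:other.pkg/other.pkg.Cls".
# `settings get` prints the literal word "null" when nothing is enabled.
def parse_enabled_services(raw: str) -> List[Dict[str, str]]:
    entries = []
    for item in raw.strip().split(":"):
        if not item or item == "null":
            continue
        pkg, _, cls = item.partition("/")
        # A leading dot means the class name is relative to the package.
        if cls.startswith("."):
            cls = pkg + cls
        entries.append({"package": pkg, "service": cls})
    return entries

def flag_suspicious(services: List[Dict[str, str]], third_party: Set[str],
                    allow: FrozenSet[str] = frozenset()) -> List[str]:
    """Third-party packages with accessibility access that are not on the
    caller's allow-list (e.g. a known screen reader or password manager)."""
    return sorted({s["package"] for s in services
                   if s["package"] in third_party and s["package"] not in allow})

def adb_shell(*args: str) -> str:
    # Assumes a device connected with USB debugging enabled and adb on PATH.
    return subprocess.run(["adb", "shell", *args], check=True,
                          capture_output=True, text=True).stdout

if __name__ == "__main__":
    raw = adb_shell("settings", "get", "secure", "enabled_accessibility_services")
    # `pm list packages -3` prints "package:<name>" for third-party apps only.
    third = {line.split(":", 1)[1].strip()
             for line in adb_shell("pm", "list", "packages", "-3").splitlines()
             if line.startswith("package:")}
    for pkg in flag_suspicious(parse_enabled_services(raw), third):
        print("third-party app with accessibility access:", pkg)
```

Any package it reports should be reviewed and, if unwanted, removed via Safe Mode as described above.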