Her researchers ESET they discovered This makes it a perfect choice for people with diabetes and for those who want to lose weight or follow a balanced diet. PromptSpy, το πρώτο γνωστό κακόβουλο λογισμικό για Android που εκμεταλλεύεται τη γενετική τεχνητή νοημοσύνη (Generative AI) στη ροή εκτέλεσής του. Πρόκειται για την πρώτη καταγεγραμμένη περίπτωση όπου η γενετική τεχνητή νοημοσύνη χρησιμοποιείται με αυτόν τον τρόπο σε κακόβουλο λογισμικό. Οι επιτιθέμενοι βασίζονται σε προτροπές προς ένα μοντέλο τεχνητής νοημοσύνης (συγκεκριμένα το Gemini της Google) για την κακόβουλη χειραγώγηση της διεπαφής χρήστη. Για το λόγο αυτό, η ESET ονόμασε τη συγκεκριμένη οικογένεια κακόβουλου λογισμικού PromptSpy.
Το κακόβουλο λογισμικό μπορεί να καταγράψει δεδομένα από την οθόνη κλειδώματος, να εμποδίσει προσπάθειες απεγκατάστασης, να συλλέξει πληροφορίες για τη συσκευή, να λάβει στιγμιότυπα οθόνης, να καταγράψει τη δραστηριότητα της οθόνης σε μορφή βίντεο και πολλά άλλα. αυτό είναι το δεύτερο κακόβουλο λογισμικό που εντοπίζει η ESET Research και βασίζεται στην τεχνητή νοημοσύνη, μετά το PromptLock τον Αύγουστο του 2025, την πρώτη γνωστή περίπτωση ransomware that utilized artificial intelligence.
Based on language localization evidence and distribution channels identified during the analysis, the campaign appears to be financially motivated and primarily targets users in Argentina. However, PromptSpy has not yet been recorded in ESET telemetry, suggesting that this may be a proof of concept.
Although genetic AI is used only in a relatively small part of PromptSpy’s code – specifically in the part that deals with achieving resilience – its contribution is crucial to the malware’s adaptability. Specifically, Gemini is used to provide PromptSpy with detailed instructions on how to “lock” the malicious application, i.e. pin it to the list of recent applications (often represented by a padlock icon in the multitasking view of many Android launchers), thus preventing it from being easily deleted or terminated from the system. The AI model and the associated prompt are predefined in the code and cannot be modified.
“Since Android malware often relies on user interface navigation, leveraging genetic AI allows attackers to adapt to almost any device, layout, or OS version, which can significantly increase the number of potential victims,” says ESET researcher Lukáš Štefanko, who discovered PromptSpy.
“The main purpose of PromptSpy is to deploy an embedded VNC module, which provides operators with remote access to the victim’s device. This Android malware also abuses Accessibility Services to prevent its uninstallation via invisible overlays. It also records lock screen data and screen activity in video format, while communicating with the Command & Control server via AES encryption,” adds Štefanko.
PromptSpy is distributed via a dedicated website and has never been available on Google Play. As a partner of the App Defense Alliance, ESET shared its findings with Google. Android users are automatically protected from known versions of this malware through Google Play Protect, which is enabled by default on Android devices with Google Play Services.
“Although PromptSpy uses Gemini in only one of its functions, it demonstrates how leveraging such tools can make malware more powerful, giving attackers the ability to automate actions that would normally be more difficult to implement,” concludes Štefanko.
Data shows that AI Overviews have ruined the update
With the app’s name MorganArg and its icon seemingly inspired by Morgan Chase, the malware is likely impersonating the bank. MorganArg, likely an abbreviation for “Morgan Argentina,” also appears as the name of the cached website, suggesting a focus on a specific geographic region.
Because PromptSpy prevents uninstallation by overlaying invisible elements on the screen, the only way to remove it is to restart the device in safe mode. In safe mode, third-party applications are disabled, allowing them to be uninstalled normally.
To enter safe mode, users typically need to press and hold the power button, then long-press the power off option, and confirm the prompt to reboot into safe mode. The exact process may vary depending on the device and manufacturer. After the phone reboots into safe mode, the user can go to Settings → Apps → MorganArg and uninstall it without any hassle.
