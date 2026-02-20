ESET researchers have identified an Android malware implant that uses generative AI (GenAI) for persistence purposes.

This malicious implant is an advanced version of VNCSpy, a piece of malware that appeared on VirusTotal in January 2026 and was represented by three samples uploaded from Hong Kong.

VNCSpy is an Android malware implant that deploys a virtual network computing (VNC) module on the victim's device, allowing attackers to see the screen and perform actions remotely.

VNC modules are components of screen-sharing technology that enables remote control of another computer using the remote frame buffer (RFB) protocol.

In February, ESET researchers identified four new malware samples uploaded to VirusTotal from Argentina. Their analysis revealed multistage malware based on VNCSpy but with a malicious payload that leverages Google’s Gemini to analyze the targeted device’s screen and provide the operator with step-by-step instructions on how to ensure the malicious app remains pinned in the recent apps list, thus preventing it from being easily swiped away or killed by the system.

The researchers have named the malware implant PromptSpy.

Based on the presence of Simplified Chinese elements in the code, ESET assessed “with medium confidence” that PromptSpy was developed in a Chinese‑speaking environment.

While the security firm noted it hasn’t yet seen any samples of PromptSpy in its telemetry, the existence of a possible distribution domain could suggest the malware has been deployed in the wild.

Malicious App Impersonating JPMorgan Argentina

The four PromptSpy dropper samples were distributed through the website mgardownload[.]com, which was already offline during ESET’s analysis.

After the PromptSpy dropper was installed and launched, it opened a webpage hosted on m‑mgarg[.]com.

“Although this domain was also offline, Google’s cached version revealed that it likely impersonated a Chase Bank (legally, JPMorgan Chase Bank N.A.),” wrote the ESET researchers in a report published on February 19.

Additionally, the malicious Android app distributing PromptSpy is called ‘MorganArg,’ which suggests it purports to be ‘Morgan Argentina.’ The app’s icon is inspired by Chase Bank’s.

The malicious app is linked to a spoofed Spanish website, with an “Iniciar session” (Login) button, indicating that the page was probably intended to mimic a bank website.

The MorganArg app is a trojan that functions as a companion application developed by the same threat actor behind VNCSpy and PromptSpy.

In the background, the trojan contacts its server to request a configuration file, which includes a link to download another Android package kit (APK) – the file format for Android applications – presented to the victim, in Spanish, as an update.