If a banking app suddenly wants “more access” after installation, that is not a coincidence. Security researchers are now warning of Android malware that not only disguises itself, but actively works against you getting rid of it.

According to the security software company ESET, researchers have discovered Android malware, named PromptSpy, that disguises itself as a banking app and is distributed under the name “MorganArg”, a fake version of the Chase/JPMorgan app. It is not distributed through official app stores but via fake websites. Observations to date show it primarily targets users in Argentina, but the malware can be used anywhere.

Why AI is More Than Just a Buzzword Here

Once the app is installed and active, it is said to put the smartphone under the attacker’s control. According to ESET, among other things it shows the attacker a live view of the screen, reads inputs, intercepts the lock code, and carries out actions remotely. Practically speaking, attackers can behave as if they were using your device directly. This includes access to apps, messages, and potentially, banking functions.

According to ESET, the crucial point is not just remote access, but the way the malware weaves itself into the operating system. Instead of working with fixed, pre-programmed click sequences, PromptSpy is said to transfer the current screen content to Google’s AI model Gemini. Gemini then analyzes the interface like a human and provides step-by-step instructions on which button to press, ensuring the app stays open and active.

ESET researcher Lukas Stefanko described the principle as follows: The malware lets the AI explain what to do next. The advantage for criminals is obvious: if the instructions are derived from the current screen, the malicious code does not have to be precisely tailored to individual manufacturer interfaces or Android versions. In this context, ESET also referred to an earlier discovery: “PromptLock”, an AI-supported ransomware, was discovered in August 2025. PromptSpy would therefore be the next step towards “adaptable” malware.

How You Can Most Likely Recognize the Danger

The disguise as a banking app targets a typical reflex: quick installation, quick login, fast approvals. It becomes particularly critical when an app requests permissions for accessibility features. These functions are meant for everyday support but can enable very far-reaching interventions. According to ESET, they are regularly misused by Android malware.

ESET also mentioned a specific trick designed to make the malware’s removal more difficult: invisible elements can block buttons. This fits with the aim of preventing the victim from stopping or uninstalling the app when in doubt.

The most important form of protection remains banal but effective: Only install apps from official sources such as Google Play. Do not download any alleged banking apps from “special sites”, especially if they look professional. If you suspect that your device has been compromised, ESET recommends restarting it in safe mode. In this state, many apps remain inactive, making it easier to remove malicious applications. In addition, if Google Play Protect is activated, Android devices should be protected against known versions of the described malware.