ESET Report: Thousands of Malicious AI Skills Found Abusing AI Agents for Data Theft and Code Execution

Malicious AI Skills Proliferate, Capable of Data Theft and Malware Execution

HIGH
July 8, 2026
5m read
MalwareThreat IntelligenceMobile Security

Related Entities

Organizations

Products & Tech

Other

PromptSpy

Full Report

Executive Summary

The rapid expansion of the Artificial Intelligence (AI) agent ecosystem has introduced a novel and dangerous attack surface. A new report from ESET reveals that threat actors are actively creating and distributing malicious AI 'skills' to compromise users and systems. In an analysis of nearly 900,000 skills, ESET identified over 3,000 as overtly malicious and another 25,000 as suspicious. These skills, which extend the functionality of AI agents, are being weaponized to steal data, execute malware, and inject malicious code. The report also details the discovery of PromptSpy, the first Android malware observed using a generative AI model (Google's Gemini) to enhance its capabilities, signaling a new trend in mobile threats.


Threat Overview

  • Attack Surface: The growing marketplace of AI 'skills' for AI agents.
  • Threat: Malicious skills designed to abuse the permissions and context of AI agents.
  • Scale: Over 3,000 malicious and 25,000 suspicious skills discovered between March and May 2026.
  • Malicious Capabilities: Researchers found skills capable of:
    • Command execution
    • File access and exfiltration
    • Credential loading and theft
    • Code injection and obfuscation
  • Emerging Malware: The report highlights PromptSpy, an Android malware that uses Google's Gemini AI to achieve its objectives.

Technical Analysis

Malicious AI Skills

AI agents (like those from OpenAI, Google, etc.) can have their functionality extended by third-party 'skills' or 'plugins.' Threat actors are creating skills that appear legitimate but contain hidden malicious functionality. When a user enables a malicious skill, they grant it permissions that the attacker can then abuse. For example:

  • A skill that promises to 'summarize your documents' could use its file access permission to secretly exfiltrate all documents it is given access to.
  • A skill that 'integrates with your calendar' could steal authentication tokens for the user's account.
  • A skill with 'command execution' capabilities could be used to download and run malware on the user's machine. This is a form of supply chain attack targeting the AI ecosystem, where trust in a skill's advertised function is exploited (T1195.001 - Compromise Software Supply Chain).

PromptSpy Android Malware

PromptSpy represents a significant evolution in mobile malware. It is the first known Android trojan to incorporate generative AI into its core operations. It uses Google Gemini to:

  1. Interpret Screen Content: PromptSpy takes screenshots of the user's device.
  2. AI Analysis: It sends these screenshots to the Gemini model with a prompt asking it to interpret what is on the screen and suggest actions.
  3. Maintain Persistence: The AI's output is used to generate gestures (taps, swipes) that allow the malware to navigate menus, dismiss warnings, and grant itself additional permissions to ensure it remains active on the device. Its capabilities include intercepting lock-screen PINs, capturing screen activity, exfiltrating data from other apps, and providing full remote access to the attacker.

Impact Assessment

  • New Attack Vector: The proliferation of malicious skills creates a new and difficult-to-defend attack vector. Users may not have the technical knowledge to vet the safety of an AI skill before enabling it.
  • Sophisticated Mobile Malware: The use of AI in malware like PromptSpy can make it more resilient and harder to detect, as it can adapt its behavior based on the on-screen context.
  • Data Privacy Risk: Malicious skills pose a massive data privacy risk, as they can be granted access to emails, documents, calendars, and other sensitive personal and corporate data.

IOCs — Directly from Articles

No specific Indicators of Compromise were provided in the source articles.

Cyber Observables — Hunting Hints

Type
other
Value
Anomalous API calls from AI agents
Description
Monitor outbound API calls made by AI agents or skills to external services. A skill making an unusually high number of calls or sending large amounts of data is suspicious.
Type
log_source
Value
Android device logs
Description
On Android, look for applications that have broad accessibility service permissions and are making frequent network connections to unknown endpoints.
Type
network_traffic_pattern
Value
High volume of traffic to Google Gemini API
Description
A mobile device making an unusually high number of API calls to the Gemini service could be a sign of PromptSpy infection.

Detection & Response

  1. Audit AI Skills: Organizations must establish policies for the use of AI agents and skills. Maintain an allowlist of vetted, approved skills. Security teams should periodically review skills enabled by users.
  2. Mobile Threat Defense (MTD): Deploy MTD solutions on Android devices to detect malware like PromptSpy. These tools can identify applications that abuse accessibility services or exhibit other malicious behaviors.
  3. Data Loss Prevention (DLP): Use DLP tools to monitor and block the exfiltration of sensitive data, which could be triggered by a malicious AI skill.

Mitigation

  1. User Training and Awareness: Educate users about the risks of enabling third-party AI skills. Teach them to be cautious and only use skills from reputable, verified developers. Reference MITRE M1017 - User Training.
  2. Principle of Least Privilege: When enabling any AI skill, users should grant it the absolute minimum permissions necessary for it to function. If a skill's requested permissions seem excessive for its stated purpose, it should not be trusted.
  3. Restrict AI Agent Usage: In high-security environments, consider restricting or banning the use of AI agents with third-party skill marketplaces until better security vetting processes are in place. Reference MITRE M1033 - Limit Software Installation.

Timeline of Events

1
July 8, 2026
This article was published

MITRE ATT&CK Mitigations

Educate users on the risks of third-party AI skills and how to spot requests for excessive permissions.

Establish policies and technical controls to only allow the use of vetted and approved AI skills within the organization.

Mapped D3FEND Techniques:

Use Mobile Threat Defense (MTD) to detect malicious behaviors on Android devices, such as the abuse of accessibility services by malware like PromptSpy.

D3FEND Defensive Countermeasures

To combat the threat of malicious AI skills, organizations should adopt an allowlisting approach. Instead of letting users install any skill from a public marketplace, the IT and security teams should create a curated 'app store' of vetted and approved AI skills. This involves a review process where each skill's developer reputation, requested permissions, and functionality are scrutinized. Only skills that are deemed safe and have a clear business purpose should be added to the allowlist. This technical control prevents users from inadvertently installing malicious skills and significantly reduces the organization's attack surface within the AI ecosystem.

For detecting threats like PromptSpy on mobile devices, User Behavior Analysis (UBA) is key. Mobile Threat Defense (MTD) solutions can baseline a user's normal application usage and device interactions. PromptSpy's use of Gemini to generate gestures and navigate the UI would create a pattern of behavior that is distinctly non-human. The timing, speed, and precision of these automated gestures would deviate from a normal user's interaction. A UBA system could flag this anomalous activity, as well as the application's abuse of Accessibility Services to perform these actions, and alert security teams to a potential compromise even if the malware's signature is unknown.

Sources & References

Thousands of malicious AI skills found capable of stealing data, running malware
Help Net Security (helpnetsecurity.com) July 8, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Tags

AIMalicious SkillsESETPromptSpyAndroidMalwareGoogle Gemini

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.