The rapid expansion of the Artificial Intelligence (AI) agent ecosystem has introduced a novel and dangerous attack surface. A new report from ESET reveals that threat actors are actively creating and distributing malicious AI 'skills' to compromise users and systems. In an analysis of nearly 900,000 skills, ESET identified over 3,000 as overtly malicious and another 25,000 as suspicious. These skills, which extend the functionality of AI agents, are being weaponized to steal data, execute malware, and inject malicious code. The report also details the discovery of PromptSpy, the first Android malware observed using a generative AI model (Google's Gemini) to enhance its capabilities, signaling a new trend in mobile threats.
AI agents (like those from OpenAI, Google, etc.) can have their functionality extended by third-party 'skills' or 'plugins.' Threat actors are creating skills that appear legitimate but contain hidden malicious functionality. When a user enables a malicious skill, they grant it permissions that the attacker can then abuse. For example:
T1195.001 - Compromise Software Supply Chain).PromptSpy represents a significant evolution in mobile malware. It is the first known Android trojan to incorporate generative AI into its core operations. It uses Google Gemini to:
No specific Indicators of Compromise were provided in the source articles.
Anomalous API calls from AI agentsAndroid device logsHigh volume of traffic to Google Gemini APIEducate users on the risks of third-party AI skills and how to spot requests for excessive permissions.
Establish policies and technical controls to only allow the use of vetted and approved AI skills within the organization.
To combat the threat of malicious AI skills, organizations should adopt an allowlisting approach. Instead of letting users install any skill from a public marketplace, the IT and security teams should create a curated 'app store' of vetted and approved AI skills. This involves a review process where each skill's developer reputation, requested permissions, and functionality are scrutinized. Only skills that are deemed safe and have a clear business purpose should be added to the allowlist. This technical control prevents users from inadvertently installing malicious skills and significantly reduces the organization's attack surface within the AI ecosystem.
For detecting threats like PromptSpy on mobile devices, User Behavior Analysis (UBA) is key. Mobile Threat Defense (MTD) solutions can baseline a user's normal application usage and device interactions. PromptSpy's use of Gemini to generate gestures and navigate the UI would create a pattern of behavior that is distinctly non-human. The timing, speed, and precision of these automated gestures would deviate from a normal user's interaction. A UBA system could flag this anomalous activity, as well as the application's abuse of Accessibility Services to perform these actions, and alert security teams to a potential compromise even if the malware's signature is unknown.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.