PromptSpy: Android Malware Uses Google Gemini AI

PromptSpy is a newly discovered Android malware family that uses Google’s Gemini AI model to make real-time decisions on infected devices.

Instead of using fixed screen coordinates or simple automation rules, PromptSpy sends Gemini a natural-language request along with an XML snapshot of the current screen. This snapshot includes details about visible elements such as text, type, and screen position.

Gemini analyzes the screen content and responds with JSON instructions telling the malware what action to perform — such as tap, long-press, or swipe — and exactly where to do it.

The main goal is persistence. PromptSpy uses this AI-driven method to keep its malicious app pinned in the Recent Apps list, even when the user tries to close it.

The malware runs in a loop. It executes Gemini’s instructions using Android’s Accessibility Service, captures the updated screen, and sends it back to Gemini. This continues until the AI confirms the app is successfully pinned. Because it relies on AI analysis instead of hardcoded rules, it works across different devices, Android versions, and manufacturer customizations.

Security researchers at ESET describe PromptSpy as the first known Android malware to directly integrate generative AI into its execution flow. The focus is stealthy persistence and maintaining control over the device.
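As an added defender-side example (not ESET's analysis code and not the malware's own), the following heuristic flags a package that both holds Accessibility rights and repeatedly ships Android UI-hierarchy XML to the Gemini API host, which is the screen-to-AI decision loop described above. The one-JSON-object-per-line log format, the package names and the timestamps are constructed for illustration; generativelanguage.googleapis.com is the real Gemini API host.

```python
import json
import re
from collections import defaultdict
# Constructed: packages with an enabled accessibility service (from Settings).
ACCESSIBILITY_APPS = {"com.constructed.dropper", "com.example.screenreader"}
# Real Gemini API host; the one-JSON-object-per-line log format is constructed.
AI_API_HOSTS = {"generativelanguage.googleapis.com"}
UI_DUMP = re.compile(r'<hierarchy|<node\b[^>]*\bclass="android\.', re.I)

def indicators(rec):
    """Return the PromptSpy-style indicators present in one request record."""
    hits = set()
    if rec.get("host") in AI_API_HOSTS:
        hits.add("ai-api")   # request goes to a generative-AI endpoint
    if UI_DUMP.search(rec.get("body", "")):
        hits.add("ui-xml")   # body carries an Android UI-hierarchy dump
    if rec.get("pkg") in ACCESSIBILITY_APPS:
        hits.add("a11y")     # sender can also act on the screen it sent
    return hits

def detect(lines, min_rounds=3, window=60):
    """Map package -> round count for packages that made at least `min_rounds`
    screen-to-AI requests within `window` seconds, i.e. the decision loop."""
    rounds = defaultdict(list)
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue         # tolerate malformed lines instead of crashing
        if indicators(rec) == {"ai-api", "ui-xml", "a11y"}:
            rounds[rec["pkg"]].append(rec["ts"])
    alerts = {}
    for pkg, stamps in rounds.items():
        stamps.sort()
        for i in range(len(stamps) - min_rounds + 1):
            if stamps[i + min_rounds - 1] - stamps[i] <= window:
                alerts[pkg] = len(stamps)
                break
    return alerts

# Constructed sample: three quick rounds from the dropper plus benign noise.
SCREEN = '<hierarchy><node class="android.widget.Button" text="Pin"/></hierarchy>'
GEMINI = "generativelanguage.googleapis.com"
SAMPLE_LOG = [json.dumps(r) for r in (
    {"ts": 100, "pkg": "com.constructed.dropper", "host": GEMINI, "body": SCREEN},
    {"ts": 112, "pkg": "com.constructed.dropper", "host": GEMINI, "body": SCREEN},
    {"ts": 125, "pkg": "com.constructed.dropper", "host": GEMINI, "body": SCREEN},
    {"ts": 130, "pkg": "com.example.screenreader", "host": "x.example", "body": "ok"},
    {"ts": 140, "pkg": "com.example.chat", "host": GEMINI, "body": '{"q": "hi"}'},
)] + ["not json"]
```

A benign screen reader (Accessibility but no AI traffic) and a benign chat app (AI traffic but no Accessibility and no UI dump) are deliberately left unflagged; only the combination, repeated quickly, raises an alert.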

Android AI Malware Capabilities

Beyond AI-based persistence, PromptSpy also acts as a powerful remote access tool.

It includes a built-in VNC component that allows attackers to control the infected phone in real time. Once the victim grants Accessibility permissions, attackers can:

  • View the device screen live
  • Simulate taps and gestures
  • Perform actions as if physically holding the phone

Android/Phishing.Agent.M UI showing the same fake site as the PromptSpy dropper (Source: ESET).

The malware can capture lockscreen credentials, gather device information, take screenshots, record screen activity as video, and monitor which app is currently in use.

It communicates with a hardcoded command-and-control server using the VNC protocol, protected by AES encryption. The server can also send a Gemini API key and additional task instructions to the malware.

Malware screen prompting installation of the PromptSpy payload (Source: ESET).

PromptSpy also actively blocks removal attempts. It abuses Accessibility permissions to place invisible overlays on important system buttons, including those used to uninstall the app or disable its privileges.

These transparent overlays intercept user taps on “Uninstall” or “Stop,” preventing normal removal.

Technical analysis shows that PromptSpy is delivered through a dropper app. The malicious payload (app-release.apk) is embedded inside the dropper’s assets directory.

Campaign Spread and Target Regions

ESET connects PromptSpy to a multi-stage, financially driven campaign mainly targeting users in Argentina.

An earlier variant, VNCSpy, was uploaded from Hong Kong in January 2026. More advanced PromptSpy samples appeared from Argentina in February 2026.

The malware spread through domains such as mgardownload[.]com and m-mgarg[.]com, which imitated JPMorgan Chase branding under the name “MorganArg” using Spanish banking lures.

Analysis of the same infrastructure revealed another Android phishing trojan signed with the same certificate and using the same fake banking site, likely acting as the initial infection stage before deploying PromptSpy.

Although PromptSpy has not appeared widely in ESET telemetry and may still be in limited testing, the active domains confirm some real-world use.

Code findings, including simplified Chinese debug strings and references to Chinese Accessibility events, suggest development in a Chinese-speaking environment, even though current targets are in Latin America.

PromptSpy is not available on Google Play, and Google Play Protect now detects known variants.

This campaign follows ESET’s 2025 discovery of PromptLock, an AI-powered ransomware prototype, highlighting the growing use of generative AI in malware operations.

About the Author:

FirstHackersNews- Identifies Security