PromptSpy: First Android Malware Using Gemini AI at Runtime

ESET researchers have discovered what they describe as the first Android malware abusing Google's Gemini AI as part of its execution flow. Codenamed PromptSpy, the malware uses generative AI at runtime to analyze device screens and generate step-by-step instructions for maintaining persistence—a capability that marks a concerning evolution in mobile threats.

The discovery follows months of warnings about AI-powered attack tools. PromptSpy demonstrates that those concerns weren't hypothetical: threat actors have now weaponized commercially available AI services in production malware.

How PromptSpy Weaponizes Gemini

According to ESET's research, PromptSpy uses Gemini to solve a specific problem—keeping the malicious app pinned in Android's recent apps list to prevent removal.

The process works like this:

1. PromptSpy captures the current screen's UI XML layout
2. The malware sends this data to Google's Gemini API with a prompt requesting navigation instructions
3. Gemini analyzes the UI structure and returns JSON-formatted tap/swipe commands
4. PromptSpy executes those commands programmatically
5. The interaction repeats until the app is successfully locked in place

This approach gives the malware adaptability that hard-coded routines can't match. Different Android versions, device manufacturers, and launcher customizations all present different UI layouts. By using Gemini to interpret each screen dynamically, PromptSpy handles variations that would otherwise require extensive device-specific development.

Capabilities Beyond Persistence

Once established, PromptSpy's feature set extends well beyond staying hidden:

• VNC module deployment for complete remote device access
• Lockscreen credential capture through overlay attacks
• Screen recording and screenshot functionality
• Device reconnaissance including installed apps and system info
• Uninstallation blocking to prevent removal

The VNC capability represents the primary goal: granting attackers real-time remote access to infected devices. Combined with credential theft, this enables account takeovers, financial fraud, and access to corporate resources via mobile enterprise apps.

Campaign Origins and Targeting

BleepingComputer reports that ESET tracked two variants. The first, named VNCSpy, appeared on VirusTotal on January 13, 2026, uploaded from Hong Kong. Four more advanced samples—the PromptSpy variants with Gemini integration—were uploaded from Argentina on February 10, 2026.

Language localization clues and observed distribution vectors point toward financially motivated attacks primarily targeting Argentina. The campaign appears to use fake banking or financial apps as lures, consistent with the credential theft and VNC access capabilities.

The AI-Powered Malware Threat

PromptSpy's emergence validates concerns raised throughout 2025 about generative AI weaponization. We've previously covered how infostealers are now targeting AI agent configurations, but PromptSpy represents something different: malware that actively uses AI services to enhance its own capabilities.

The implications extend beyond Android. If threat actors successfully integrate commercial AI APIs into malware, we can expect similar approaches across platforms:

• Windows malware using AI to interpret GUI layouts for persistence
• Automated social engineering where malware crafts contextual phishing messages
• Adaptive evasion where AI suggests techniques based on detected security products

Google's Gemini API is designed for legitimate developer use cases. PromptSpy's abuse highlights the challenge of preventing malicious consumption of AI services that must remain accessible for legitimate applications.

Detection and Protection

Organizations and individuals should consider these defensive measures:

1. Install apps only from Google Play and verified enterprise app stores
2. Enable Play Protect and keep it updated
3. Review accessibility permissions carefully—PromptSpy requires these to interact with UI
4. Monitor for unusual network activity to AI service endpoints
5. Deploy mobile threat defense solutions with behavioral analysis

Enterprise environments should also consider mobile application management (MAM) policies that restrict which apps can access accessibility services—a common requirement for malware that needs to interact with device UI.

Why This Matters

PromptSpy represents a proof of concept that will almost certainly inspire copycats. The technique isn't particularly sophisticated in isolation—it's the combination of accessibility abuse with AI-driven adaptability that creates something new.

For security teams tracking malware evolution, PromptSpy signals that AI integration is no longer theoretical. Threat intelligence should now include monitoring for malware samples making API calls to commercial AI services.

For a broader understanding of how mobile malware operates and how to protect devices, review our malware protection guide covering threat categories and defensive strategies.