PromptSpy: Android Malware Leverages Google Gemini AI for Persistence
A latest Android malware strain, dubbed PromptSpy, is making waves in the cybersecurity world as the first known instance of malware utilizing generative AI – specifically, Google’s Gemini – during its execution. Discovered by ESET researchers in February 2026, PromptSpy demonstrates a significant evolution in mobile threats, moving beyond traditional scripting to incorporate dynamic, AI-driven adaptability.
How PromptSpy Works: AI-Powered Persistence
Unlike conventional malware with fixed instructions, PromptSpy leverages Gemini to analyze the user interface of the infected device in real-time. This allows it to receive tailored instructions to achieve its objectives, primarily persistence – ensuring the malware remains active even after reboots or attempts at removal. The malware sends Gemini an XML dump of the screen, detailing UI elements, their text, type, and position. Gemini then responds with JSON instructions guiding PromptSpy on actions like taps and swipes.
“Gemini is used to analyze the current screen and provide PromptSpy with step-by-step instructions on how to ensure the malicious app remains pinned in the recent apps list, thus preventing it from being easily swiped away or killed by the system,” explains Lukáš Štefanko, an ESET researcher. The Hacker News. This ability to adapt to different Android versions and manufacturer interfaces significantly expands the potential victim pool.
Beyond Persistence: A Multifaceted Threat
PromptSpy’s capabilities extend beyond simply staying active. It’s equipped with a range of malicious functionalities, including:
- Remote Access: Deployment of a Virtual Network Computing (VNC) module grants attackers complete remote control of the compromised device. ESET
- Data Capture: Interception of lockscreen data, potentially compromising PIN codes or notification content.
- Screen Monitoring: Taking screenshots and recording screen activity as video.
- Information Gathering: Collecting device information such as model, system version, and installed applications.
- Uninstallation Blocking: Preventing removal attempts through the use of invisible overlays on the screen. SecurityWeek
Targeted Campaign and Distribution
Based on language localization clues and distribution methods, the PromptSpy campaign appears to be financially motivated and primarily targets users in Argentina. The malware is currently spread through fake banking applications, specifically an app called MorganArg, disguised as a legitimate JPMorgan Chase bank application. ESET
Notably, PromptSpy has not yet been observed in ESET telemetry or on the Google Play Store, suggesting it may still be in a prototype or early deployment phase. However, ESET has shared its findings with Google, and Play Protect is now actively defending against all known variants.
A Growing Trend: AI-Powered Malware
PromptSpy isn’t an isolated incident. ESET previously identified PromptLock, the first AI-driven ransomware, in August 2025. ESET Google has also detected other malware leveraging Gemini in real-time during intrusions, such as PromptFlux. This indicates a concerning trend of cybercriminals increasingly utilizing generative AI to enhance the sophistication and effectiveness of their attacks.
Key Takeaways
- PromptSpy is the first known Android malware to actively use generative AI (Google Gemini) during its operation.
- The malware utilizes Gemini to adapt to different device interfaces and maintain persistence.
- PromptSpy possesses a wide range of malicious capabilities, including remote access, data capture, and uninstallation blocking.
- The campaign currently targets users in Argentina, distributed through fake banking applications.
- This represents a growing trend of AI-powered malware, demanding increased vigilance and robust security measures.