DIGITAL LIFE

PromptSpy: the first Android malware to use generative AI

ESET Research has identified the PromptSpy malware, the first threat to the Android operating system to integrate generative artificial intelligence (AI) into its attack structure. The malicious code uses Google Gemini capabilities to interpret the victim's user interface (UI), allowing for adaptive data capture and evasion of conventional security mechanisms. The discovery, reported in February 2026, signals the evolution of mobile malware towards cognitively capable tools.

Unlike traditional threats that rely on fixed coordinates or static element identifiers, the PromptSpy malware uses language models to understand the visual context of the screen. Through the Google Gemini API, the malware sends screenshots for processing, receiving instructions on where to click or what information to extract from banking, messaging, or email applications.

The main purpose of PromptSpy is to deploy a built-in VNC module, giving operators remote access to the victim’s device. This Android malware also abuses the Accessibility Service to block uninstallation with invisible overlays, captures lockscreen data, records video. It communicates with its C&C server via the VNC protocol, using AES encryption.

Based on language localization clues and the distribution vectors observed during analysis, this campaign appears to be financially motivated and seems to primarily target users in Argentina. Interestingly, analyzed PromptSpy samples suggest that it was developed in a Chinese‑speaking environment.

PromptSpy is distributed by a dedicated website and has never been available on Google Play. As an App Defense Alliance partner, we nevertheless shared our findings with Google. Android users are automatically protected against known versions of this malware by Google Play Protect, which is enabled by default on Android devices with Google Play Services.

This approach allows attackers to bypass layout changes resulting from application updates or the use of different languages ​​and screen resolutions. Generative AI functions as a universal interpreter, making espionage effective across a wide range of devices without the need for manual reconfiguration of malicious source code.

PromptSpy’s AI-powered functionality...Even though PromptSpy uses Gemini in just one of its features, it still demonstrates how incorporating these AI tools can make malware more dynamic, giving threat actors ways to automate actions that would normally be more difficult with traditional scripting.

As was briefly mentioned already, Android malware usually depends on hardcoded screen features such as taps, coordinates, or UI selectors – methods that can break with UI changes across devices, OS versions, or manufacturer skins. PromptSpy aims to achieve persistence by staying embedded in the list of recent apps by executing the “lock app in recent apps” gesture (the full process is described in the Analysis section), which varies between devices and manufacturers. This makes it difficult to automate with fixed scripts traditionally used by Android malware.

PromptSpy therefore takes a completely different approach: it sends Gemini a natural‑language prompt along with an XML dump of the current screen, giving the AI a detailed view of every UI element: its text, type, and exact position on the display.

Gemini processes this information and responds with JSON instructions that tell the malware what action to perform (for example, a tap) and where to perform it. The malware saves both its previous prompts and Gemini’s responses, allowing Gemini to understand context and to coordinate multistep interactions.

The spread of PromptSpy occurs through the use of disguised "droppers" in utility applications, such as image editors or productivity tools distributed outside the Google Play Store. Once installed, the malware requests accessibility permissions, which it uses to monitor user activity and feed the AI ​​engine with real-time data.

To ensure persistence, the threat uses AI to detect attempts to uninstall or revoke permissions. In these cases, the malware intervenes in the interface, preventing the user from completing security actions. Data exfiltration is performed intermittently to avoid traffic spikes that could alert network monitoring tools.

Risks to the Android ecosystem...The introduction of generative AI in malware development reduces the technical barrier to creating sophisticated threats. According to ESET Research, the fact that the PromptSpy malware uses a legitimate tool like Gemini highlights the challenges that technology companies face in monitoring the misuse of artificial intelligence APIs. Protection against this type of malware requires deeper behavioral analysis, focused not only on the code but also on anomalous interactions between applications and external language models.

In the medium term, mobile security will have to evolve to detect the "cognitive signature" of these threats, identifying when an application of dubious origin establishes persistent communications with AI engines for screen analysis purposes.

mundophone