7 Sources
[1]
This Android Malware Connects to Google Gemini for Tips on Hacking Targets
Security researchers have uncovered an Android malware that connects to Google's Gemini chatbot to help it persist on an infected device. The malware appears to be targeting users in Argentina, and there are signs that its code was written by a Chinese speaker, according to antivirus provider ESET. "We discovered the first known Android malware to abuse generative AI in its execution flow," adds ESET researcher Lukas Stefanko. The malware has been dubbed "PromptSpy" because it sends predefined prompts to Gemini's API, ultimately installing a module that gives the attackers remote access to the Android device. ESET says the Gemini component of the malware is relatively minor, but it performs an important function by leveraging Google's chatbot tech to interpret the user interface on an infected Android device. "Specifically, Gemini is used to analyze the current screen and provide PromptSpy with step-by-step instructions on how to ensure the malicious app remains pinned in the recent apps list, thus preventing it from being easily swiped away or killed by the system," ESET wrote in the report. "Since Android malware often relies on UI navigation, leveraging generative AI enables the threat actors to adapt to more or less any device, layout, or OS version, which can greatly expand the pool of potential victims." The company traced the malware to a phishing site at "m-mgarg[.]com," which appeared to be delivering PromptSpy through a related domain, "mgardownload[.]com." Both domains were found offline. However, ESET spotted evidence that the sites were dressed up to impersonate the JPMorgan Chase Argentina banking brand. "The malware uses similar branding, with the app name MorganArg and the icon inspired by Chase Bank," the company added. "MorganArg, likely a shorthand for 'Morgan Argentina,' also appears as the name of the cached website, suggesting a regional targeting focus."
ESET discovered PromptSpy after samples of the malware were uploaded from Argentina to Google's malware-checking service, VirusTotal, earlier this month. The first stage of the attack prompts the user to grant permission to install the malicious app MorganArg. If permission is granted, the dropper then contacts an attacker-controlled server to install the remaining malware. This includes a Virtual Network Computing (VNC) module; once the app is granted Accessibility Service permissions, that module gives the attacker remote access to the Android device. "This allows the malware operators to see everything happening on the device, and to perform taps, swipes, gestures, and text input as though they were physically holding the phone," ESET says, noting the malware can also intercept the lockscreen PIN and record the user's screen. Removing the malware is difficult. PromptSpy has been designed to overlay "transparent rectangles on specific screen areas" that are invisible to the user and block taps on the uninstall and force stop functions that would shut down the MorganArg app. "The only way for a victim to remove it is to reboot the device into Safe Mode, where third‑party apps are disabled and can be uninstalled normally," ESET said. The code for PromptSpy also contains Chinese-language debug strings, suggesting a Chinese-speaking developer was behind its creation. "It should be noted that we haven't yet seen any samples of the PromptSpy dropper or its payload in our telemetry, which might indicate that both of them are just proofs of concept," ESET said. Still, the phishing site m-mgarg[.]com suggests that PromptSpy may already have been targeting select users in Argentina. PromptSpy is the latest malware to harness generative AI. In November, Google warned about two Windows-based malware strains dubbed "Promptflux" and "Promptsteal" that also connect to generative AI models to execute instructions.
In addition, Anthropic recently discovered hackers using its Claude AI chatbot to help plan large-scale data extortion campaigns and to develop ransomware. ESET adds that it never found the PromptSpy malware on the Google Play Store. "As an App Defense Alliance partner, we nevertheless shared our findings with Google. Android users are automatically protected against known versions of this malware by Google Play Protect, which is enabled by default on Android devices with Google Play Services." Google didn't immediately respond to a request for comment. Because the model and prompt are hard-coded but the Gemini API key is handed to the malware by the attackers' server, Google can cut off the current samples by revoking that key, though the operators could in principle push a replacement key from their server.
[2]
Android malware taps Gemini to navigate infected devices
Cybersecurity researchers say they've spotted the first Android malware strain that uses generative AI to improve performance once installed. But it may be only a proof of concept. ESET calls it PromptSpy, malware whose primary goal is to deploy a VNC module that hands hackers remote control of infected devices. The Slovak security shop's experts said PromptSpy comes with capabilities to instruct Google's Gemini chatbot to interpret parts of the device's user interface using natural language prompts. These prompts allow the malware to examine the user interface, which then informs the gestures it needs to execute on the device in order to keep the malicious app pinned to its recent apps list. Lukas Stefanko, malware researcher at ESET, said the use of GenAI amounts to only a small portion of the malware's toolkit, but allows it to adapt to different devices. "The AI model and prompt are predefined in the code and cannot be changed," he wrote. "Since Android malware often relies on UI navigation, leveraging generative AI enables the threat actors to adapt to more or less any device, layout, or OS version, which can greatly expand the pool of potential victims." Android malware usually relies on taps, coordinates, and UI selectors to execute tasks, but these have a tendency to break when running on different devices, which makes the use of Gemini a clever way to bypass this common issue. PromptSpy submits a natural language prompt to Gemini, together with an XML dump of the device's current screen, and the chatbot returns JSON instructions for what action to perform and where to perform it to keep the app pinned in the user's recents list. This process repeats until Gemini tells PromptSpy that the app is in position. ESET found the precursor versions, which it calls VNCSpy, uploaded to VirusTotal from Hong Kong in January, with the Gemini-assisted PromptSpy strains submitted from Argentina in February. Analysis of the app's code suggests it was developed by Chinese speakers to assist financially motivated cybercriminals.
Stefanko said PromptSpy has not yet appeared in any of ESET's telemetry findings, suggesting it remains a proof of concept. However, the team found what appears to be a distribution domain, which could suggest it is being used to support real-world attacks. The domains ESET investigated are now offline, but cached versions revealed they were likely trying to imitate a Chase Bank website. PromptSpy is not on the Google Play Store, and given Google's recent clampdown on sideloading apps, it's unclear how the attackers planned to get the app loaded onto devices. Once installed, the app can intercept lockscreen PINs or passwords, capture the pattern unlock screen as a video, record the screen and user's gestures, and take screenshots in addition to the Gemini interactions. It also works to prevent the user from uninstalling the app or force-quitting it by placing transparent boxes over screen elements. The boxes are invisible to the user, who would press the button's location on the screen, only for nothing to happen. The only way to uninstall it is to reboot the device in safe mode, where third-party apps are blocked, and then go through the usual uninstall routine. "PromptSpy shows that Android malware is beginning to evolve in a sinister way," said Stefanko. "By relying on generative AI to interpret on‑screen elements and decide how to interact with them, the malware can adapt to virtually any device, screen size, or UI layout it encounters. "More broadly, this campaign shows how generative AI can make malware far more dynamic and capable of real‑time decision‑making. PromptSpy is an early example of generative AI‑powered Android malware, and it illustrates how quickly attackers are beginning to misuse AI tools to improve impact." The finding follows ESET's work to unearth PromptLock, which it says is the first AI-powered ransomware payload. 
As revealed in an interview with The Register, PromptLock's code was uploaded by the developers to VirusTotal only to check if it would get past modern defense mechanisms. A team of engineers at New York University worked up the code as part of a research project they hoped would land them a speaking spot at security conferences. The binary stayed in VirusTotal for some time before ESET found it. Bemused when the news reports circulated following ESET's blog post outlining PromptLock, the NYU students contacted the Slovak security company to say that the malware was just a proof of concept. Md Raz, one of the students and doctoral candidates behind PromptLock, "couldn't believe it" when he realized that people were writing about his work. After receiving the message from Raz and his colleagues, ESET updated its post on X to note that its finding was a research project, one that wouldn't function outside of a lab. "This supports our belief that it was a proof of concept rather than fully operational malware deployed in the wild," the company said. "Nonetheless, our findings remain valid - the discovered samples represent the first known case of AI-powered ransomware."
[3]
PromptSpy is the first Android malware to use generative AI at runtime
Researchers have discovered the first known Android malware to use generative AI in its execution flow, using Google's Gemini model to adapt its persistence across different devices. In a report today, ESET researcher Lukas Stefanko explains how a new Android malware family named "PromptSpy" is abusing the Google Gemini AI model to help it achieve persistence on infected devices. "In February 2026, we uncovered two versions of a previously unknown Android malware family," explains ESET. "The first version, which we named VNCSpy, appeared on VirusTotal on January 13th, 2026 and was represented by three samples uploaded from Hong Kong. On February 10th, 2026, four samples of more advanced malware based on VNCSpy were uploaded to VirusTotal from Argentina." While machine learning models have previously been used by Android malware to analyze screenshots for ad fraud, ESET says that PromptSpy is the first known case of Android malware integrating generative AI directly into its execution. On some Android devices, users can "lock" or "pin" an app in the Recent Apps list by long-pressing it and selecting a lock option. When an app is locked this way, Android is less likely to terminate it during memory cleanup or when the user taps "Clear all." For legitimate apps, this prevents background processes from being killed. For malware like PromptSpy, it can serve as a persistence mechanism. However, the method used to lock or pin an app varies between manufacturers, making it hard for malware to script the right way to do so on every device. That is where AI comes into play. PromptSpy sends Google's Gemini model a chat prompt along with an XML dump of the current screen, including the visible UI elements, text labels, class types, and screen coordinates. Gemini then responds with JSON-formatted instructions describing the action to take on the device to pin the app. 
The malware executes the action through Android's Accessibility Service, retrieves the updated screen state, and sends it back to Gemini in a loop until the AI confirms that the app has been successfully locked in the recent apps list. "Even though PromptSpy uses Gemini in just one of its features, it still demonstrates how incorporating these AI tools can make malware more dynamic, giving threat actors ways to automate actions that would normally be more difficult with traditional scripting," explains ESET. While using an LLM to drive behavior at run time is novel, PromptSpy's primary functionality is to act as spyware. The malware includes a built-in VNC module that allows the threat actors to gain full remote access to the device once Accessibility permissions are granted. Using this access, the threat actors can view and control the Android screen in real time. According to ESET, the malware can intercept the lockscreen PIN or password, capture the pattern unlock screen as a video, record the screen, take screenshots on demand, and gather device information. To make removal harder, when users attempt to uninstall the app or turn off Accessibility permissions, the malware overlays transparent, invisible rectangles over UI buttons that display strings like "stop," "end," "clear," and "Uninstall." When a user taps the button to stop or uninstall the app, they instead tap the invisible overlay, which blocks removal. Stefanko says that victims must reboot into Android Safe Mode so that third-party apps are disabled and cannot block the malware's uninstall. ESET told BleepingComputer that it has not yet observed PromptSpy or its dropper in its telemetry, so it is unclear whether the malware is anything more than a proof of concept. "We haven't seen any signs of the PromptSpy dropper or its payload in our telemetry so far, which could mean they're only proofs of concept," Stefanko told BleepingComputer.
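The observe, ask, act loop described above, written out as an added example that is neither ESET's analysis code nor PromptSpy's own. It assumes a uiautomator-style XML screen dump (the `node` elements with `text`, `class`, `clickable`, `content-desc` and `bounds="[x1,y1][x2,y2]"` attributes that `adb shell uiautomator dump` produces) and a JSON action schema of the form `{"action": "tap" | "long_press" | "done", "x": ..., "y": ...}`; both are assumptions, since ESET has not published the exact prompt or response format. Gemini is replaced by a deterministic stub that makes the same kind of decision from the XML, and the device by a constructed recent-apps screen on which the lock option only appears after a long-press on the app card. What a practitioner should take from it is the shape of the contract (XML in, JSON out, re-observe, repeat) and the two failure modes the loop has to handle: a reply that is not valid JSON, and a model that never reports success, which is why the loop is capped.

```python
"""Added example: the XML-in, JSON-out persistence loop the page describes,
with a deterministic stub standing in for Gemini and a constructed screen
standing in for a device. Not PromptSpy's code; the XML and JSON formats are
assumptions."""
import json
import re
import xml.etree.ElementTree as ET

# uiautomator writes element bounds as "[x1,y1][x2,y2]"
BOUNDS_RE = re.compile(r"\[(\d+),(\d+)\]\[(\d+),(\d+)\]")


def parse_nodes(xml_dump):
    """Flatten a uiautomator-style hierarchy into a list of UI elements."""
    nodes = []
    for node in ET.fromstring(xml_dump).iter("node"):
        m = BOUNDS_RE.match(node.get("bounds", ""))
        if not m:
            continue  # an element without bounds cannot be tapped
        x1, y1, x2, y2 = map(int, m.groups())
        nodes.append({
            "text": node.get("text", ""),
            "desc": node.get("content-desc", ""),
            "class": node.get("class", ""),
            "clickable": node.get("clickable") == "true",
            "bounds": (x1, y1, x2, y2),
            "center": ((x1 + x2) // 2, (y1 + y2) // 2),
        })
    return nodes


def stub_model(target_app, xml_dump):
    """Stand-in for the Gemini call. Returns a JSON *string*, as a model would,
    so the caller has to parse it exactly as the real malware must."""
    nodes = parse_nodes(xml_dump)
    if any(n["desc"] == "Locked" for n in nodes):
        return json.dumps({"action": "done"})
    for n in nodes:  # a visible lock option: tap it
        if n["clickable"] and re.search(r"\block\b", n["text"], re.I):
            return json.dumps({"action": "tap", "x": n["center"][0], "y": n["center"][1]})
    for n in nodes:  # otherwise long-press the app's card to open its menu
        if n["clickable"] and n["text"] == target_app:
            return json.dumps({"action": "long_press", "x": n["center"][0], "y": n["center"][1]})
    return json.dumps({"action": "unknown"})  # target app is not on screen


class FakeRecents:
    """Constructed recent-apps screen. The lock entry only appears after a
    long-press on the app card, as on many vendor launchers."""
    CARD = '<node text="%s" class="android.widget.TextView" clickable="true" bounds="[100,400][980,1200]"/>'
    MENU = ('<node text="Lock" class="android.widget.TextView" clickable="true" bounds="[200,1300][500,1400]"/>'
            '<node text="App info" class="android.widget.TextView" clickable="true" bounds="[600,1300][900,1400]"/>')
    LOCKED = '<node text="" content-desc="Locked" class="android.widget.ImageView" clickable="false" bounds="[900,420][960,480]"/>'

    def __init__(self, app="MorganArg"):
        self.app, self.state = app, "cards"

    def dump(self):
        body = self.CARD % self.app
        if self.state == "menu":
            body += self.MENU
        elif self.state == "locked":
            body += self.LOCKED
        return '<hierarchy rotation="0">%s</hierarchy>' % body

    def perform(self, action):
        """Apply a gesture at (x, y), the way an Accessibility Service would."""
        x, y = action["x"], action["y"]
        for n in parse_nodes(self.dump()):
            x1, y1, x2, y2 = n["bounds"]
            if not (n["clickable"] and x1 <= x <= x2 and y1 <= y <= y2):
                continue
            if n["text"] == self.app and action["action"] == "long_press" and self.state == "cards":
                self.state = "menu"
            elif n["text"] == "Lock" and action["action"] == "tap" and self.state == "menu":
                self.state = "locked"
            return


def pin_app(device, target_app, model=stub_model, max_steps=8):
    """Observe -> ask model -> act, until the model reports done. Returns
    (success, action_history). The step cap stops a model that never says
    done from spinning forever; a non-JSON reply ends the loop as a failure."""
    history = []
    for _ in range(max_steps):
        raw = model(target_app, device.dump())
        try:
            action = json.loads(raw)
        except json.JSONDecodeError:
            history.append({"action": "unparseable", "raw": raw})
            return False, history
        history.append(action)
        kind = action.get("action")
        if kind == "done":
            return True, history
        if kind in ("tap", "long_press"):
            device.perform(action)
        else:
            return False, history  # model could not find the target
    return False, history


if __name__ == "__main__":
    ok, steps = pin_app(FakeRecents(), "MorganArg")
    print(ok, [s["action"] for s in steps])
```

Run directly, it prints the happy path (`long_press`, `tap`, `done`). The `max_steps` cap and the unparseable-reply branch are what separate a loop that tolerates a model refusal or a layout it cannot read from one that spins or crashes; an analyst reconstructing the real loop should expect both cases in the malware's control flow.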
However, as VirusTotal indicates that several samples were previously distributed via the dedicated domain mgardownload[.]com and used a web page on m-mgarg[.]com to impersonate JPMorgan Chase Bank, it may have been used in actual attacks. "Still, because there appears to be a dedicated domain that was used to distribute them, and fake bank website, we can't rule out the possibility that both the dropper and PromptSpy are or were in the wild," Štefanko added. While the distribution of this malware appears very limited, it demonstrates how threat actors are using generative AI not only to create attacks and phishing sites, but also to modify malware behavior in real time. Earlier this month, Google Threat Intelligence reported that state-sponsored hackers are also using Google's Gemini AI model to support all stages of their attacks, from reconnaissance to post-compromise actions.
[4]
PromptSpy Android Malware Abuses Gemini AI to Automate Recent-Apps Persistence
Cybersecurity researchers have discovered what they say is the first Android malware that abuses Gemini, Google's generative artificial intelligence (AI) chatbot, as part of its execution flow in order to achieve persistence. The malware has been codenamed PromptSpy by ESET. The malware is equipped to capture lockscreen data, block uninstallation efforts, gather device information, take screenshots, and record screen activity as video. "Gemini is used to analyze the current screen and provide PromptSpy with step-by-step instructions on how to ensure the malicious app remains pinned in the recent apps list, thus preventing it from being easily swiped away or killed by the system," ESET researcher Lukáš Štefanko said in a report published today. "Since Android malware often relies on UI navigation, leveraging generative AI enables the threat actors to adapt to more or less any device, layout, or OS version, which can greatly expand the pool of potential victims." Specifically, this involves hard-coding the AI model and a prompt in the malware, assigning the AI agent the persona of an "Android automation assistant." It sends Gemini a natural language prompt along with an XML dump of the current screen that gives detailed information about every UI element, including its text, type, and exact position on the display. Gemini then processes this information and responds with JSON instructions that tell the malware what action to perform (e.g., a tap) and where to perform it. The multi-step interaction continues until the app is locked in the recent apps list, where it is protected from being swiped away or killed during memory cleanup. The main goal of PromptSpy is to deploy a built-in VNC module that grants the attackers remote access to the victim's device. The malware is also designed to take advantage of Android's accessibility services and invisible overlays to prevent itself from being uninstalled. It communicates with a hard-coded command-and-control (C2) server ("54.67.2[.]84") via the VNC protocol.
It's worth noting that the actions suggested by Gemini are executed through accessibility services, allowing the malware to interact with the device without user input. The C2 server supplies the Gemini API key and issues the operators' commands: take screenshots on demand, intercept the lockscreen PIN or password, record the screen, and capture the pattern unlock screen as a video. An analysis of the language localization clues and the distribution vectors used suggests that the campaign is likely financially motivated and targets users in Argentina. Interestingly, evidence shows that PromptSpy was developed in a Chinese‑speaking environment, as indicated by the presence of debug strings written in simplified Chinese. "PromptSpy is distributed by a dedicated website and has never been available on Google Play," Štefanko said. PromptSpy is assessed to be an advanced version of another previously unknown Android malware called VNCSpy, samples of which were first uploaded to the VirusTotal platform last month from Hong Kong. The website "mgardownload[.]com" is used to deliver a dropper, which, when installed and launched, opens a web page hosted on "m-mgarg[.]com." It masquerades as JPMorgan Chase, going by the name "MorganArg" in reference to Morgan Argentina. The dropper also instructs victims to grant it permission to install apps from unknown sources so that it can deploy PromptSpy. "In the background, the Trojan contacts its server to request a configuration file, which includes a link to download another APK, presented to the victim, in Spanish, as an update," ESET said. "During our research, the configuration server was no longer accessible, so the exact download URL remains unknown." The findings illustrate how threat actors are incorporating AI tools into their operations to make malware more dynamic, giving them ways to automate actions that would otherwise be more challenging with conventional approaches.
Because PromptSpy prevents itself from being uninstalled by overlaying invisible elements on the screen, the only way for a victim to remove it is to reboot the device into Safe Mode, where third‑party apps are disabled and can be uninstalled. "PromptSpy shows that Android malware is beginning to evolve in a sinister way," ESET said. "By relying on generative AI to interpret on‑screen elements and decide how to interact with them, the malware can adapt to virtually any device, screen size, or UI layout it encounters." "Instead of hardcoded taps, it simply hands AI a snapshot of the screen and receives precise, step‑by‑step interaction instructions in return, helping it achieve a persistence technique resistant to UI changes."
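A triage check that follows from the removal advice above, added here as an example and not drawn from ESET's report. On a device where USB debugging is already enabled, two adb queries identify which third-party packages currently hold an Accessibility Service binding, the capability PromptSpy needs both for its VNC control and for its overlay trick. The function parses constructed copies of the output of `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of flattened `package/ServiceClass` component names, or the literal `null`) and `adb shell pm list packages -3` (one `package:<name>` line per third-party app), drops an allowlist of tools the owner knowingly installed, and emits the adb commands that strip the binding and uninstall each suspect. Package names in the sample data are made up. If debugging is not already on, the malware's overlays stop you from enabling it in Settings, and Safe Mode remains the route ESET describes.

```python
"""Added example (not from ESET's report): triage of Accessibility Service
holders from adb output. Sample data below is constructed and package names
are made up."""
import shlex

SETTING_KEY = "enabled_accessibility_services"


def parse_accessibility_services(setting_value):
    """Package names from `settings get secure enabled_accessibility_services`.
    The value is ':'-separated flattened ComponentNames such as
    com.pkg/com.pkg.MyService or com.pkg/.MyService, or the literal 'null'."""
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    return [entry.split("/", 1)[0] for entry in value.split(":") if entry]


def parse_third_party_packages(pm_output):
    """Package names from `pm list packages -3` ('package:<name>' per line)."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}


def triage(setting_value, pm_output, allowlist=frozenset()):
    """Return (suspects, commands): third-party packages that hold an
    accessibility binding and are not allowlisted, plus the adb commands that
    first rewrite the setting without them (so the service stops) and then
    uninstall each one. System apps such as TalkBack never appear in -3 output
    and are therefore ignored."""
    third_party = parse_third_party_packages(pm_output)
    holders = parse_accessibility_services(setting_value)
    suspects = [p for p in holders if p in third_party and p not in allowlist]
    commands = []
    if suspects:
        keep = ":".join(e for e in setting_value.strip().split(":")
                        if e and e.split("/", 1)[0] not in suspects)
        if keep:
            commands.append(f"adb shell settings put secure {SETTING_KEY} {shlex.quote(keep)}")
        else:
            commands.append(f"adb shell settings delete secure {SETTING_KEY}")
        commands += [f"adb shell pm uninstall --user 0 {shlex.quote(p)}" for p in suspects]
    return suspects, commands


# Constructed sample output: TalkBack (a system app) and a fake banking app
# both hold bindings; only the latter is a third-party package.
SAMPLE_SETTING = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.fakebank/.core.UiService")
SAMPLE_PM = "package:com.example.fakebank\npackage:com.whatsapp\npackage:com.example.notes\n"

if __name__ == "__main__":
    found, cmds = triage(SAMPLE_SETTING, SAMPLE_PM)
    print("suspects:", found)
    print("\n".join(cmds))
```

The order matters: rewriting the setting first unbinds the service, so the app loses the accessibility hooks that let it draw its blocking overlays and drive the screen before the uninstall runs. On a device without adb access, the same two steps are what Safe Mode gives you by disabling third-party apps wholesale.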
[5]
Android malware is now using Google's own Gemini AI to adapt in real time
It's been a worrying week on the Android malware front. On Tuesday, we learned of tablets shipping with hidden malware already embedded in their firmware. Now, researchers say they've spotted something arguably more futuristic: Android malware that uses Google's own Gemini AI model during execution. According to a report highlighted by BleepingComputer, ESET researchers have uncovered a new Android malware family dubbed PromptSpy. Unlike traditional malware that relies entirely on hardcoded instructions, this strain queries Google's Gemini generative AI model at runtime to help it carry out part of its behavior. In this case, the malware sends Gemini information about what's currently visible on the infected device's screen and asks for guidance on what to do next. That allows it to adapt to differences between Android devices and interfaces, rather than relying on a rigid script that might only work on certain models.
[6]
New Android malware uses Gemini AI to learn how to run on specific devices
It's no secret that AI is being added to everything. The companies doing this want us to believe it's making our lives better, but AI is obviously being used in nefarious ways, too. A new discovery shows that Google's own Gemini AI is being used to help malware run on various Android devices. Researchers at ESET recently uncovered a new type of malware that they're calling "PromptSpy." It's different from malware in the past that has used machine learning. Android devices are all slightly different, and PromptSpy uses generative AI to adapt to each device in real time. Here's how it works: Almost all Android devices have some sort of feature that allows users to pin or lock an app to the Recent Apps list (not the same as App Pinning). This makes Android much less likely to close the app during memory cleanup, even if the user hasn't opened it in a while. If an app isn't pinned, the Android OS will eventually close it to devote resources elsewhere.
Malware can use this feature to sneakily stay active in the background. The problem for malware is that the way devices pin or lock apps varies greatly by manufacturer. So, PromptSpy feeds an XML dump of the current screen to Gemini, and Gemini uses that to work out which on-screen element to act on and sends the appropriate instruction for how to pin the app back to PromptSpy. It then attempts to pin the app, and it has Gemini double-check that it worked. This happens in a loop until it confirms the app has been successfully pinned. Once PromptSpy has access to the device, it can read your lock screen PIN or password, record a video of your pattern unlock, capture screenshots and screen activity whenever it wants, and just generally keep tabs on what you're doing. It also includes a VNC module, which is especially dangerous as it gives a remote attacker full control over your device as if they were holding it in their hands. The fun doesn't end with AI, though. If the user figures out what's happening, PromptSpy also makes it difficult to stop it by placing transparent rectangles over the "Uninstall" or "Deactivate" buttons. You think you're getting rid of it, but you're actually tapping dead zones that don't do anything. The good news is that ESET hasn't seen this spreading widely yet, and it might still be in a testing or proof-of-concept phase. However, the samples were found on a domain impersonating JPMorgan Chase, so the intent to steal is clearly there. If you ever feel like you're infected with something this tricky, the ESET researcher recommends rebooting into Safe Mode.
This disables third-party apps and ensures nothing can get in the way when you try to uninstall the malware. Via: Bleeping Computer
[7]
PromptSpy malware uses AI tools and Gemini to hijack Android devices
Chinese-developed PromptSpy malware abuses Gemini AI to hijack Android devices
* PromptSpy malware uses Gemini to automate its persistence
* The malware blocks removal with transparent overlays on uninstall and stop buttons
* Gemini interprets screen data and returns actionable gestures
Security experts have revealed new findings on PromptSpy, an Android malware whose code contains a predefined prompt and AI configuration that are hardcoded and cannot be changed at runtime. The malware uses Google's Gemini to interpret on-screen elements and provide step-by-step instructions for interacting with the user interface. By sending XML snapshots of the device screen to Gemini, PromptSpy receives the precise gestures, taps, and swipes needed to keep its app pinned in the recent apps list.
Persistence through AI-guided interface interaction
New information from researchers at ESET outlines how this is the first known instance of Android malware using generative AI in its execution flow. PromptSpy's infection chain begins with a dropper application that mimics a legitimate update in Spanish and encourages users to install the app. Once installed, the payload requests Accessibility Service permissions, which enable the malware to capture detailed UI information and perform automated interactions. Using this data, PromptSpy continuously communicates with Gemini, sending XML snapshots of the screen and receiving step-by-step instructions to lock itself in the recent apps list. Transparent overlays on uninstall or stop buttons prevent normal removal and require users to enter Safe Mode to uninstall the app. The malware also contains a VNC module that allows operators to remotely monitor devices and interact with the interface, so it can intercept lock screen credentials, record user gestures, take screenshots, and capture video of the device's activity. Communication with the command-and-control server is encrypted using AES, which is how the malware receives its Gemini API keys.
A portion of the code uses generative AI to interpret UI scenarios and provide step-by-step instructions to maintain persistence. The localization details of this malware indicate that PromptSpy was developed in a Chinese-speaking environment; however, its distribution appears to have targeted Spanish-speaking users in South America, specifically Argentina. The malware is not available on Google Play, but Google Play Protect provides protection against known versions. PromptSpy requests Accessibility Service permissions, captures device UI context, and performs actions in the background without user input. It locks itself in the recent apps list using AI instructions from Gemini and overlays transparent elements on uninstall buttons to block removal. The dropper application uses a fake update screen in Spanish to prompt installation of the payload. Once launched, PromptSpy communicates with its hardcoded command-and-control server to receive instructions, including Gemini API keys. The malware captures XML snapshots of the device screen and sends them to Gemini, which returns JSON-formatted instructions that the malware executes to ensure persistence.
Security researchers at ESET have discovered PromptSpy, the first known Android malware using generative AI during execution. The malware leverages Google's Gemini chatbot to interpret device interfaces and maintain persistence, while deploying a VNC module for remote access. Targeting users in Argentina through fake banking sites, PromptSpy demonstrates how threat actors are integrating AI to make malware more adaptive and difficult to remove.
Security researchers at ESET have uncovered PromptSpy, the first known Android malware to use generative AI in its execution flow. The strain queries Google's Gemini model at runtime to help it persist on infected devices [1]. According to ESET researcher Lukas Stefanko, the malware sends a predefined prompt to Gemini's API to interpret the user interface on the infected device and receive step-by-step instructions; the model and prompt are hard-coded and cannot be changed at runtime [1][2]. The Gemini component is a small part of PromptSpy's overall capabilities, but it lets the malware adapt to devices and layouts its authors never scripted for, which ESET says can greatly expand the pool of potential victims [1].
The Gemini integration serves one persistence mechanism: keeping the malicious app pinned (locked) in the recent apps list, where it is less likely to be swiped away or killed by the system. PromptSpy sends Gemini a natural-language prompt together with an XML dump of the current screen, covering the visible UI elements, text labels, class types, and screen coordinates [3]. Gemini responds with JSON-formatted instructions describing what action to take and where on the screen to perform it [3]. The malware executes the action through Android's Accessibility Service, captures the updated screen state, and sends it back to Gemini in a loop until the model confirms the app has been locked [3]. Because the way an app is pinned varies between manufacturers, this lets the malware adapt across devices, layouts, and OS versions, where traditional Android malware that relies on hard-coded taps, coordinates, and UI selectors tends to break [2].
While the AI-assisted persistence is novel, PromptSpy's primary goal is to deploy a built-in VNC module that grants the operators remote access to, and control over, the infected device [4]. Once Accessibility Service permissions are granted, the operators can see everything happening on the device and perform taps, swipes, gestures, and text input as though they were physically holding the phone [1]. The spyware can intercept lockscreen PINs and passwords, capture the pattern unlock screen as video, record screen activity, take screenshots on demand, and gather device information [3]. It communicates with a hard-coded command-and-control server at 54.67.2[.]84 over the VNC protocol; the AES-encrypted C2 channel also delivers the Gemini API key the malware uses [4][7].
PromptSpy also resists removal. When the user tries to uninstall the app or disable its Accessibility Service, the malware overlays transparent rectangles over the relevant buttons, those labelled with strings such as "stop," "end," "clear," and "Uninstall" [3]. The user's taps land on the invisible overlay instead of the button, so removal through Settings silently fails [1]. According to ESET, the only way to remove PromptSpy is to reboot the device into Safe Mode, where third-party apps are disabled and can be uninstalled normally [1]. ESET traced the campaign to two domains, both offline during the investigation: mgardownload[.]com served the dropper, which on launch opened a page hosted on m-mgarg[.]com, and cached copies show both impersonated the JPMorgan Chase Argentina banking brand [1][4]. The dropper asks for permission to install apps from unknown sources and then fetches a configuration file from its server containing a link to a second APK, presented to the victim in Spanish as an update [4]. The malware uses matching branding, with the app name MorganArg (likely "Morgan Argentina") and an icon inspired by Chase Bank, suggesting a regional focus on Argentina [1]. ESET first saw the precursor, VNCSpy, in three samples uploaded to VirusTotal from Hong Kong on January 13, 2026; four samples of the more advanced, Gemini-assisted PromptSpy were uploaded from Argentina on February 10, 2026 [3]. Debug strings written in simplified Chinese suggest the code was developed in a Chinese-speaking environment, and the banking lure points to a financially motivated campaign [4].
Whether PromptSpy is an active threat or a proof of concept remains unclear. ESET told BleepingComputer it has not observed the malware or its dropper in its telemetry, which could mean both are only proofs of concept [3]. However, the dedicated distribution domain and fake bank website mean ESET cannot rule out that the dropper and PromptSpy are, or were, in the wild [3]. The malware was never available on the Google Play Store; as an App Defense Alliance partner, ESET shared its findings with Google [1]. Android users are automatically protected against known versions through Google Play Protect, which is enabled by default on devices with Google Play Services [1].
PromptSpy joins a growing list of threats that incorporate generative AI into their operations. In November 2025, Google warned about Windows-based malware strains dubbed Promptflux and Promptsteal that also connect to generative AI models to execute instructions [1]. Anthropic has reported attackers using its Claude chatbot to plan large-scale data extortion campaigns and develop ransomware [1]. ESET's earlier PromptLock find turned out to be an academic proof of concept, a reminder that a VirusTotal upload alone is not evidence of an in-the-wild campaign [2]. The broader point stands: generative AI lets threat actors automate actions that would be harder with conventional scripting, making malware more dynamic and capable of real-time decision-making [2][3]. For Android users, the practical defenses are the familiar ones: avoid sideloading apps from unknown sources, treat unexpected "update" prompts and banking apps offered outside Google Play with suspicion, review which apps hold Accessibility Service access, and, if an app blocks its own removal, reboot into Safe Mode and uninstall it there.