PromptSpy: First Android Malware to Weaponize Generative AI at Runtime

ESET discovers Android malware that queries Google's Gemini AI in real time to navigate infected devices and maintain persistence across any Android version.

Security researchers have discovered the first known Android malware that weaponizes generative AI at runtime. Called PromptSpy, it queries Google’s Gemini model in real time to figure out how to navigate infected devices and stay hidden - a technique that lets it adapt to any Android version or device layout automatically.

ESET researcher Lukáš Štefanko identified two versions of PromptSpy in February 2026. Rather than hardcoding screen coordinates that break across different phones, the malware outsources its UI navigation to an AI assistant. This makes it far more versatile than traditional Android threats.

How PromptSpy Uses Gemini

The malware assigns Gemini the role of an “Android automation assistant.” When it needs to perform an action, PromptSpy sends the AI an XML dump of the current screen - complete with UI element positions, text labels, and class types - alongside a natural language prompt.

Gemini responds with JSON-formatted instructions specifying exactly where to tap and what actions to take. The malware then executes those instructions using Android’s Accessibility Services.

“Leveraging generative AI enables the threat actors to adapt to more or less any device, layout, or OS version,” the ESET researchers noted. This is a significant advantage over traditional coordinate-based automation, which frequently fails when screens differ between devices.

The primary use case: keeping PromptSpy pinned in the Recent Apps list so users can’t easily swipe it away or kill the process. Every time the screen changes, the malware consults Gemini for new instructions.

Full Remote Control

Beyond the AI-assisted persistence, PromptSpy functions as a capable spyware toolkit:

  • VNC remote access: A built-in Virtual Network Computing module lets attackers see the screen and control the device remotely via a command-and-control server at 54.67.2[.]84
  • Credential theft: Captures lockscreen PIN entries and records pattern unlock attempts as video
  • Screen surveillance: Takes screenshots and records full screen activity
  • Anti-removal: Overlays invisible elements over uninstall buttons, forcing victims to reboot into Safe Mode to delete the app
  • Device reconnaissance: Gathers installed apps lists, device info, and system details

The C2 server also provides PromptSpy with the Gemini API keys it needs to operate, keeping those credentials out of the malware’s code.

Distribution and Targets

PromptSpy spreads through a dedicated malicious website (mgardownload[.]com) rather than the Google Play Store. The dropper displays pages impersonating JPMorgan Chase under branding like “MorganArg” and prompts users to enable installation from unknown sources.

Evidence points to financially motivated attacks primarily targeting Argentina. All prompts to victims appear in Spanish, and samples were uploaded to VirusTotal from Argentina. However, debug strings in simplified Chinese and functions handling Chinese Accessibility event types suggest development in a Chinese-speaking environment.

PromptSpy evolved from an earlier variant called VNCSpy. This is the second AI-powered malware ESET has discovered, following PromptLock ransomware found in August 2025.

Google’s Response

Google told Android Authority: “Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services.”

Play Protect can warn users about or block apps displaying malicious behavior, even when installed from outside the Play Store. ESET shared their findings with Google before publication.

What This Means

PromptSpy demonstrates that generative AI isn’t just a tool for defenders - attackers are finding practical uses too. By delegating UI automation to an AI model, malware authors can write code once and have it work across the fragmented Android ecosystem without device-specific modifications.

The implications extend beyond this single sample. If AI can help malware navigate screens, it can potentially help with other tasks: social engineering, phishing message generation, or adapting to security software. We’ve seen theoretical discussions of AI-enhanced malware for years. PromptSpy shows it’s no longer theoretical.

How to Protect Yourself

  • Keep Play Protect enabled - it’s your first line of defense against known threats
  • Avoid installing apps from websites, especially those asking you to “enable unknown sources”
  • Be suspicious of apps impersonating banks, particularly if they didn’t come from official sources
  • If an app seems impossible to uninstall, reboot into Safe Mode (hold power button, then long-press “Power off” and confirm Safe Mode)
  • Check your installed apps list for anything you don’t recognize, especially apps requesting Accessibility Services
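The last check above can be done systematically. The following triage helper is an added example, not code from ESET or the article: it parses the output of two standard adb commands and flags third-party apps that were not installed by the Play Store yet have an enabled Accessibility Service, the combination PromptSpy depends on. The sample command output and every package name in it are constructed for the example, not indicators from the report.

```python
"""Added triage helper: flag sideloaded apps holding Accessibility access.

Parses the text output of two adb commands run against the device:
    adb shell pm list packages -3 -i
    adb shell settings get secure enabled_accessibility_services
"""
PLAY_STORE_INSTALLER = "com.android.vending"
# Constructed sample output of `pm list packages -3 -i` (third-party packages
# plus the installer that placed them). Names are hypothetical, not IoCs.
SAMPLE_PACKAGES = """\
package:com.whatsapp  installer=com.android.vending
package:com.example.morganarg  installer=com.android.packageinstaller
package:org.mozilla.firefox  installer=com.android.vending
"""

# Constructed sample output of `settings get secure enabled_accessibility_services`
# (colon-separated package/service components; TalkBack is a legitimate system app).
SAMPLE_A11Y = (
    "com.example.morganarg/com.example.morganarg.SvcA11y:"
    "com.google.android.marvin.talkback/.TalkBackService"
)

def parse_installers(pm_output: str) -> dict[str, str]:
    """Map package name -> installer from `pm list packages -i` lines."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            name, _, installer = line[len("package:"):].partition("installer=")
            installers[name.strip()] = installer.strip() or "unknown"
    return installers

def parse_enabled_a11y(settings_output: str) -> dict[str, list[str]]:
    """Group enabled accessibility service components by owning package."""
    by_pkg: dict[str, list[str]] = {}
    for component in settings_output.strip().split(":"):
        pkg, sep, svc = component.partition("/")
        if sep:  # skips the literal "null" returned when nothing is enabled
            by_pkg.setdefault(pkg, []).append(svc)
    return by_pkg

def flag_sideloaded_a11y(pm_output: str, settings_output: str) -> list[tuple]:
    """Apps not installed via Play that have an enabled accessibility service."""
    installers = parse_installers(pm_output)
    return [
        (pkg, installers[pkg], services)
        for pkg, services in parse_enabled_a11y(settings_output).items()
        if pkg in installers and installers[pkg] != PLAY_STORE_INSTALLER
    ]
```

Anything returned deserves a closer look; a flagged app that also cannot be uninstalled normally matches the anti-removal behaviour described above and is a candidate for the Safe Mode procedure.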

PromptSpy may be a proof of concept that hasn’t spread widely yet - ESET hasn’t observed it in their telemetry outside of research samples. But the technique is out there now, and others will build on it. The era of AI-assisted mobile malware has arrived.