AI-Powered Android Malware: PromptSpy Uses Gemini to Take Control of Phones

by Rachel Kim – Technology Editor

A recent strain of Android malware, dubbed PromptSpy, uses Google’s Gemini artificial intelligence model to establish persistent access to compromised devices, according to research published Tuesday by the cybersecurity firm ESET. The malware represents the first known instance of generative AI being used in this manner by Android threats.

PromptSpy disguises itself as a seemingly legitimate application, initially identified as a fake banking app named “MorganArg,” and attempts to gain extensive permissions on a user’s device. Once granted, the malware can monitor screen activity, intercept messages, and potentially facilitate fraudulent transactions, ESET researchers found.

The malware’s core functionality centers around deploying a Virtual Network Computing (VNC) module, granting attackers remote control over the infected device. This allows them to view the screen in real time and perform actions as if physically interacting with the phone. PromptSpy also attempts to block uninstallation, gather device information, take screenshots, and record screen activity as video, according to ESET’s analysis.

What distinguishes PromptSpy is its innovative use of AI. Instead of relying on pre-programmed instructions, the malware sends screenshots of the current phone display to Google’s Gemini AI. Gemini then analyzes the screen and provides PromptSpy with step-by-step instructions on how to navigate the user interface, specifically to ensure the malicious app remains “pinned” in the recent applications list, preventing it from being easily closed or removed by the system. This adaptability allows PromptSpy to function across a wider range of Android versions and devices, according to ESET.

“Since Android malware often relies on UI navigation, leveraging generative AI enables the threat actors to adapt to more or less any device, layout, or OS version, which can greatly expand the pool of potential victims,” ESET researchers wrote in their report. The AI model and the prompts used are pre-defined within the malware’s code and cannot be altered by the user.

ESET’s investigation suggests the developers of PromptSpy may have ties to a Chinese-speaking environment. The malware is distributed through a dedicated website, bypassing the security measures of the Google Play Store, although Google Play Protect is capable of detecting known versions of the malware. This is the second AI-powered malware discovered by ESET, following PromptLock, an AI-driven ransomware strain identified in August 2025.

To mitigate the risk of infection, ESET recommends users download applications only from trusted sources, such as the Google Play Store, and exercise caution when granting broad permissions, particularly access to accessibility services. Keeping devices updated with the latest security patches is also crucial. Users suspecting an infection can attempt to remove the malicious app by booting the device into safe mode. Google Play Protect, when enabled, can also identify and block known variants of PromptSpy.
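The capability set ESET describes (accessibility-driven UI control, screen capture, SMS interception, and uninstall blocking) is visible in an app's manifest before anything runs. The following is an added triage example, not code from ESET's report or from PromptSpy: it parses a constructed manifest and rates the permission combination, with the capability groups and the risk rule being assumptions for this example.

```python
"""Added triage example (not ESET's or PromptSpy's code): flag an Android
manifest whose permission set matches the capability profile described
above. The manifest below is constructed for this example."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability groups are an assumption for this example; the permission
# and binding names themselves are real Android identifiers.
CAPABILITIES = {
    "ui_control": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "screen_capture": {"android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"},
    "sms_intercept": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "uninstall_block": {"android.permission.BIND_DEVICE_ADMIN"},
    "network": {"android.permission.INTERNET"},
}

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""


def declared_permissions(manifest_xml: str) -> set:
    """Collect <uses-permission> names plus the android:permission attribute on
    components: accessibility and device-admin bindings are declared on the
    <service>/<receiver>, not as <uses-permission>, and are easy to miss."""
    perms = set()
    for el in ET.fromstring(manifest_xml).iter():
        if el.tag == "uses-permission":
            perms.add(el.get(ANDROID_NS + "name"))
        elif el.tag in ("service", "receiver", "activity", "provider"):
            perms.add(el.get(ANDROID_NS + "permission"))
    perms.discard(None)
    return perms


def triage(manifest_xml: str) -> dict:
    """Map permissions to capabilities; accessibility control combined with
    screen capture or device-admin is rated high risk (example heuristic)."""
    perms = declared_permissions(manifest_xml)
    hits = {cap for cap, names in CAPABILITIES.items() if perms & names}
    high = "ui_control" in hits and bool({"screen_capture", "uninstall_block"} & hits)
    return {"capabilities": sorted(hits), "high_risk": high}
```

Run `triage()` on a manifest extracted from an APK under review (for example with apktool) to get a quick capability profile before deeper analysis.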
