The first known Android malware to leverage generative artificial intelligence in its operation has been discovered by ESET researchers. Dubbed PromptSpy, the malware utilizes Google’s Gemini chatbot to automate tasks necessary for maintaining a persistent foothold on compromised devices.
PromptSpy distinguishes itself from previous Android threats through its novel approach to persistence. Rather than relying on traditional methods, it employs Gemini to interpret the user interface of the infected device and dynamically generate instructions for navigating Android’s operating system. Specifically, the malware uses Gemini to determine how to remain pinned in the recent applications list, preventing users from easily closing or uninstalling it, according to ESET’s report published February 19, 2026.
The process involves sending an XML dump of the current screen – detailing UI elements like text, type, and position – to Gemini, along with a natural language prompt. Gemini then responds with JSON instructions outlining the necessary actions, such as taps or swipes, to achieve persistence. The malware saves both its prompts and Gemini’s responses, allowing the AI to understand context and coordinate multi-step interactions, researchers found.
While the AI component is currently limited to achieving persistence, the implications of this approach are significant. “Leveraging generative AI enables the threat actors to adapt to more or less any device, layout, or OS version, which can greatly expand the pool of potential victims,” Lukáš Štefanko, an ESET researcher, stated in a report. The use of AI allows the malware to overcome variations in Android versions and device manufacturers.
Beyond its AI-driven persistence mechanism, PromptSpy is equipped with a range of malicious capabilities. It can capture lockscreen data, block uninstallation attempts, gather device information, take screenshots, and record screen activity as video. The primary objective of the malware is to deploy a Virtual Network Computing (VNC) module, granting attackers remote access to the victim’s device, allowing them to view the screen and perform actions as if they were the user.
ESET’s discovery follows the identification of PromptLock in August 2025, the first AI-driven ransomware. PromptSpy appears to be financially motivated, with language localization clues and distribution vectors suggesting a primary target of users in Argentina. However, as of February 19, 2026, PromptSpy has not been widely observed in ESET’s telemetry, potentially indicating that it is still in a proof-of-concept phase.
The malware utilizes Android’s Accessibility Services to interact with the device and execute the gestures recommended by Gemini. It also employs transparent overlays to intercept user interactions during uninstallation attempts, making it difficult for victims to remove the malware. These overlays cover buttons containing keywords like “stop,” “end,” “clear,” and “Uninstall,” effectively blocking removal efforts.
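As an added, defender-side illustration (not code from ESET’s report or from the malware): a small Python triage helper that flags installed packages combining the two capabilities described above, an enabled Accessibility Service and the overlay permission used to cover uninstall buttons. The adb commands named in the docstring are real; the sample outputs, package names and allowlist are constructed for the example.

```python
"""Triage helper: flag packages that hold both an enabled Accessibility
Service and the overlay (SYSTEM_ALERT_WINDOW) permission, the pairing
PromptSpy relies on to execute gestures and block uninstallation.
Input shapes mimic:
  adb shell settings get secure enabled_accessibility_services
  adb shell appops get <pkg> SYSTEM_ALERT_WINDOW
All sample values below are constructed, not real telemetry."""

# Constructed sample: colon-separated ComponentName list, as Android stores it.
ENABLED_A11Y = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.suspect/com.example.suspect.CoreService"
)

# Constructed sample of appops output, one line per package.
APPOPS = {
    "com.android.talkback": "SYSTEM_ALERT_WINDOW: deny",
    "com.example.suspect": "SYSTEM_ALERT_WINDOW: allow; time=+3h12m",
    "com.example.benign": "SYSTEM_ALERT_WINDOW: allow",
}

# Accessibility tools the defender has vetted as legitimate (constructed).
ALLOWLIST = {"com.android.talkback"}


def a11y_packages(setting: str) -> set:
    """Package names with an enabled accessibility service ('null' yields none)."""
    return {c.split("/", 1)[0] for c in setting.split(":") if "/" in c}


def overlay_allowed(appops_line: str) -> bool:
    """True only when the op mode is 'allow' ('deny'/'default'/'ignore' are not)."""
    mode = appops_line.split(":", 1)[1].strip().split(";", 1)[0]
    return mode == "allow"


def suspicious_packages(setting=ENABLED_A11Y, appops=APPOPS, allow=ALLOWLIST):
    """Non-allowlisted packages holding both capabilities, sorted for review."""
    a11y = a11y_packages(setting) - allow
    missing = "SYSTEM_ALERT_WINDOW: default"  # package never queried: treat as not granted
    return sorted(p for p in a11y if overlay_allowed(appops.get(p, missing)))


if __name__ == "__main__":
    for pkg in suspicious_packages():
        print(f"review: {pkg} combines accessibility service + overlay permission")
```

A hit is a triage lead, not a verdict; legitimate automation and assistive apps can hold both, which is why the allowlist exists.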