A newly discovered Android malware, dubbed PromptSpy, is exploiting Google’s Gemini AI model to automate tasks that help it maintain a persistent presence on infected devices, researchers at ESET announced Thursday.
PromptSpy represents the first known instance of Android malware directly integrating generative AI into its execution flow, according to ESET researcher Lukáš Štefanko. While machine learning has been used previously to analyze screenshots for ad fraud, this marks a significant escalation in the sophistication of mobile malware.
The malware leverages Gemini to overcome a common challenge for Android malware: reliably locking an app in the Recent Apps list. This “locking” feature, available on some Android devices, prevents the system from terminating the app during memory management. However, the specific method for locking an app varies between manufacturers, making it difficult to script a universal solution.
PromptSpy circumvents this issue by sending a prompt to Gemini, along with an XML dump of the current screen. This dump provides detailed information about the user interface elements, including text, type, and position. Gemini then analyzes this information and responds with JSON-formatted instructions detailing the actions needed to lock the app. The malware then executes these instructions using Android’s Accessibility Service, repeatedly sending updated screen states to Gemini until the app is successfully locked, according to ESET’s report.
“Even though PromptSpy uses Gemini in just one of its features, it still demonstrates how incorporating these AI tools can make malware more dynamic, giving threat actors ways to automate actions that would normally be more difficult with traditional scripting,” Štefanko explained.
Beyond its innovative use of AI for persistence, PromptSpy functions primarily as spyware. It includes a built-in Virtual Network Computing (VNC) module, granting attackers remote access to the compromised device. With Accessibility permissions granted, attackers can view the screen and control the device in real time.
ESET’s analysis indicates PromptSpy is capable of collecting a wide range of sensitive information, including a list of installed apps, intercepted lockscreen PINs or passwords, recordings of pattern unlock screens, screenshots, and screen activity. It can also report the currently active application and screen status.
The malware also employs tactics to hinder removal. When a user attempts to uninstall the app or disable Accessibility permissions, PromptSpy overlays transparent, invisible rectangles over UI buttons associated with stopping or uninstalling the application, effectively blocking the user’s action. Users must reboot into Android Safe Mode to disable third-party apps and successfully uninstall the malware, Štefanko noted.
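Because the behavior described above depends on an enabled Accessibility Service, one triage step is to list which user-installed apps hold one. The following is an added example, not code from ESET's report or from the malware: it parses text captured from `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3`, and every package name and the allowlist in it are constructed sample data.

```python
# Added triage example; inputs are captured text from two adb commands:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -3
# All package names below are constructed sample data, not indicators.

def parse_enabled_services(setting_value):
    """Split the colon-separated 'package/ServiceClass' list into (package, class) pairs."""
    value = setting_value.strip()
    if not value or value == "null":   # 'null' is printed when the setting is unset
        return []
    pairs = []
    for component in value.split(":"):
        package, _, cls = component.strip().partition("/")
        if package:
            # A leading '.' in the class is shorthand for '<package>.<Class>'
            pairs.append((package, package + cls if cls.startswith(".") else cls))
    return pairs

def parse_third_party(pm_output):
    """Extract package names from the 'package:<name>' lines of `pm list packages -3`."""
    return {line.strip()[len("package:"):] for line in pm_output.splitlines()
            if line.strip().startswith("package:")}

def flag_services(setting_value, pm_output, allowlist=frozenset()):
    """Return enabled accessibility services owned by user-installed, non-allowlisted apps."""
    third_party = parse_third_party(pm_output)
    return [(pkg, cls) for pkg, cls in parse_enabled_services(setting_value)
            if pkg in third_party and pkg not in allowlist]

# Constructed sample captures (hypothetical packages).
SAMPLE_SETTING = ("com.google.android.marvin.talkback/"
                  "com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.reader/.ScreenReaderService:"
                  "com.example.unknownapp/com.example.unknownapp.core.HelperService\n")
SAMPLE_PM = "package:com.example.reader\npackage:com.example.unknownapp\npackage:com.example.game\n"

if __name__ == "__main__":
    for pkg, cls in flag_services(SAMPLE_SETTING, SAMPLE_PM, allowlist={"com.example.reader"}):
        print(f"review: {pkg} runs accessibility service {cls}")
```

Any flagged service the device owner does not recognize is a candidate for the Safe Mode removal described above.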
While several samples of PromptSpy were uploaded to VirusTotal in January and February 2026, originating from Hong Kong and Argentina, ESET has not yet observed the malware or its dropper in its own telemetry. This raises the possibility that PromptSpy may currently be a proof-of-concept, according to Štefanko. However, the use of a dedicated domain, mgardownload[.]com, and a website impersonating JPMorgan Chase Bank, m-mgarg[.]com, suggests potential real-world deployment.
The limited distribution of PromptSpy notwithstanding, its emergence signals a concerning trend: the increasing use of generative AI by threat actors to not only create attacks and phishing sites, but also to dynamically modify malware behavior. Google Threat Intelligence recently reported that state-sponsored hackers are also leveraging Google’s Gemini AI model to support various stages of their attacks, from initial reconnaissance to post-compromise activities.