
Cybersecurity researchers have discovered what they say is the first Android malware to exploit Gemini, Google’s generative artificial intelligence (AI) chatbot, as part of its execution flow to achieve persistence.
Malware is codenamed prompt spy By ESET. This malware has the ability to capture lock screen data, block uninstallation efforts, collect device information, take screenshots, and record screen activities as videos.
“Gemini is used to analyze the current screen and provide PromptSpy with step-by-step instructions on how to ensure that malicious apps remain pinned to the recent apps list, thereby preventing them from being easily swiped or killed by the system,” ESET researcher Lukasz Stefanko said in a report published today.
“Since Android malware often relies on UI navigation, leveraging generative AI could significantly expand the number of potential victims by allowing attackers to adapt to more or less any device, layout, or OS version.”
Specifically, it hardcodes the AI model and prompts within the malware and assigns the AI agent the “Android Automation Assistant” persona. It sends natural language prompts to Gemini along with an XML dump of the current screen, providing detailed information about all UI elements, including text, type, and exact location on the display.
Gemini then processes this information and responds with JSON instructions that tell the malware what action to perform (such as a tap) and where to perform it. The multi-step interaction continues until the app is successfully locked in the recent apps list and cannot be exited.
The main purpose of PromptSpy is to deploy an embedded VNC module that allows attackers remote access to the victim’s device. The malware is also designed to take advantage of Android’s accessibility services to prevent it from being uninstalled using an invisible overlay. Communicates with a hard-coded command and control (C2) server (“54.67.2″).[.]84”) via VNC protocol.
It is worth noting that the actions suggested by Gemini are performed through accessibility services, allowing the malware to interact with the device without user input. All of this is accomplished by communicating with a C2 server to receive a Gemini API key, taking on-demand screenshots, intercepting lock screen PINs or passwords, recording the screen, and capturing the pattern unlock screen as a video.

Analysis of language localization clues and the distribution vector used suggests that this campaign is likely financially motivated and targeted at users in Argentina. Interestingly, evidence indicates that PromptSpy was developed in a Chinese-speaking environment, as indicated by the presence of debug strings written in Simplified Chinese.
“PromptSpy is distributed on a dedicated website and was not previously available on Google Play,” Stefanko said.
PromptSpy is believed to be an advanced version of another previously unknown Android malware called VNCSpy, samples of which were first uploaded to the VirusTotal platform from Hong Kong last month.
Website “mgardownload”[.]com’ is used to deliver the dropper, and when installed and launched it opens a web page hosted at ‘m-mgarg’.[.]The dropper pretends to be JPMorgan Chase and calls itself “MorganArg” after Morgan Argentina. The dropper also instructs the victim to grant permission to install apps from unknown sources in order to deploy PromptSpy.
“This Trojan connects to a server in the background and requests a configuration file containing a link to download another APK, which is presented to the victim as an update in Spanish,” ESET said. “During our investigation, we lost access to the configuration server, so the exact download URL remains unknown.”
The findings demonstrate how threat actors are incorporating AI tools into their operations to make malware more dynamic and provide a way to automate actions that would be more difficult to perform with traditional approaches.
PromptSpy prevents its uninstallation by overlaying invisible elements on the screen, so the only way for victims to remove it is to restart the device in safe mode. Safe mode disables third-party apps and allows you to uninstall them.
“PromptSpy shows that Android malware is beginning to evolve in sinister ways,” ESET said. “By leveraging generative AI to interpret on-screen elements and decide how to interact with them, malware can adapt to almost any device, screen size, or UI layout it encounters.”
“Instead of a hard-coded tap, you can simply pass a snapshot of your screen to the AI and instead receive precise step-by-step interaction instructions, helping enable persistence techniques that survive UI changes.”
