PromptSpy is the first known Android malware to use generated AI at runtime

Applications of AI


Android malware

Researchers have discovered the first known Android malware that uses Google’s Gemini model to adapt persistence across different devices and uses generative AI in its execution flow.

In today’s report, ESET researcher Lukas Stefanko describes how a new Android malware family named ‘PromptSpy’ exploits the Google Gemini AI model to achieve persistence on infected devices.

“In February 2026, we discovered two versions of a previously unknown Android malware family,” ESET explains.

With

“The first version, which we named VNCSpy, appeared on VirusTotal on January 13, 2026 and was represented by three samples uploaded from Hong Kong. On February 10, 2026, four samples of more advanced malware based on VNCSpy were uploaded to VirusTotal from Argentina.”

First known Android malware to use generative AI

Machine learning models have previously been used by Android malware to analyze screenshots for ad fraud, but ESET says PromptSpy is the first known instance of Android malware directly integrating generative AI into its execution.

On some Android devices, users can “lock” or “pin” an app by long-pressing the app in the recent apps list and selecting the lock option. When an app is locked in this way, Android is either cleaning up memory or the user is[すべてクリア]You’re less likely to quit the app when you tap .

For legitimate apps, this prevents background processes from being killed. For malware like PromptSpy, it acts as a persistence mechanism.

However, the methods used to lock or pin apps vary by manufacturer, making it difficult for malware to script the correct way to do it on every device. This is where AI comes into play.

PromptSpy sends chat prompts to Google’s Gemini model along with an XML dump of the current screen, including visible UI elements, text labels, class types, and screen coordinates.

PromptSpy sends LLM prompts to Google Gemini
PromptSpy sends LLM prompts to Google Gemini
Source: ESET

Gemini then responds with JSON-formatted instructions describing the actions to take on the device to pin the app.

The malware performs actions through Android’s accessibility services, retrieves the updated screen state, and sends it back to Gemini in a loop until the AI ​​confirms that the app was successfully locked in the recent apps list.

“While PromptSpy only uses Gemini for one of its features, it shows that incorporating these AI tools can make malware more dynamic and provide threat actors with a way to automate actions that are typically more difficult to perform with traditional scripts,” ESET explains.

Although the use of AI LLM to modify runtime behavior is novel, PromptSpy’s primary function is to act as spyware.

The malware includes a built-in VNC module that allows attackers to gain full remote access to devices that have accessibility permissions granted.

This access allows an attacker to view and control the Android screen in real time.

According to ESET, this malware can:

  • Upload a list of installed apps
  • Intercept lock screen PIN or password
  • Record the pattern unlock screen as a video
  • Capture screenshots on demand
  • Record screen activity and user gestures
  • Reports the current foreground application and screen status.

To make removal more difficult, when a user attempts to uninstall an app or turn off accessibility permissions, the malware overlays a transparent, invisible rectangle over a UI button that displays text such as “Stop,” “Exit,” “Clear,” or “Uninstall.”

When a user taps a button to stop or uninstall an app, they will instead tap a hidden button that blocks deletion.

It is unclear whether this is proof-of-concept malware.

Stefanko said victims must restart into Android Safe Mode so that third-party apps are disabled and cannot block the malware from being uninstalled.

ESET told BleepingComputer that it has not yet observed PromptSpy or its dropper in its telemetry, so it is unclear whether this malware is a proof of concept.

“So far, we have not seen any signs of the PromptSpy dropper or its payload in our telemetry, which could mean they are just a proof of concept,” Stefanko told BleepingComputer.

However, as shown by VirusTotal, some samples were previously distributed via the dedicated domain mgardownload.[.]com and used the mmgarg web page[.]com to impersonate JPMorgan Chase Bank, which may have been used in the actual attack.

“Still, we cannot rule out that both the dropper and PromptSpy actually exist or have existed, as there appear to be dedicated domains and fake banking websites used to distribute them,” Stefanko added.

Although the distribution of this malware appears to be very limited, it shows how attackers can use generated AI to not only create attacks and phishing sites, but also modify the behavior of the malware in real time.

Earlier this month, Google Threat Intelligence reported that state-sponsored hackers are also using Google’s Gemini AI model to support all stages of an attack, from reconnaissance to post-breach action.

teeth

Modern IT infrastructures are changing faster than manual workflows can handle.

In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated responses, and build and scale intelligent workflows based on the tools you already use.



Source link