PromptSpy: The First Android Malware Powered by Generative AI

Cybersecurity researchers at ESET have uncovered PromptSpy, the first known Android malware family to integrate generative AI at runtime. By leveraging Google’s Gemini model, PromptSpy adapts its persistence mechanisms across different devices—making it far more dynamic than traditional mobile malware.

How PromptSpy Works

  • Two versions discovered:
    • VNCSpy appeared in January 2026.
    • PromptSpy, a more advanced variant, surfaced in February 2026.
  • Persistence challenge: Different Android manufacturers use varying methods to “lock” or “pin” apps in the Recent Apps list.
  • AI solution: PromptSpy sends Gemini a prompt along with an XML dump of the current screen (UI elements, labels, coordinates).
  • Gemini response: Returns JSON instructions on how to pin the app.
  • Execution loop: The malware uses Android Accessibility Services to perform the returned actions, dumps the screen again to check the new state, and repeats the cycle until Gemini confirms the app is pinned.

Capabilities Beyond Persistence

PromptSpy isn’t just clever—it’s dangerous spyware. It can:

  • Upload lists of installed apps.
  • Intercept lockscreen PINs and passwords.
  • Record unlock patterns as video.
  • Capture screenshots and gestures.
  • Provide real‑time remote access via a built‑in VNC module.
  • Block removal attempts by overlaying invisible rectangles over “Uninstall” or “Stop” buttons.

Because of these overlays, victims must reboot into Safe Mode (which disables third‑party apps) before they can uninstall it.

Distribution & Impact

  • Samples were uploaded from Hong Kong and Argentina.
  • Domains such as mgardownload[.]com and m-mgarg[.]com impersonated JPMorgan Chase Bank in order to distribute the malware.
  • While ESET hasn’t observed widespread activity in its telemetry, the presence of dedicated distribution domains suggests PromptSpy may already be in the wild.
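The two distribution domains above are the only concrete indicators the article gives, so the natural defender-side check is to watch DNS logs for them. The following is an added example (not ESET's code or anything from the PromptSpy analysis): it refangs the published indicators, then scans BIND-style query log lines for exact or subdomain matches. The log lines, client addresses and timestamps are constructed for illustration; the article renders the hyphen in the second domain as a non-breaking hyphen, which is normalized to an ASCII hyphen here.

```python
import re

# Distribution domains reported by ESET, in the defanged form the article uses.
# Hyphen in the second name normalized to ASCII (the article shows a non-breaking one).
DEFANGED_IOCS = ["mgardownload[.]com", "m-mgarg[.]com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' into a plain hostname."""
    host = indicator.replace("[.]", ".").replace("(.)", ".")
    return host.strip().lower().rstrip(".")


IOC_HOSTS = {refang(d) for d in DEFANGED_IOCS}


def host_matches(host: str) -> bool:
    """True if host equals an indicator or is a subdomain of one.

    The '.' prefix check avoids false positives such as 'notmgardownload.com'.
    """
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in IOC_HOSTS)


# BIND query-log shape: "... client @0x.. <ip>#<port> (<name>): query: <name> IN <type> ..."
_QUERY_RE = re.compile(r"client (?:@\S+ )?(?P<client>[\d.]+)#\d+ .*?query: (?P<name>\S+) IN ")


def scan_dns_log(lines):
    """Return (line_no, client_ip, queried_name) for each query hitting an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _QUERY_RE.search(line)
        if m and host_matches(m.group("name")):
            hits.append((n, m.group("client"), m.group("name").rstrip(".")))
    return hits


# Constructed sample log: two hits (one on a subdomain), one benign bank lookup,
# and one lookalike name that must NOT match.
SAMPLE_LOG = [
    "12-Feb-2026 09:14:02.113 client @0x7f1 10.0.0.23#41922 (mgardownload.com): query: mgardownload.com IN A + (10.0.0.1)",
    "12-Feb-2026 09:14:05.481 client @0x7f1 10.0.0.23#41930 (cdn.m-mgarg.com): query: cdn.m-mgarg.com IN A + (10.0.0.1)",
    "12-Feb-2026 09:14:07.002 client @0x7f1 10.0.0.41#55010 (www.jpmorgan.com): query: www.jpmorgan.com IN A + (10.0.0.1)",
    "12-Feb-2026 09:14:09.770 client @0x7f1 10.0.0.41#55012 (notmgardownload.com): query: notmgardownload.com IN A + (10.0.0.1)",
]

if __name__ == "__main__":
    for line_no, client, name in scan_dns_log(SAMPLE_LOG):
        print(f"line {line_no}: {client} resolved {name}")
```

A hit identifies the client that resolved the lure domain, which is the device to pull for the Safe Mode removal described above.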

Why It Matters

  • Generative AI in malware: PromptSpy demonstrates how AI can automate device‑specific actions that traditional scripting struggles with.
  • Dynamic adaptation: Malware can now adjust its behavior in real time, making detection and removal harder.
  • Broader trend: Google Threat Intelligence recently reported state‑sponsored hackers using Gemini for reconnaissance and post‑compromise actions.

Final Thought

PromptSpy is a milestone in mobile malware evolution. By embedding generative AI into its runtime flow, it shows how attackers are moving beyond static scripts to adaptive, intelligent malware. The takeaway? Security teams must prepare for a future where AI isn’t just defending systems—it’s also powering the attacks.
