PromptSpy abuses Gemini AI to gain persistent access on Android

PromptSpy is the first Android malware to abuse Google’s Gemini AI, enabling persistence and advanced spying features.

Security researchers at ESET have uncovered PromptSpy, the first known Android malware to exploit Google’s Gemini AI to maintain persistence. The malware can capture lockscreen data, block uninstallation attempts, collect device information, take screenshots, and record screen activity as video, marking a concerning evolution in AI-assisted mobile threats.

This is the second AI-powered malware discovered by ESET, following PromptLock in August 2025, the first known case of AI-driven ransomware.

Although AI is used only to keep the malicious app pinned in the recent apps list, it allows the malware to adapt to different devices and Android versions.

“Specifically, Gemini is used to analyze the current screen and provide PromptSpy with step-by-step instructions on how to ensure the malicious app remains pinned in the recent apps list, thus preventing it from being easily swiped away or killed by the system.” reads the report published by ESET. “The AI model and prompt are predefined in the code and cannot be changed. Since Android malware often relies on UI navigation, leveraging generative AI enables the threat actors to adapt to more or less any device, layout, or OS version, which can greatly expand the pool of potential victims.”

PromptSpy deploys a VNC module for remote control, abuses Accessibility Services to block removal, captures lockscreen data, records video, and uses encrypted C2 communications. The campaign appears to be driven by financial gain and mainly targets users in Argentina. The malware was likely developed in a Chinese-speaking environment. It is spread through a dedicated website rather than Google Play, and Google Play Protect can block known versions of it.

PromptSpy uses Google’s Gemini AI in a limited but clever way: to stay persistent. Instead of relying on fixed screen taps or coordinates, which often fail across different Android versions and device layouts, the malware sends Gemini a text prompt plus an XML dump of the current screen. This gives the AI a full view of buttons, text, and positions. Gemini then replies with JSON instructions telling the malware where to tap. PromptSpy repeats the process until the app is successfully locked in the recent apps list, preventing easy removal.

ESET discovered the threat in February 2026, PromptSpy evolved from an earlier variant called VNCSpy. Samples were uploaded from Hong Kong and later Argentina, suggesting regional targeting. The malware is distributed through malicious websites impersonating Chase Bank, using branding like “MorganArg.” A related phishing app, likely from the same actor, helps deliver the final payload.

Once installed, PromptSpy abuses Accessibility Services and includes a VNC module, giving attackers full remote control of the device. It can see the screen, perform gestures, and maintain control while staying hidden in the recent apps list.

The analysis of the malicious code revealed debug strings in simplified Chinese, along with functions handling Chinese Accessibility event types. A disabled debug method translated Android accessibility events into Chinese, suggesting with medium confidence that the malware was developed in a Chinese-speaking environment.

PromptSpy is delivered through a dropper that installs a hidden payload APK. After installation, it requests Accessibility permissions, shows a fake loading screen, and secretly contacts Gemini AI to lock itself in the Recent Apps list for persistence. It continuously sends screen data to Gemini and executes returned tap or swipe instructions.

The malware includes a VNC module for full remote control and communicates with its C2 server using AES-encrypted VNC traffic. It can steal PINs, record screens, take screenshots, and list installed apps. To prevent removal, it overlays invisible elements over uninstall buttons. Victims must reboot into Safe Mode to remove it.

PromptSpy shows a new evolution in Android malware. By using generative AI to read and interpret on-screen elements, it can adapt to almost any device or interface. Instead of fixed tap coordinates, it sends a screen snapshot to AI and receives step-by-step instructions, making its persistence more resilient to UI changes.

“More broadly, this campaign shows how generative AI can make malware far more dynamic and capable of real‑time decision‑making.” concludes the report. “PromptSpy is an early example of generative AI‑powered Android malware, and it illustrates how quickly attackers are beginning to misuse AI tools to improve impact.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, PromptSpy)