PromptSpy Android Malware Uses Google Gemini to Adapt During Runtime Execution

PromptSpy Android Malware Uses Google Gemini to Adapt During Runtime Execution

A newly identified strain of Android spyware called PromptSpy has become the first mobile malware known to call on generative AI while it is actually running on a victim’s device.

Rather than relying purely on hardcoded commands, the malware reaches out to Google’s Gemini model in real time to figure out how to interact with a phone’s screen.

This marks a meaningful shift in how mobile threats could evolve, since the malware is no longer limited to a fixed set of instructions written by its creators.

On the surface, PromptSpy behaves like a fairly standard remote access trojan built for stealing information from infected phones. It can capture lockscreen PINs and passwords, list installed apps, snap screenshots on demand, and even record video without the user noticing.

A built in remote access module gives attackers live control of the screen, and all of that communication is encrypted to help it slip past basic monitoring.

Researchers at ESET first flagged PromptSpy while investigating a separate case of AI powered ransomware, which led them to this previously undocumented Android threat.

Their analysis found that the malware was distributed through a website designed to look like the Argentine branch of a major banking brand, complete with a matching app name meant to build trust with targets.

Despite the deceptive setup, ESET noted the malware appeared largely absent from real world telemetry, suggesting it may still be an early stage proof of concept rather than a widely deployed campaign.

That said, a single confirmed detection did turn up in Ukraine in February 2026, showing the threat has already traveled beyond its original testing ground.

Combined with clues pointing to a Chinese speaking development environment, the case illustrates how quickly experimental malware can cross borders once it is packaged and distributed online.

ESET said in a report shared with Cyber Security News (CSN) that this discovery adds to a broader pattern of AI creeping into malicious tooling across different platforms.

PromptSpy Android Malware Uses Google Gemini

What sets PromptSpy apart is a specific trick it uses to stay installed on a phone.

The malware needs to lock itself into the list of recently used apps so it cannot be easily swiped away, but that kind of gesture is notoriously hard to automate across the huge variety of Android devices and versions in use today.

Instead of hardcoding taps for every possible screen layout, PromptSpy sends Gemini a plain language request along with a full map of everything visible on the current screen, including text, button types, and exact positions.

PromptSpy’s execution flow (Source - ESET)
PromptSpy’s execution flow (Source – ESET)

Gemini studies that data and sends back a set of instructions describing which gestures to perform and where.

PromptSpy carries out those actions through Android’s accessibility tools, then checks the updated screen and repeats the process until the app is confirmed locked in place.

Persistence Tricks and Removal Advice

Beyond leaning on AI, PromptSpy also fights back against being uninstalled. It abuses accessibility permissions to place invisible overlays directly on top of the Stop and Uninstall buttons in the app settings menu, so tapping them does nothing.

Figure: Invisible rectangles, shown here in color for clarity, covering the Stop and Uninstall buttons.

High-level scheme of the BYOVD technique (Source - ESET)
High-level scheme of the BYOVD technique (Source – ESET)

Because of this overlay trick, ESET noted that removal generally only works from safe mode.

Users can typically hold the power button, select Reboot to safe mode, then head into Settings and Apps to uninstall the offending app once accessibility restrictions are bypassed.

Later research from Google’s Threat Intelligence Group added that PromptSpy’s AI component was built with broader screen navigation goals in mind, and that attackers can update pieces of the malware, including its Gemini API keys, remotely through its command and control channel.

ESET researchers pointed out that while this use of AI is currently narrow, it hints at a future where malware relies on generative models to adapt on the fly rather than depending on brittle, hardcoded logic.

Type Indicator Description
Domain mgardownload[.]com Website used to distribute the PromptSpy malware, offline at time of analysis 
File name MorganArg / MorganArgs App name used by PromptSpy to impersonate a JPMorgan Chase Argentina branch app 

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.

The post PromptSpy Android Malware Uses Google Gemini to Adapt During Runtime Execution appeared first on Cyber Security News.

​The original article found on Cyber Security News Read More