PromptSpy is the first known Android malware to use generative AI at runtime

PromptSpy: The First Android Malware to Leverage Generative AI for Device Persistence

In a groundbreaking discovery that underscores the evolving sophistication of mobile threats, cybersecurity researchers have identified PromptSpy, the first known Android malware to integrate generative artificial intelligence directly into its execution flow. This novel approach, uncovered by ESET researcher Lukas Stefanko, marks a significant shift in how threat actors are leveraging AI technologies to enhance malware capabilities.

A New Era of AI-Powered Mobile Threats

The malware, which ESET has dubbed “PromptSpy,” represents a paradigm shift in mobile cyber threats. Unlike previous Android malware that utilized machine learning for specific tasks like analyzing screenshots for ad fraud, PromptSpy employs Google’s Gemini AI model to dynamically adapt its persistence mechanisms across different devices and manufacturers.

“We uncovered two versions of a previously unknown Android malware family in February 2026,” explains ESET in their comprehensive report. “The first version, which we named VNCSpy, appeared on VirusTotal on January 13th, 2026 and was represented by three samples uploaded from Hong Kong. On February 10th, 2026, four samples of more advanced malware based on VNCSpy were uploaded to VirusTotal from Argentina.”

The AI Advantage: Overcoming Device Fragmentation

Android’s notorious device fragmentation has long been a challenge for both developers and malware authors. With hundreds of manufacturers implementing slightly different versions of the operating system, creating malware that can reliably persist across all devices has been difficult. This is where PromptSpy’s innovative use of AI becomes particularly significant.

The malware exploits a legitimate Android feature that allows users to “lock” or “pin” apps in the Recent Apps list. When an app is locked, Android is less likely to terminate it during memory cleanup or when the user taps “Clear all.” For legitimate applications, this prevents background processes from being killed. For malware like PromptSpy, it serves as a powerful persistence mechanism.

However, the method to lock or pin an app varies between manufacturers, making it challenging for malware to script the correct approach for every device. PromptSpy overcomes this obstacle by sending Google’s Gemini model a detailed chat prompt along with an XML dump of the current screen, including visible UI elements, text labels, class types, and screen coordinates.

The Gemini Loop: AI-Powered Adaptation

What makes PromptSpy truly revolutionary is its dynamic interaction with the AI model. After receiving the screen data, Gemini responds with JSON-formatted instructions describing the specific action needed to pin the app on that particular device. The malware then executes the action through Android’s Accessibility Service, retrieves the updated screen state, and sends it back to Gemini in a continuous loop until the AI confirms that the app has been successfully locked.

“Even though PromptSpy uses Gemini in just one of its features, it still demonstrates how incorporating these AI tools can make malware more dynamic, giving threat actors ways to automate actions that would normally be more difficult with traditional scripting,” ESET explains. This AI-powered adaptation allows the malware to function effectively across a wide range of Android devices without requiring specific, pre-programmed instructions for each manufacturer’s implementation.

Beyond Persistence: Full-Fledged Spyware Capabilities

While the AI integration is groundbreaking, PromptSpy’s primary functionality extends far beyond persistence. The malware includes a built-in VNC (Virtual Network Computing) module that provides threat actors with complete remote access to infected devices, but only after users grant Accessibility permissions.

Once installed and granted the necessary permissions, PromptSpy transforms the compromised device into a powerful surveillance tool. The malware can:

  • Upload comprehensive lists of installed applications
  • Intercept lockscreen PINs and passwords
  • Record pattern unlock screens as video footage
  • Capture screenshots on demand
  • Record screen activity and user gestures
  • Report the current foreground application and screen status

This extensive surveillance capability makes PromptSpy particularly dangerous for both individual users and organizations, as it can capture sensitive information, login credentials, and confidential communications.

Anti-Removal Techniques: Fighting Back Against Users

PromptSpy employs sophisticated anti-removal techniques that make it exceptionally difficult for average users to eliminate the threat. When users attempt to uninstall the app or disable Accessibility permissions, the malware overlays transparent, invisible rectangles over UI buttons displaying strings like “stop,” “end,” “clear,” and “Uninstall.”

When a user taps what they believe is the button to stop or uninstall the app, they actually tap the invisible overlay, which blocks the removal attempt. This deceptive technique effectively prevents users from easily removing the malware through standard Android procedures.

ESET researcher Stefanko notes that victims must reboot their devices into Android Safe Mode to disable third-party apps and successfully remove the malware. This requirement significantly increases the complexity of removal and may prevent many users from effectively eliminating the threat.

Distribution and Real-World Impact

The distribution method for PromptSpy appears to involve dedicated domains, with ESET identifying mgardownload[.]com as a source for samples. Additionally, the malware used a web page on m-mgarg[.]com to impersonate JPMorgan Chase Bank, suggesting that phishing and social engineering tactics were employed to distribute the malware.

While ESET has not yet observed PromptSpy or its dropper in its telemetry data, the existence of dedicated distribution domains and fake banking websites indicates that the malware may have been deployed in actual attacks rather than being purely a proof-of-concept.

“We haven’t seen any signs of the PromptSpy dropper or its payload in our telemetry so far, which could mean they’re only proofs of concept,” Stefanko told BleepingComputer. “Still, because there appears to be a dedicated domain that was used to distribute them, and a fake bank website, we can’t rule out the possibility that both the dropper and PromptSpy are or were in the wild.”

The Broader Implications for Cybersecurity

The emergence of PromptSpy represents more than just another malware variant; it signals a fundamental shift in how cybercriminals are approaching mobile threats. By integrating generative AI directly into the malware’s execution flow, threat actors have created a more adaptable, resilient, and sophisticated attack tool.

This development aligns with broader trends in cybercrime. Earlier this month, Google Threat Intelligence reported that state-sponsored hackers are also using Google’s Gemini AI model to support all stages of their attacks, from reconnaissance to post-compromise actions. The convergence of AI capabilities with traditional malware techniques suggests that we are entering a new era of cyber threats where artificial intelligence becomes an integral component of attack strategies.

Technical Analysis and Detection Challenges

From a technical perspective, PromptSpy presents several challenges for detection and mitigation. The malware’s use of legitimate Android features like Accessibility Services makes it difficult to distinguish from benign applications. Additionally, the AI-powered adaptation means that the malware’s behavior can vary significantly between devices, complicating signature-based detection methods.

The continuous interaction with Gemini also creates network traffic patterns that may be difficult to identify as malicious, as the communication appears to be legitimate API calls to Google’s services. This camouflage technique makes network-based detection particularly challenging.
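The anti-removal overlays and the reliance on Accessibility Services described above suggest a simple triage check a defender can run against a device: flag any app with an enabled accessibility service that also holds the overlay permission (SYSTEM_ALERT_WINDOW) or was not installed from the Play Store. The script below is an added example, not ESET's tooling; it parses constructed text in the style of `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys package <pkg>` output, and the package names in the sample data are made up.

```python
import re

# Constructed sample of the enabled_accessibility_services setting
# (colon-separated component names). Package names are invented.
ENABLED_A11Y = (
    "com.example.screenreader/.TalkService:"
    "com.banking.helper.update/.OverlayAccessibilityService"
)

# Constructed excerpts in the style of `dumpsys package` output.
DUMPSYS = {
    "com.example.screenreader": """
  installerPackageName=com.android.vending
  requested permissions:
    android.permission.BIND_ACCESSIBILITY_SERVICE
""",
    "com.banking.helper.update": """
  installerPackageName=null
  requested permissions:
    android.permission.SYSTEM_ALERT_WINDOW
    android.permission.BIND_ACCESSIBILITY_SERVICE
    android.permission.INTERNET
""",
}

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store


def parse_enabled_services(setting: str) -> set:
    """Package names of every enabled accessibility service."""
    return {c.split("/")[0] for c in setting.split(":") if c}


def parse_dumpsys(text: str) -> dict:
    """Pull installer and requested permissions out of dumpsys text."""
    m = re.search(r"installerPackageName=(\S+)", text)
    perms = set(re.findall(r"android\.permission\.[A-Z_]+", text))
    return {"installer": m.group(1) if m else "null", "permissions": perms}


def triage(setting: str, dumps: dict) -> list:
    """Flag accessibility-enabled apps that can draw overlays or were sideloaded."""
    findings = []
    for pkg in sorted(parse_enabled_services(setting)):
        info = parse_dumpsys(dumps.get(pkg, ""))
        reasons = []
        if "android.permission.SYSTEM_ALERT_WINDOW" in info["permissions"]:
            reasons.append("accessibility service + overlay permission (tapjacking risk)")
        if info["installer"] not in TRUSTED_INSTALLERS:
            reasons.append("sideloaded (installer=%s)" % info["installer"])
        if reasons:
            findings.append({"package": pkg, "reasons": reasons})
    return findings
```

On a real device, feed the script the output of the two adb commands named in the lead-in; any hit is a candidate for review and, if confirmed, for removal from Safe Mode as the article describes.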

Prevention and Protection Strategies

Given the sophisticated nature of PromptSpy and similar AI-enhanced threats, users and organizations need to adopt comprehensive security strategies:

  1. Strict Permission Management: Carefully review and limit app permissions, particularly Accessibility Services, which provide extensive control over device functionality.

  2. Source Verification: Only install applications from official app stores and verified developers, avoiding sideloading from unknown sources.

  3. Regular Updates: Maintain current operating system and security patch levels to protect against known vulnerabilities that malware might exploit.

  4. Security Awareness Training: Educate users about phishing tactics and the importance of scrutinizing app permissions and installation sources.

  5. Advanced Mobile Security Solutions: Deploy comprehensive mobile security platforms capable of detecting sophisticated threats and anomalous behavior patterns.

The Future of AI in Cybercrime

PromptSpy represents just the beginning of what experts anticipate will be widespread adoption of AI technologies in cybercrime. As generative AI models become more sophisticated and accessible, threat actors will likely continue to find innovative ways to integrate these capabilities into their attack tools.

The implications extend beyond mobile malware to potentially affect all areas of cybersecurity. AI could be used to create more convincing phishing campaigns, develop adaptive ransomware, automate vulnerability discovery, and create malware that can evade traditional detection methods with unprecedented effectiveness.

Conclusion: A Wake-Up Call for the Industry

The discovery of PromptSpy serves as a critical wake-up call for the cybersecurity industry, mobile device manufacturers, and users alike. It demonstrates that the integration of AI into malware is no longer theoretical but a present reality that requires immediate attention and adaptation of security strategies.

As we move forward, the cybersecurity community must develop new approaches to threat detection and prevention that can effectively counter AI-enhanced attacks. This includes investing in AI-powered defense systems, improving user education, and establishing new standards for mobile application security and permission management.

The era of AI-powered mobile malware has arrived, and PromptSpy stands as a harbinger of the sophisticated threats that will increasingly challenge our digital security landscape. Understanding and preparing for these evolving threats is no longer optional but essential for maintaining the security and privacy of mobile devices and the sensitive data they contain.
