PromptSpy: First Android Malware to Weaponize Google's Gemini AI for Stealth and Persistence

ESET Discovers 'PromptSpy,' a Novel Android Malware Abusing Generative AI for UI Manipulation

HIGH
February 20, 2026
Malware, Mobile Security, Threat Intelligence

Related Entities

Products & Tech

Google Gemini, Android, VirusTotal

Other

PromptSpy, JPMorgan Chase

Executive Summary

In a significant development for mobile security, researchers at ESET have discovered PromptSpy, the first known Android malware to actively weaponize a generative AI model, Google Gemini, as part of its attack chain. The malware uses the AI to interpret a device's user interface (UI) and generate precise instructions for navigation, allowing it to achieve persistence by programmatically 'pinning' itself in the recent apps list. This novel technique makes the malware highly adaptable to various Android versions and device layouts, overcoming a major hurdle for developers of malicious software. The ultimate payload is a Virtual Network Computing (VNC) module that grants attackers remote control over the device. While currently limited in distribution and targeting users in Argentina, PromptSpy represents a proof-of-concept for a new class of dynamic, AI-powered malware.

Threat Overview

PromptSpy introduces a paradigm shift in malware design. Traditional Android malware that attempts UI manipulation relies on hardcoded coordinates or accessibility service abuse, which often fails across different device models, screen sizes, or OS versions. PromptSpy solves this problem with AI.

The malware's core innovation is its persistence mechanism. It operates as follows:

  1. The malware captures an XML dump of the device's current screen layout.
  2. It sends this XML data along with a natural language prompt (e.g., "How do I click the button to pin this app?") to the Gemini AI model via an API.
  3. Gemini processes the UI structure and returns a JSON object with step-by-step instructions, including the exact coordinates to tap.
  4. The malware executes these instructions, successfully navigating the UI to lock itself in the recent apps tray, making it difficult for a non-technical user to terminate.

After achieving persistence, PromptSpy's main objective is to enable remote access via a built-in VNC module, allowing attackers to spy on the user, steal data, and perform actions on their behalf. It also includes capabilities to capture lockscreen data and block uninstallation attempts.

Technical Analysis

PromptSpy's use of AI for UI interaction is a form of Automated Manipulation of Android's User Interface (T1418), but executed in a novel way.

  • Execution - Command and Scripting Interpreter (T1059): The malware executes the JSON-formatted commands returned by the Gemini AI.
  • Persistence - Modify System App (T1464): While not modifying a system app directly, the act of pinning itself in the recent apps list is a functional equivalent, achieving a form of user-level persistence that is difficult to reverse.
  • Defense Evasion - Abuse of Accessibility Features (T1419): Although it uses AI instead of just accessibility services, the end goal of UI manipulation is the same. The AI makes the abuse far more reliable and scalable.
  • Remote Access Software (T1219): The final payload is a VNC server, giving the attacker full remote control of the device's screen and input.

The weaponization of generative AI for dynamic execution marks a critical inflection point. Defenders can no longer rely on static signatures or predictable behavior. Malware can now adapt its behavior in real-time based on its environment, posing a significant challenge to traditional detection methods.

Impact Assessment

The immediate impact of PromptSpy is limited, as it appears to be a targeted or proof-of-concept campaign focused on Argentina (distributed via a fake JPMorgan Chase site). However, the long-term implications are profound.

  • Increased Malware Resilience: AI-driven malware can adapt to new OS updates, security patches, and device layouts without needing to be rewritten, dramatically increasing its lifespan and effectiveness.
  • Lowered Barrier to Entry: Attackers with less technical skill could leverage AI to create sophisticated, adaptable malware, potentially leading to a proliferation of such threats.
  • Detection Challenges: Security software that relies on static analysis or predictable behavioral patterns will struggle to detect malware that generates its actions dynamically. This will force a shift towards more advanced, on-device behavioral monitoring and anomaly detection.

For an infected user, the impact is severe: complete loss of privacy and control over their device, leading to theft of banking credentials, personal messages, and any other data accessible on the phone.

Cyber Observables for Detection

| Type | Value | Description |
| --- | --- | --- |
| url_pattern | generativelanguage.googleapis.com | The malware must make API calls to Google's AI services. Unexpected apps making calls to this endpoint is highly suspicious. |
| process_name | com.jpmorgan.morganarg | The package name of the malicious app masquerading as JPMorgan Chase in Argentina. |
| network_traffic_pattern | App sending XML data outbound | An unusual pattern where a non-browser app is sending large XML files over the network. |
| file_name | VNCSpy | The name of the VNC module used by the malware. |

Detection & Response

  • Network Monitoring: On-device firewalls or Mobile Threat Defense (MTD) solutions should be configured to alert on unexpected applications making API calls to known generative AI endpoints like generativelanguage.googleapis.com. This is the most reliable indicator of this specific malware. Apply D3FEND Outbound Traffic Filtering (D3-OTF).
  • Behavioral Analysis: MTD solutions must evolve to incorporate more sophisticated behavioral analysis. Instead of just looking for the use of accessibility services, they need to detect patterns of rapid, programmatic UI interaction that mimic human behavior but occur without physical input. D3FEND Process Analysis (D3-PA) is key.
  • App Vetting: Only install applications from the official Google Play Store. The malware was distributed via a third-party website.

Mitigation

  1. Restrict App Installation: Configure Android devices (via MDM for enterprises) to block the installation of apps from unknown sources. This is a fundamental security control (D3FEND Executable Denylisting (D3-EDL)).
  2. Monitor Network Egress: For corporate-managed devices, monitor and restrict outbound network traffic. Block access to generative AI APIs for all applications except those explicitly authorized.
  3. User Education: Train users to be wary of apps downloaded from outside official app stores and to be suspicious of any app that requests extensive permissions.
  4. Google's Role: As the provider of both the OS and the AI model, Google is in a unique position to mitigate this threat. They could implement rate limiting, require API key authentication that can be tied to developer accounts, or use on-device analysis to detect when an app is using AI for malicious UI manipulation.

Timeline of Events

  1. February 19, 2026: ESET publishes research on PromptSpy, the first Android malware found to be using generative AI.
  2. February 20, 2026: This article was published.

MITRE ATT&CK Mitigations

Prevent users from installing applications from untrusted, third-party sources.

Use Mobile Threat Defense to detect anomalous UI interactions and network connections to AI APIs.

Block or alert on traffic from non-standard apps to known generative AI API endpoints.

D3FEND Defensive Countermeasures

The primary distribution vector for PromptSpy was a malicious website, not the official Google Play Store. The most effective preventative measure is to enforce a strict policy of Executable Denylisting, which in the mobile context means blocking the installation of applications from 'Unknown Sources'. For enterprise environments, this should be enforced via a Mobile Device Management (MDM) policy that cannot be disabled by the user. For individual users, this setting should be enabled by default and they should be educated on the severe risks of sideloading applications. This simple configuration change would have prevented the PromptSpy malware from ever being installed on the device, neutralizing the threat before its advanced AI capabilities could be used.

To detect an active PromptSpy infection, defenders must focus on its unique network behavior. Implementing Network Traffic Analysis, either through an on-device MTD agent or at the network gateway, is crucial. The key indicator is traffic from an unexpected application to Google's generative AI API endpoint (generativelanguage.googleapis.com). A detection rule should be created to flag any process, other than an approved browser or explicitly authorized application, that initiates a connection to this domain. Further analysis could look for the specific pattern of an outbound POST request containing a large XML payload. This provides a high-confidence signature for this new class of AI-driven malware, allowing security teams to quickly identify and isolate compromised devices.
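
The detection rule described above, and in the Network Monitoring item under Detection & Response, as an added example (not ESET's or this article's own code): it grades per-app flow records from an MTD agent or gateway. The record fields, the approved-package list, the size threshold and the XML markers are assumptions, and the sample records are constructed.

```python
import json
from collections import Counter

GENAI_HOSTS = {"generativelanguage.googleapis.com"}  # endpoint named in the article
# Assumption: packages this organisation has authorised to call generative AI APIs.
APPROVED = {"com.android.chrome", "com.example.approved.assistant"}
LARGE_BODY = 4096  # assumed size threshold in bytes; tune per fleet
XML_MARKERS = ("<?xml", "<hierarchy", "<node ")  # assumed markers of a UI layout dump

def classify(rec: dict) -> str:
    """Grade one flow record as 'ignore', 'alert' or 'high'."""
    host = rec.get("host", "").lower().rstrip(".")
    if host not in GENAI_HOSTS or rec.get("package") in APPROVED:
        return "ignore"
    # Body fields are present only where the agent or gateway can inspect the request.
    body = rec.get("body_sample", "")
    xml_like = any(marker in body for marker in XML_MARKERS)
    if rec.get("method") == "POST" and xml_like and rec.get("body_bytes", 0) >= LARGE_BODY:
        return "high"  # unapproved app posting a large XML payload
    return "alert"  # unapproved app reaching the endpoint at all

def triage(lines):
    """Return (findings, per-package counts) for JSON-lines flow records."""
    findings, counts = [], Counter()
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the run
        grade = classify(rec)
        if grade != "ignore":
            package = rec.get("package", "unknown")
            findings.append((package, grade))
            counts[package] += 1
    return findings, counts

# Constructed sample records, not real telemetry.
SAMPLE = [json.dumps(r) for r in (
    {"package": "com.android.chrome", "host": "generativelanguage.googleapis.com"},
    {"package": "com.jpmorgan.morganarg", "host": "generativelanguage.googleapis.com",
     "method": "POST", "body_bytes": 18342,
     "body_sample": '{"contents": "<hierarchy><node text=\\"Pin\\" bounds=..."}'},
    {"package": "com.example.notes", "host": "generativelanguage.googleapis.com"},
    {"package": "com.jpmorgan.morganarg", "host": "example.org"},
)] + ["{not valid json"]

if __name__ == "__main__":
    for package, grade in triage(SAMPLE)[0]:
        print(f"{grade:5} {package}")
```

Where TLS is not inspected, only the host and package are visible, so every hit from an unapproved app grades as 'alert' and the allowlist carries the rule.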

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

promptspy, android malware, generative ai, google gemini, mobile security, eset
