In February 2026, ESET Research disclosed a novel Android malware family that marks a significant milestone in mobile threat evolution: PromptSpy — the first known Android threat to abuse generative artificial intelligence as part of its execution flow.
Traditionally, Android malware has relied on static techniques for persistence and automation that are brittle across diverse devices and OS versions. PromptSpy challenges this paradigm by integrating Google’s Gemini generative AI model into its logic, enabling more dynamic and adaptable interaction with the infected device’s user interface.
What Makes PromptSpy Unique
GenAI in the Malware Execution Flow
Unlike prior Android malware, PromptSpy does not merely use machine learning for classification or auxiliary tasks. Instead, it actively queries a generative AI model (Gemini) to interpret the device’s current UI layout and generate step-by-step instructions that guide malicious gestures.
Specifically:
- PromptSpy captures an XML dump of the current screen — including element positions and text — and sends it to Gemini along with crafted natural language prompts.
- Gemini responds with JSON instructions specifying user actions (e.g., exact tap coordinates) needed to achieve persistence — such as locking the malware’s app in the Android recent apps list. These instructions help the malware survive user attempts to close it.
This AI-assisted UI automation dramatically increases the malware’s resilience to differences in Android skins, launcher interfaces, and OS versions — challenges that typically break traditional hardcoded automation techniques.
Core Capabilities Beyond GenAI
While the generative AI component is used chiefly for persistence, PromptSpy’s full malicious capability includes a suite of dangerous functionalities:
- Remote Control via VNC: A built-in VNC (Virtual Network Computing) module allows attackers to remotely view and operate the victim’s device as if physically present.
- Accessibility Service Abuse: The malware leverages Android’s Accessibility Service to execute actions like screen reading, automated interactions, and blocking uninstall attempts using invisible overlays.
- Data Capture: PromptSpy can capture lockscreen credentials, take screenshots, and record video of user activity.
- Encrypted C&C: Communications with its command-and-control server use AES-encrypted channels over the VNC protocol, helping it evade straightforward network detection.
Infection Strategy and Distribution
PromptSpy has not been observed on the official Google Play platform. Instead, analysis shows it was distributed via dedicated phishing websites impersonating legitimate services, such as a bank login portal.
Once a user is lured into installing the malicious APK:
- The dropper APK initiates installation of the PromptSpy payload.
- Upon launch, PromptSpy requests Accessibility permissions under false pretenses, granting it broad control over UI interactions.
- It then enters a continuous loop of querying Gemini and executing the resulting tap/swipe instructions until persistence criteria are satisfied.
Because the malware uses localized cues and distribution patterns, researchers believe it may target specific regions — with indicators suggesting an initial focus on users in Argentina.
Why This Matters: Implications for Android Security
1. AI-Enhanced Adaptability
By offloading UI interpretation to a generative AI model, PromptSpy sidesteps the rigidity that often limits Android malware. This adaptability poses a major risk: malware can dynamically adjust to diverse devices without bespoke hardcoding for each variant.
2. Lower Barrier to Entry for Threat Actors
GenAI, accessible via cloud-hosted models like Gemini, removes complexity from building sophisticated malware logic. Attackers no longer need deep expertise in UI automation or device fragmentation to ensure persistence.
3. Proof of Concept or Emerging Trend?
Although PromptSpy has not yet been widely spotted in telemetry and may represent a proof-of-concept stage, its existence underscores a broader trend in which malicious use of generative AI is accelerating. Earlier examples include the PromptLock ransomware — another GenAI-leveraging threat discovered by ESET researchers.
Defensive Considerations
To mitigate such threats, defenders and platform security services should consider:
- Behavioral detection mechanisms that identify anomalous UI automation and accessibility abuse — which may reveal GenAI-driven malware actions.
- Enhanced phishing detection, as social engineering remains a leading vector for sideloaded Android malware.
- Runtime monitoring for unusual app behavior, such as encrypted remote connections and unauthorized UI control.
Keeping devices updated with the latest security patches and relying on robust mobile threat defense tools can help counter early variants of threats like PromptSpy.
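As an added example (not ESET's analysis code and nothing taken from the PromptSpy sample), the script below turns the behaviours described in the GenAI execution-flow and infection-chain sections into the kind of behavioural rules this list calls for, and runs them over a constructed telemetry feed. The event schema, the package names and the assumption that the app calls the public Gemini API host directly are all hypothetical.

```python
"""Added example, not ESET's or PromptSpy's code: heuristic rules for the observable
side effects of the behaviour described above; telemetry format is constructed."""
import json
from collections import defaultdict
# Assumption: direct calls to the public Gemini API host; a relay server would hide this.
GENAI_HOSTS = {"generativelanguage.googleapis.com"}
PLAY_INSTALLER = "com.android.vending"
# Constructed sample feed: one JSON event per line, timestamps in seconds, placeholder packages.
SAMPLE_EVENTS = """\
{"t": 0.0, "pkg": "com.example.dropper", "ev": "install", "installer": "browser"}
{"t": 1.0, "pkg": "com.example.dropper", "ev": "accessibility_enabled"}
{"t": 2.0, "pkg": "com.example.dropper", "ev": "ui_dump"}
{"t": 2.5, "pkg": "com.example.dropper", "ev": "net", "host": "generativelanguage.googleapis.com"}
{"t": 3.0, "pkg": "com.example.dropper", "ev": "gesture"}
{"t": 3.1, "pkg": "com.example.dropper", "ev": "gesture"}
{"t": 3.2, "pkg": "com.example.dropper", "ev": "gesture"}
{"t": 4.0, "pkg": "com.example.dropper", "ev": "overlay", "over": "com.android.settings"}
{"t": 0.0, "pkg": "com.example.notes", "ev": "install", "installer": "com.android.vending"}
{"t": 6.0, "pkg": "com.example.notes", "ev": "ui_dump"}
{"t": 6.3, "pkg": "com.example.notes", "ev": "gesture"}
"""

def analyse(events_text, burst_window=2.0, burst_min=3):
    # Returns {package: [sorted finding names]} for every package that trips a rule.
    per_pkg = defaultdict(list)
    for line in events_text.splitlines():
        if line.strip():
            e = json.loads(line)
            per_pkg[e["pkg"]].append(e)
    findings = {}
    for pkg, evs in per_pkg.items():
        evs.sort(key=lambda e: e["t"])
        hits = set()
        a11y = any(e["ev"] == "accessibility_enabled" for e in evs)
        sideloaded = any(e["ev"] == "install" and e.get("installer") != PLAY_INSTALLER for e in evs)
        if sideloaded and a11y:  # sideloaded app that obtained an AccessibilityService
            hits.add("sideloaded_accessibility_service")
        # Automation loop: a screen dump followed by a burst of synthesized gestures.
        for i, e in enumerate(evs):
            if e["ev"] == "ui_dump":
                burst = [x for x in evs[i + 1:] if x["ev"] == "gesture" and x["t"] - e["t"] <= burst_window]
                if len(burst) >= burst_min:
                    hits.add("ui_dump_gesture_burst")
        if a11y and any(e["ev"] == "net" and e.get("host") in GENAI_HOSTS for e in evs):
            hits.add("genai_api_from_accessibility_app")  # GenAI traffic from an a11y-holding app
        if any(e["ev"] == "overlay" and e.get("over") == "com.android.settings" for e in evs):
            hits.add("overlay_on_settings")  # overlay drawn over Settings: uninstall-blocking pattern
        if hits:
            findings[pkg] = sorted(hits)
    return findings
```

Each rule alone is weak (a legitimate automation app can trip the gesture burst), so the value is in the combination per package, and thresholds should be tuned against benign telemetry before alerting.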
Conclusion
PromptSpy heralds a new era in Android malware — one where generative AI is not merely a crafting tool for phishing content or social engineering messages, but an active component of the malware’s execution logic. Its discovery signals that cybercriminals are beginning to adopt sophisticated AI techniques to bypass traditional defenses, adapt to fragmented mobile ecosystems, and automate complex interactions once reserved for skilled developers.
As generative AI capabilities continue to evolve, defenders must anticipate and preempt similar innovations on the attacker side — reinforcing the need for AI-aware threat detection and cross-platform security strategies moving forward.
