PromptSpy: First Android Malware to Weaponize Generative AI

A New Class of Mobile Threat

ESET Research has published findings on PromptSpy, the first documented Android malware family to integrate generative AI into its execution flow. Unlike traditional mobile malware that relies on hardcoded UI automation scripts, PromptSpy queries Google's Gemini AI at runtime to dynamically navigate the infected device's interface — adapting to any manufacturer, Android version, or screen layout.

The discovery marks a paradigm shift: malware that can think its way through a device rather than following predetermined paths.

How PromptSpy Uses Gemini

The malware's core innovation is replacing brittle UI automation with AI-driven navigation:

Traditional Android Malware

1. Hardcode screen coordinates and UI element IDs
2. Break when device manufacturer changes UI layout
3. Break when Android version updates rearrange settings
4. Require manual updates for each new device/OS combination

PromptSpy's AI Approach

1. Capture current screen state
2. Send screen context to Gemini API
3. Receive step-by-step navigation instructions
4. Execute instructions dynamically
5. Adapt to ANY device, layout, or OS version automatically

This means PromptSpy can maintain persistence on devices it has never seen before, because Gemini provides real-time guidance based on the actual screen content.

Primary Capabilities

Capability	Description
VNC Remote Access	Deploys a built-in VNC module giving operators full remote device control
Lock Screen Capture	Captures lock screen credentials
Uninstall Blocking	Uses AI-guided navigation to prevent the user from removing the app
Screenshot Capture	Takes screenshots of the current display
Screen Recording	Records screen activity as video
Device Reconnaissance	Gathers comprehensive device information
Recent Apps Persistence	Uses Gemini to keep the malicious app pinned in the recent apps list

Technical Deep Dive

AI-Driven Persistence Mechanism

The most notable use of Gemini is for persistence. PromptSpy prompts the AI model to analyze the current screen and provide instructions on how to ensure the malicious app remains pinned in the recent apps list, preventing it from being swiped away or killed by the system's memory management.

Two Known Variants

ESET identified two versions of PromptSpy:

Variant	Key Differences
Version 1	Basic Gemini integration, VNC module, screen capture
Version 2	Enhanced persistence, additional data exfiltration capabilities, refined AI prompts

Distribution

Distributed through a dedicated website (not Google Play)
A likely distribution domain suggests a variant targeting users in Argentina
Not yet observed in ESET telemetry in the wild — may still be in proof-of-concept or limited deployment stage

Why This Matters

The Scalability Problem

Traditional Android malware requires developers to maintain scripts for hundreds of device-manufacturer combinations. PromptSpy eliminates this entirely — the AI handles device-specific navigation automatically, dramatically expanding the pool of potential victims.

Defense Evasion

By using a legitimate API (Gemini) for its navigation logic, PromptSpy's malicious behavior is harder to fingerprint. The malware's actions appear as standard API calls to a Google service rather than suspicious automated UI interactions.

A Blueprint for Future Threats

Even if PromptSpy itself remains limited in deployment, it demonstrates a replicable technique that other threat actors will adopt. The pattern of using generative AI for runtime adaptation applies to:

Banking trojans that need to navigate banking app interfaces
Spyware that must access specific settings to grant itself permissions
Ransomware that needs to navigate to disable security features

Defense Recommendations

For Users

Only install apps from Google Play — PromptSpy is distributed via third-party websites
Keep Google Play Protect enabled — It provides runtime scanning for malicious behavior
Review app permissions carefully — VNC and accessibility service permissions are red flags
Monitor data usage — VNC and screen recording generate unusual network traffic

For Security Teams

Monitor for unusual Gemini API calls from mobile devices in your fleet
Deploy mobile threat defense (MTD) solutions that detect accessibility service abuse
Block sideloading on managed devices via MDM policy
Update threat intelligence to include PromptSpy IOCs from ESET's report

Key Takeaways

First AI-powered Android malware — PromptSpy uses Gemini to navigate device UIs dynamically
Device-agnostic persistence — Works on any manufacturer, Android version, or screen layout
VNC remote access is the primary payload — Full device control for the operator
Not yet widespread — But the technique is a proven blueprint for future threats
Sideloading is the vector — Google Play users are not currently at risk

Sources

A New Class of Mobile Threat

The discovery marks a paradigm shift: malware that can think its way through a device rather than following predetermined paths.

How PromptSpy Uses Gemini

The malware's core innovation is replacing brittle UI automation with AI-driven navigation:

Traditional Android Malware

1. Hardcode screen coordinates and UI element IDs
2. Break when device manufacturer changes UI layout
3. Break when Android version updates rearrange settings
4. Require manual updates for each new device/OS combination

PromptSpy's AI Approach

1. Capture current screen state
2. Send screen context to Gemini API
3. Receive step-by-step navigation instructions
4. Execute instructions dynamically
5. Adapt to ANY device, layout, or OS version automatically

This means PromptSpy can maintain persistence on devices it has never seen before, because Gemini provides real-time guidance based on the actual screen content.

Primary Capabilities

Capability	Description
VNC Remote Access	Deploys a built-in VNC module giving operators full remote device control
Lock Screen Capture	Captures lock screen credentials
Uninstall Blocking	Uses AI-guided navigation to prevent the user from removing the app
Screenshot Capture	Takes screenshots of the current display
Screen Recording	Records screen activity as video
Device Reconnaissance	Gathers comprehensive device information
Recent Apps Persistence	Uses Gemini to keep the malicious app pinned in the recent apps list

Technical Deep Dive

AI-Driven Persistence Mechanism

Two Known Variants

ESET identified two versions of PromptSpy:

Variant	Key Differences
Version 1	Basic Gemini integration, VNC module, screen capture
Version 2	Enhanced persistence, additional data exfiltration capabilities, refined AI prompts

Distribution

Distributed through a dedicated website (not Google Play)
A likely distribution domain suggests a variant targeting users in Argentina
Not yet observed in ESET telemetry in the wild — may still be in proof-of-concept or limited deployment stage

Why This Matters

The Scalability Problem

Defense Evasion

A Blueprint for Future Threats

Banking trojans that need to navigate banking app interfaces
Spyware that must access specific settings to grant itself permissions
Ransomware that needs to navigate to disable security features

Defense Recommendations

For Users

Only install apps from Google Play — PromptSpy is distributed via third-party websites
Keep Google Play Protect enabled — It provides runtime scanning for malicious behavior
Review app permissions carefully — VNC and accessibility service permissions are red flags
Monitor data usage — VNC and screen recording generate unusual network traffic

For Security Teams

Monitor for unusual Gemini API calls from mobile devices in your fleet
Deploy mobile threat defense (MTD) solutions that detect accessibility service abuse
Block sideloading on managed devices via MDM policy
Update threat intelligence to include PromptSpy IOCs from ESET's report

Key Takeaways

First AI-powered Android malware — PromptSpy uses Gemini to navigate device UIs dynamically
Device-agnostic persistence — Works on any manufacturer, Android version, or screen layout
VNC remote access is the primary payload — Full device control for the operator
Not yet widespread — But the technique is a proven blueprint for future threats
Sideloading is the vector — Google Play users are not currently at risk

A New Class of Mobile Threat

How PromptSpy Uses Gemini

Traditional Android Malware

PromptSpy's AI Approach

Primary Capabilities

Technical Deep Dive

AI-Driven Persistence Mechanism

Two Known Variants

Distribution

Why This Matters

The Scalability Problem

Defense Evasion

A Blueprint for Future Threats

Defense Recommendations

For Users

For Security Teams

Key Takeaways

Sources

Related Reading

A New Class of Mobile Threat

How PromptSpy Uses Gemini

Traditional Android Malware

PromptSpy's AI Approach

Primary Capabilities

Technical Deep Dive

AI-Driven Persistence Mechanism

Two Known Variants

Distribution

Why This Matters

The Scalability Problem

Defense Evasion

A Blueprint for Future Threats

Defense Recommendations

For Users

For Security Teams

Key Takeaways

Sources

Related Reading