PromptSpy Android Malware Uses Google Gemini for AI-Assisted Persistence
What happened
ESET researchers discovered PromptSpy, the first known Android malware family to use generative AI as part of its execution flow. ESET researcher Lukas Stefanko identified the malware, which uses Google’s Gemini model to help the malware adapt its behavior across different Android devices.
PromptSpy appears to have evolved from an earlier Android malware variant called VNCSpy. Early samples were uploaded to VirusTotal from Hong Kong in January 2026, while later Gemini-enabled samples were uploaded from Argentina in February. ESET said the activity appears financially motivated and primarily targeted users in Argentina.
The malware was distributed as a fake Chase Bank-themed Android app called MorganArg through the now-offline domain mgardownload[.]com. The app impersonated a JPMorgan Chase login portal and was not found on Google Play.
PromptSpy’s key innovation is its use of Gemini for dynamic UI manipulation. After gaining Accessibility permissions, the malware captures an XML dump of the victim’s live screen layout, including visible text, UI element types, and screen positions. It then sends that context to Gemini with a prompt asking how to perform the gesture needed to lock the malicious app in the recent apps menu. Gemini returns JSON-formatted tap and swipe instructions, allowing PromptSpy to adapt to different Android versions, screen sizes, and manufacturer interfaces.
Beyond AI-assisted persistence, PromptSpy deploys a VNC module that gives attackers remote control of the infected device. It can record screen activity, take screenshots, collect device information, monitor the foreground app, capture lockscreen PINs or patterns, and block uninstallation attempts.
Who is affected
Android users who install the fake MorganArg app or similar sideloaded APKs are directly affected.
The campaign appears focused on users in Argentina, but the technique could be reused against other regions, banks, brands, or mobile fraud targets.
Organizations may also be affected if employees use unmanaged Android devices for banking, MFA, messaging, password recovery, or business access and can install apps from outside official app stores.
Why CISOs should care
PromptSpy matters because it shows how mobile malware can use generative AI for runtime decision-making. Instead of relying only on hardcoded gestures or fixed UI selectors, the malware asks an AI model to interpret the current screen and generate instructions.
For CISOs, this makes mobile malware more adaptable. Android fragmentation has historically made automated abuse harder because devices vary by vendor, launcher, interface, and OS version. PromptSpy reduces that problem by outsourcing UI interpretation to Gemini.
The VNC module also raises the risk. If attackers can view and control the device remotely, they may be able to interact with banking apps, capture unlock credentials, monitor MFA prompts, and operate inside a trusted mobile session.
The campaign also reinforces the importance of sideloading controls. PromptSpy was distributed outside Google Play, which means mobile device management, app vetting, and user education remain central defenses.
3 practical actions
Block sideloading on managed Android devices: Organizations should prevent installation from unknown sources and restrict APK installs outside approved app stores.
Monitor Accessibility abuse: Security teams should flag apps requesting Accessibility Services, screen recording, overlay behavior, notification access, or VNC-like remote-control capabilities without a legitimate business reason.
Protect mobile banking and MFA workflows: CISOs should treat compromised mobile devices as account takeover risks, especially when phones are used for banking, push approvals, authenticator apps, or password recovery.
Recent cybersecurity news:


