ESET researchers have documented PromptSpy, a new Android malware family that stands out as the first publicly known mobile threat to directly invoke a generative AI model during runtime. By integrating the cloud-based Google Gemini API, the malware adapts to different Android user interfaces, strengthens its persistence, and significantly complicates detection and removal.
From VNCSpy to PromptSpy: Rapid Evolution of an Android Spyware Family
According to ESET’s analysis, PromptSpy is an evolved variant of a previously undocumented strain referred to as VNCSpy. Initial VNCSpy samples were submitted to VirusTotal on 13 January 2026 from Hong Kong. Less than a month later, on 10 February, four more advanced PromptSpy samples appeared on the platform, uploaded from Argentina. This short timeline indicates a fast-paced development cycle and an active malware authoring team.
Localization artifacts point to a primary focus on Spanish-speaking users in Argentina. The fake update screens are in Spanish, and the distribution infrastructure targets Spanish-language audiences. At the same time, debug strings in Simplified Chinese have been found in the code, suggesting that the development environment or original authors may be Chinese-speaking. Analysts assess the attackers’ motivation as predominantly financial, with a clear interest in harvesting credentials and monetizable data.
How PromptSpy Uses Google Gemini to Pin Itself in Android
PromptSpy’s most distinctive capability is its use of Google Gemini to automate interaction with the Android user interface. Many Android skins allow apps to be “pinned” in the recent apps list. Pinned applications are less likely to be killed by the system when memory is cleared or when the user taps “Clear all”, which makes this mechanism attractive for both legitimate background services and persistent malware.
AI-Guided UI Navigation Across Fragmented Android Devices
The main challenge for attackers is that this “pinning” process differs across devices, Android versions, and vendor skins. Hardcoding coordinates or widget identifiers for every possible model is impractical. PromptSpy solves this using generative AI: it captures an XML dump of the current screen, including UI elements, text labels, class names, and coordinates, and sends this structured snapshot to Gemini along with a carefully crafted prompt.
Gemini processes the context and returns a JSON response describing which elements to tap and where. PromptSpy then leverages the Android Accessibility Service to simulate user interactions accordingly. After each action, it collects an updated screen dump, sends it back to Gemini, and repeats the loop until the model confirms that the app has been successfully pinned in the recent apps list. The API key for Gemini is retrieved dynamically from a command-and-control (C2) server at 54.67.2[.]84, avoiding static storage inside the APK and complicating static analysis.
Full Remote Control: VNC-Based Android Spyware Capabilities
Beyond its AI component, PromptSpy functions as a fully featured Android spyware and remote access trojan (RAT). It embeds a VNC (Virtual Network Computing) module that grants operators real-time remote viewing and control of the victim’s screen. With Accessibility permissions in place, attackers can interact with the device almost as if it were in their hands.
Documented features include interception of device PIN codes and lockscreen passwords, capture of pattern unlock gestures, on-demand screenshots, and exfiltration of the list of installed applications and the current UI state. This toolkit makes PromptSpy highly effective for stealing banking credentials, cryptocurrency wallet access data, corporate login details, and other sensitive information, similar to the way earlier Android banking trojans such as Cerberus or FluBot abused overlay and Accessibility techniques.
Self-Protection and Why Removing PromptSpy Is Difficult
PromptSpy also implements robust anti-removal mechanisms. ESET observed that users attempting to uninstall the app or revoke granted permissions are silently blocked. The malware draws invisible, transparent overlays on top of critical system buttons such as “Uninstall” or “Force stop”. As a result, the victim believes they are tapping system controls, but in reality they are interacting with a decoy layer that performs no action.
At the time of analysis, the only reliable way to remove PromptSpy was to reboot the device into Android Safe Mode, where third‑party apps do not run. From there, the user can uninstall the malicious application via the standard settings interface. This behavior mirrors longstanding techniques used by desktop rootkits and advanced Windows trojans that prevent their own deletion.
Infection Chain: Phishing Websites and Fake Android Updates
ESET attributes the distribution of PromptSpy to the domain mgardownload[.]com. After installation of an initial dropper, the user is redirected to m-mgarg[.]com, a site visually mimicking an online resource of JPMorgan Chase. On this page, victims are urged to enable installation of apps from unknown sources, under the pretext of a security update or required banking component.
Once the user complies, the dropper silently downloads a configuration file containing the URL of the PromptSpy payload. The final malicious APK is disguised as a legitimate update package, lowering suspicion. While it remains unclear whether PromptSpy has already been used in large-scale, in-the-wild campaigns, the presence of dedicated domains, phishing infrastructure, and complex Gemini integration strongly suggests that it is intended for real-world fraud operations rather than as a simple proof of concept.
PromptSpy illustrates a new phase in the evolution of mobile malware: generative AI is no longer limited to producing phishing text or code snippets but is embedded directly into the attack logic. By delegating UI navigation to models like Gemini, attackers can effectively bypass Android fragmentation, adapt dynamically to vendor-specific interfaces, and automate tasks that previously required manual tuning for each device. To counter this shift, organizations and individuals should tighten policies on sideloaded applications, restrict Accessibility permissions to strictly necessary, vetted apps, ensure staff know how to reboot devices into Safe Mode, and deploy modern MDM and mobile EDR solutions capable of detecting abuse of Accessibility and suspicious network traffic to AI endpoints. Strengthening mobile security governance is becoming critical to keep pace with rapidly evolving, AI-enabled threats.
