A piece of Android malware called PromptSpy does something no malware has done before: it asks Google's Gemini AI for instructions in real time, then follows them.
ESET researcher Lukáš Štefanko disclosed the finding on February 19. PromptSpy is the first known Android malware to integrate a generative AI model into its runtime execution loop. Not to generate phishing emails. Not to write code. To navigate the phone it's infecting.
Here's the mechanism. PromptSpy captures an XML dump of whatever is currently on the phone's screen — every button, text label, and tap target, with exact coordinates. It sends that dump to Google's Gemini along with a natural-language prompt that assigns the AI the persona of an "Android automation assistant." Gemini responds with JSON instructions: tap here, swipe there, long-press this. PromptSpy executes the gestures through Android's Accessibility Services. Then it captures the new screen state and asks again.
The loop repeats until the malware achieves its objective: pinning itself in the recent apps list so the system can't kill it and the user can't swipe it away.
This is not a sophisticated concept. It's a ruinous one.
Traditional Android malware hardcodes UI interactions. It knows the exact pixel coordinates of the "Allow" button on a Samsung Galaxy S24 running Android 15. If the victim has a different phone, a different OS version, a different language, a different screen size — the malware breaks. Building malware that works across Android's 24,000+ distinct device models has always required enormous manual effort.
PromptSpy eliminates that work entirely. "Leveraging generative AI enables the threat actors to adapt to more or less any device, layout, or OS version," Štefanko wrote, "which can greatly expand the pool of potential victims."
The malware does more than persist. It deploys a VNC module that gives attackers full remote control. It intercepts lockscreen PINs and passwords. It records pattern unlocks as video. It takes screenshots. And when you try to uninstall it, it overlays transparent rectangles over the uninstall button — invisible to you, impenetrable to your taps. Removal requires rebooting into Safe Mode.
Three samples of an earlier version called VNCSpy appeared on VirusTotal on January 13, uploaded from Hong Kong. The advanced PromptSpy variant — four samples — was uploaded from Argentina on February 10. ESET found no infections in its telemetry. The distribution domain, now offline, impersonated JPMorgan Chase under the name "MorganArg." Debug strings in the code are in simplified Chinese.
Google's response: "Android users are automatically protected against known versions of this malware by Google Play Protect." PromptSpy was never on the Play Store.
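A device-side triage check built on two facts above, that PromptSpy acts through Accessibility Services and was never on the Play Store: list apps with an enabled accessibility service that Google Play did not install. This is an added example, not ESET's tooling or code from the malware; the package names and command outputs are constructed samples, and treating only `com.android.vending` as a trusted installer is an assumption.

```python
# Added example: flag apps that hold an enabled accessibility service but were
# not installed by a trusted store. Inputs are constructed samples of the text
# printed by:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play is trusted

SAMPLE_A11Y = (  # constructed; the setting is a colon-separated list of package/class
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.bankhelper/.core.HelperService"
)
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.bankhelper  installer=null
package:com.example.notes  installer=com.android.vending
"""  # constructed

def accessibility_packages(setting):
    """Map package name -> enabled accessibility service classes."""
    services = {}
    for component in setting.strip().split(":"):
        if "/" not in component:  # empty setting or the literal "null"
            continue
        pkg, cls = component.split("/", 1)
        services.setdefault(pkg, []).append(cls)
    return services

def installers(listing):
    """Map package name -> installer package reported by `pm list packages -i`."""
    result = {}
    for line in listing.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("package:"):
            continue
        installer = next((f[len("installer="):] for f in fields[1:]
                          if f.startswith("installer=")), "null")
        result[fields[0][len("package:"):]] = installer
    return result

def flag_sideloaded_accessibility(setting, listing, trusted=TRUSTED_INSTALLERS):
    """Return (package, installer, service classes) for each app needing review."""
    known = installers(listing)
    return [(pkg, known.get(pkg, "unknown"), classes)
            for pkg, classes in sorted(accessibility_packages(setting).items())
            if known.get(pkg, "unknown") not in trusted]

if __name__ == "__main__":
    for pkg, source, classes in flag_sideloaded_accessibility(SAMPLE_A11Y, SAMPLE_PACKAGES):
        print(f"REVIEW {pkg} installer={source} services={classes}")
```

Preinstalled system apps can also report `installer=null`, so treat the output as a review list and exclude packages shown by `pm list packages -s` before escalating.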
The Gemini API key is delivered by a command-and-control server rather than hardcoded in the binary. The malware stores conversation history — its own prompts and Gemini's responses — so each new instruction builds on the last. Multi-step interactions. Context windows. Memory. The same architecture that makes chatbots useful makes this malware adaptive.
ESET flagged a second finding: PromptLock, described as the first AI-powered ransomware payload. NYU students later contacted ESET to clarify it was their proof-of-concept research project. ESET updated its communications but maintained the label "first known case of AI-powered ransomware."
What makes PromptSpy different from PromptLock — and from every AI-in-malware prediction made over the past three years — is that it works. Not in a lab. On real phones, using a real commercial API, with a real distribution infrastructure imitating a real bank. The gap between proof-of-concept and proof-of-intent is a single domain registration.
The generative AI portion is a small fraction of PromptSpy's total code. But it solves the hardest problem in mobile malware: device fragmentation. Every new Android skin, every OEM customization, every accessibility setting — Gemini navigates them all. Write once, infect anything.
Security researchers have spent years warning that attackers would weaponize generative AI. Most predictions focused on phishing, social engineering, and code generation. Nobody predicted the first real-world use would be asking a chatbot to tap buttons on a compromised phone.
The malware doesn't need Gemini to be malicious. It needs Gemini to be helpful.