PromptSpy ushers in the era of Android threats using GenAI

ESET researchers have discovered the first instance of Android malware using generative AI for context-aware user interface manipulation. This new malware family, named PromptSpy, prompts an AI model (Google’s Gemini) to guide malicious UI manipulation, allowing the attackers to adapt to various devices, layouts, and OS versions. PromptSpy is the second AI-powered malware discovered, following PromptLock in August 2025, which was the first known case of AI-driven ransomware.

Although the use of generative AI in PromptSpy’s code is limited to achieving persistence, it significantly impacts the malware’s adaptability. Gemini analyzes the current screen and provides step-by-step instructions to ensure the malicious app remains pinned in the recent apps list, making it difficult to remove. The main purpose of PromptSpy is to deploy a VNC module for remote access to the victim’s device and perform various malicious actions.

This campaign is financially motivated and appears to target users in Argentina, with clues suggesting development in a Chinese-speaking environment. PromptSpy is distributed through a dedicated website and has not been available on Google Play. However, Google Play Protect automatically protects Android users against known versions of this malware.

Key points:

  • PromptSpy is the first Android malware to utilize generative AI, primarily for achieving persistence.
  • Google’s Gemini provides dynamic instructions for malicious UI manipulation on compromised devices.
  • Aside from AI, PromptSpy deploys a VNC module for remote access and performs various malicious actions.
  • PromptSpy has not been observed widely, suggesting it may be a proof of concept targeting users in Argentina.
  • PromptSpy can capture data, block uninstallation, gather device info, take screenshots, record videos, and more.

PromptSpy’s AI-powered functionality

PromptSpy incorporates Gemini AI to automate actions that would be challenging with traditional scripting, enhancing its adaptability across devices and OS versions. By sending natural-language prompts and screen details to Gemini, the malware receives instructions on actions to perform, enabling it to stay embedded in the recent apps list.

Figure 1 shows a code snippet of PromptSpy’s communication with Gemini, demonstrating how the AI instructs the malware to perform specific actions on the device’s UI elements.

PromptSpy overview

In February 2026, ESET discovered two versions of a new Android malware family, PromptSpy, using Gemini AI for malicious activities. The malware has not been widely observed, indicating it may be in the proof of concept stage.

Nevertheless, considering the potential distribution domain outlined in the subsequent paragraphs, we cannot rule out the presence of the PromptSpy dropper and PromptSpy in the wild.

Based on VirusTotal data, all four PromptSpy dropper samples were distributed through the now-offline website mgardownload[.]com.

Upon installation and execution of the PromptSpy dropper, a webpage hosted on m‑mgarg[.]com was opened, resembling a Chase Bank site. Although this domain was also offline, a cached version by Google indicated its fraudulent nature (refer to Figure 2).

Figure 2. Google’s cached data for the fake website
Figure 2. Google’s cached data for the fake website

Utilizing the m-mgarg[.]com domain for further investigation in VirusTotal led to the discovery of another Android malware sample (Android/Phishing.Agent.M), posing as a bank website in Spanish (see Figure 4).

Figure 4. User interface of Android Phishing Agent M
Figure 4. User interface of Android/Phishing.Agent.M displaying the same fake website as PromptSpy dropper (source: https://www.virustotal.com/gui/file/4ee3b09dd9a787ebbb02a637f8af192a7e91d4b7af1515d8e5c21e1233f0f1c7/)

This trojan, possibly related to VNCSpy and PromptSpy, resembles a companion app developed by the same threat actor. The malware contacts a server for a configuration file, aiming to deceive victims into installing another APK under the guise of an update, hinting at a potential connection to PromptSpy.

Both VNCSpy and PromptSpy grant full remote access to compromised devices once Accessibility Services are enabled, allowing malicious operators to monitor and control the device. PromptSpy enhances this capability with AI-assisted UI manipulation to ensure its persistence (refer to Figure 6).

Figure 6. Not locked (left) and locked (right) MorganArg app in the list of recent apps
Figure 6. Not locked (left) and locked (right) MorganArg app in the list of recent apps, with the padlock icon representing the lock

This functionality likely prevents the PromptSpy activity from being terminated before establishing a VNC session, as showcased in Figure 7, depicting PromptSpy’s network communication with Gemini AI.

Figure 7. Network communication of malware and Gemini (1)
Figure 7. Network communication of malware and Gemini with prompt request and response shown in red rectangles

Origins

Analysis of PromptSpy revealed debug strings in simplified Chinese, indicating a Chinese-speaking development environment, further supported by handling for Chinese Accessibility event types (refer to Figure 8).

Figure 8. Parsing and logging various event types
Figure 8. Parsing and logging various event types

With moderate certainty, these findings suggest that PromptSpy’s origin lies within a Chinese-speaking context.

Analysis

Our analysis delves into the PromptSpy dropper and its payload, PromptSpy, embedded within the dropper’s asset directory as app-release.apk. The payload encompasses the core malicious functionalities, presented to users as an apparent app update, necessitating manual installation (see Figure 9).

Figure 9. Malware’s initial screen that requests to install PromptSpy payload
Figure 9. Malware’s initial screen that requests to install PromptSpy payload

Following installation, PromptSpy solicits Accessibility Service permissions, enabling the malware to scan on-screen content and execute automated clicks.

Subsequently, PromptSpy displays a simplistic loading-style decoy screen in the foreground (refer to Figure 10). In the background, PromptSpy communicates with Gemini AI to acquire instructions necessary to lock its process in the Recent Apps list, a basic persistence technique that enables PromptSpy to remain active and locked even after the device is rebooted.

As the user encounters the “Loading, please wait” activity, PromptSpy utilizes Accessibility Services to access the Recent Apps screen and gather detailed UI information such as visible text, content descriptions, class names, package names, and screen bounds. This dynamic UI snapshot is serialized as XML and included in the prompt sent to Gemini. Gemini then responds with step-by-step tap instructions on how to perform the “app lock” gesture.

This process creates a continuous loop where PromptSpy updates the UI context to Gemini, Gemini provides new actions, PromptSpy executes them, and then returns the resulting screen state. This loop continues until Gemini confirms that the app is successfully locked in recent apps.

All actions instructed by Gemini, including taps, swipes, and navigation, are carried out through Accessibility Services, allowing the malware to interact with the device without requiring user input.

PromptSpy’s primary malicious feature lies in its built-in VNC service, enabling attackers to remotely view the victim’s screen in real time and exert full control over the device.

The malware communicates with its hardcoded command-and-control (C&C) server at 54.67.2[.]84 using the VNC protocol, with messages encrypted using a hardcoded key. Through this channel, the malware can receive a Gemini API key, upload the list of installed apps, intercept lockscreen credentials, capture pattern unlock screens, report screen status and foreground apps, record screens and gestures, and take screenshots on demand.

Furthermore, PromptSpy misuses Accessibility Services as an anti-removal mechanism by overlaying transparent rectangles on specific screen areas to hinder uninstallation attempts. These overlays intercept interactions, making removal challenging. To remove PromptSpy, the victim must reboot the device into Safe Mode, where third-party apps can be uninstalled normally.

In conclusion, PromptSpy highlights the evolving sophistication of Android malware, utilizing generative AI to adapt and interact with on-screen elements dynamically. By leveraging AI for real-time decision-making, malware like PromptSpy can overcome UI changes and persist on devices effectively. This campaign underscores the potential of generative AI to enhance malware capabilities and poses new challenges for cybersecurity. Have you heard of PromptSpy? It’s one of the early examples of generative AI-powered Android malware, showcasing how quickly attackers are leveraging AI tools to enhance their impact.

If you’re interested in diving deeper into our research on WeLiveSecurity, feel free to reach out to us at threatintel@eset.com. Additionally, ESET Research provides private APT intelligence reports and data feeds. For more information on this service, visit the ESET Threat Intelligence page.

For a comprehensive list of indicators of compromise (IoCs) and samples related to PromptSpy, you can check out our GitHub repository.

In terms of files associated with PromptSpy, here are some key details:

– SHA-1: 6BBC9AB132BA066F63676E05DA13D108598BC29B
– Filename: net.ustexas.myavlive.apk
– Detection: Android/Spy.VNCSpy.A
– Description: Android VNCSpy malware

– SHA-1: 375D7423E63C8F5F2CC814E8CFE697BA25168AFA
– Filename: nlll4.un7o6.q38l5.apk
– Detection: Android/Spy.VNCSpy.A
– Description: Android VNCSpy malware

And the list goes on with various other files and their corresponding details related to PromptSpy.

Looking at the network associated with PromptSpy, here are some noteworthy points:

– IP: 52.222.205.45
– Domain: m-mgarg.com
– Hosting provider: Amazon.com, Inc.
– Details: Phishing website

– IP: 54.67.2.84
– Hosting provider: Amazon.com, Inc.
– Details: C&C server

The MITRE ATT&CK techniques used by PromptSpy include various tactics like Persistence, Defense Evasion, Credential Access, Discovery, Collection, Command and Control, and Exfiltration. Each tactic is linked to specific techniques that PromptSpy utilizes to carry out its malicious activities.

To learn more about how PromptSpy ushers in a new era of Android threats using AI, visit the ESET Threat Intelligence page.

[Image: ESET Threat Intelligence]

This engaging content has been seamlessly integrated into a WordPress platform, ensuring a smooth reading experience for our audience. Please provide the sentence that you would like me to rewrite.

Leave a Reply

Your email address will not be published. Required fields are marked *