
PromptSpy: The Android Malware that Leverages Gemini AI for Persistent Access


Key Findings:


  • PromptSpy is the first known Android malware to abuse Google's Gemini AI to maintain persistence on infected devices

  • It can capture lockscreen data, block uninstallation attempts, collect device information, take screenshots, and record screen activity as video

  • The malware leverages Gemini AI to analyze the current screen and provide it with step-by-step instructions on how to remain pinned in the recent apps list, preventing easy removal


Background


ESET researchers have uncovered PromptSpy, the first Android malware known to abuse Google's Gemini AI to achieve persistence on infected devices. It is not exploiting a flaw in Gemini; it uses the model as an ordinary API client. This marks a concerning step in AI-assisted mobile threats, following the discovery of PromptLock in 2025, the first known AI-driven ransomware.


Gemini AI Integration


PromptSpy uses Gemini AI in a limited but clever way to stay persistent on the device. Fixed tap sequences and hard-coded screen coordinates often fail across Android versions, OEM launchers and screen sizes, so instead the malware sends Gemini a text prompt plus an XML dump of the current screen, the kind of view hierarchy an Accessibility Service can read. This gives the model a full view of every button, its text and its position. Gemini replies with JSON instructions telling the malware which element to tap; the malware performs the tap, dumps the screen again, and repeats the process until the app is locked in the recent apps list, so that it survives the user clearing their recent apps. A side effect worth noting: every screen the malware analyzes this way is sent off the device to the Gemini API.
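The dump-prompt-tap loop described above, modelled as an added example (this is not PromptSpy's code or ESET's analysis tooling; the two Recents-screen dumps, the launcher resource ids and the stand-in function that answers in place of Gemini are all constructed for illustration). It shows why the approach survives layout changes: the model names a node by id rather than a coordinate, and the malware side converts that choice into tap coordinates from the dump it already holds. It also shows the strict validation such a loop needs before acting on model output, which is where a reply naming a control that is not on screen gets refused.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed Recents-screen dumps in the uiautomator XML layout (hypothetical launcher
# resource ids; not taken from a real device or from PromptSpy). The pin/lock control
# sits at a different position, with a different label, in each layout.
DUMP_LAYOUT_A = """<hierarchy rotation="0">
  <node class="android.widget.FrameLayout" bounds="[0,0][1080,2340]" clickable="false" text="" resource-id="">
    <node class="android.widget.ImageView" bounds="[480,900][600,1020]" clickable="true" text="" content-desc="Example App" resource-id="com.example.launcher:id/task_icon"/>
    <node class="android.widget.TextView" bounds="[300,1100][780,1180]" clickable="true" text="Lock" resource-id="com.example.launcher:id/menu_lock"/>
    <node class="android.widget.Button" bounds="[200,1400][880,1500]" clickable="true" text="Clear all" resource-id="com.example.launcher:id/clear_all"/>
  </node>
</hierarchy>"""

DUMP_LAYOUT_B = """<hierarchy rotation="0">
  <node class="android.widget.FrameLayout" bounds="[0,0][1440,3120]" clickable="false" text="" resource-id="">
    <node class="android.widget.Button" bounds="[100,200][500,300]" clickable="true" text="Clear all" resource-id="com.example.launcher:id/clear_all"/>
    <node class="android.widget.TextView" bounds="[900,2400][1300,2500]" clickable="true" text="Pin this app" resource-id="com.example.launcher:id/menu_pin"/>
  </node>
</hierarchy>"""

DUMP_PINNED = """<hierarchy rotation="0">
  <node class="android.widget.FrameLayout" bounds="[0,0][1440,3120]" clickable="false" text="" resource-id="">
    <node class="android.widget.TextView" bounds="[100,200][900,300]" clickable="false" text="Example App is pinned" resource-id=""/>
  </node>
</hierarchy>"""

BOUNDS_RE = re.compile(r"\[(\d+),(\d+)\]\[(\d+),(\d+)\]")
ALLOWED_ACTIONS = {"tap", "done"}


def parse_nodes(xml_text):
    """Flatten a dump into the nodes a model would be shown: id, label, clickability, bounds."""
    nodes = []
    for n in ET.fromstring(xml_text).iter("node"):
        m = BOUNDS_RE.fullmatch(n.get("bounds", ""))
        if not m:
            continue
        nodes.append({
            "id": n.get("resource-id", ""),
            "text": n.get("text") or n.get("content-desc") or "",
            "clickable": n.get("clickable") == "true",
            "bounds": tuple(int(v) for v in m.groups()),
        })
    return nodes


def build_prompt(goal, nodes):
    """Text prompt plus the screen description; bounds are left out so the model must name a node."""
    visible = [{"id": n["id"], "text": n["text"], "clickable": n["clickable"]} for n in nodes]
    return (f"GOAL: {goal}\n"
            'Reply with JSON only: {"action": "tap", "target": "<node id>"} or {"action": "done"}.\n'
            f"NODES:\n{json.dumps(visible)}")


def stand_in_model(prompt):
    """Constructed stand-in for the Gemini call. A real implementation would POST the prompt
    to the model API; this one reads the node list back out of the prompt and answers in the
    same JSON shape so the loop can run offline."""
    nodes = json.loads(prompt.split("NODES:\n", 1)[1])
    for n in nodes:
        if n["clickable"] and re.search(r"\b(lock|pin)\b", n["text"], re.IGNORECASE):
            return json.dumps({"action": "tap", "target": n["id"]})
    return json.dumps({"action": "done"})


def resolve_action(reply, nodes):
    """Validate the model's reply strictly and turn it into tap coordinates.
    Returns None for 'done'; raises ValueError for malformed JSON, unknown actions,
    or a target that is not a clickable node actually present in this dump."""
    try:
        obj = json.loads(reply)
    except json.JSONDecodeError as exc:
        raise ValueError(f"model reply is not JSON: {exc}") from exc
    if not isinstance(obj, dict) or obj.get("action") not in ALLOWED_ACTIONS:
        raise ValueError(f"unexpected action in reply: {reply!r}")
    if obj["action"] == "done":
        return None
    target = obj.get("target")
    if not isinstance(target, str) or not target:
        raise ValueError("tap action without a target id")
    for n in nodes:
        if n["clickable"] and n["id"] == target:
            x1, y1, x2, y2 = n["bounds"]
            return ((x1 + x2) // 2, (y1 + y2) // 2)   # tap the centre of the chosen node
    raise ValueError(f"target {target!r} is not a clickable node on this screen")


def drive(goal, screens, model, max_steps=5):
    """Run the loop over a sequence of dumps (each standing in for a fresh accessibility
    dump taken after the previous tap). Returns the taps issued, in order."""
    taps = []
    for xml_text in screens[:max_steps]:
        nodes = parse_nodes(xml_text)
        coords = resolve_action(model(build_prompt(goal, nodes)), nodes)
        if coords is None:
            break
        taps.append(coords)
    return taps


if __name__ == "__main__":
    print(drive("keep this app pinned in Recents", [DUMP_LAYOUT_A, DUMP_LAYOUT_B, DUMP_PINNED], stand_in_model))
```

Running it yields two taps at different coordinates, one per layout, with no coordinate ever written into the code; that is the portability gain the article attributes to the technique. The same loop is also the detection opportunity: an app holding accessibility access that repeatedly posts screen dumps to a generative-AI API while the user is on the Recents screen has no benign reason to do so.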


Malware Capabilities


In addition to maintaining persistence, PromptSpy is equipped with a range of malicious capabilities, including:


  • Deploying a VNC module for remote control

  • Abusing Accessibility Services to block removal

  • Capturing lockscreen data

  • Recording video of screen activity

  • Using encrypted C2 communications
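A static triage check for the capability combination listed above, added here as an example (it is not code from ESET or from the PromptSpy sample; the manifest, package name and class names are constructed). It assumes a manifest decoded to text, as apktool produces, and flags the declarations an app needs for accessibility abuse, screen recording via MediaProjection, network access and sideloading a further payload.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = f"{{{ANDROID_NS}}}"   # ElementTree prefix for android: attributes

# Constructed manifest in decoded (apktool-style) text form. Package, class names and the
# permission set are hypothetical, chosen to exercise every check below.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.viewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Viewer">
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
             android:exported="true">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".CaptureService"
             android:foregroundServiceType="mediaProjection"/>
  </application>
</manifest>"""

# Constructed benign control: network access only.
BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


def triage_manifest(xml_text):
    """Return the capability flags found in a decoded manifest, keyed by what they enable."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    findings = {}
    for svc in root.iter("service"):
        actions = {a.get(A + "name") for a in svc.iter("action")}
        # An accessibility service must be bound with this permission and answer this action.
        if (svc.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
                and "android.accessibilityservice.AccessibilityService" in actions):
            findings["accessibility_service"] = svc.get(A + "name")
        # Screen capture/recording on recent Android runs as a mediaProjection foreground service.
        if "mediaProjection" in svc.get(A + "foregroundServiceType", "").split("|"):
            findings["screen_capture_service"] = svc.get(A + "name")
    if "android.permission.INTERNET" in perms:
        findings["network"] = True
    if "android.permission.REQUEST_INSTALL_PACKAGES" in perms:
        findings["can_sideload_payload"] = True
    return findings


def risk_score(findings):
    """Crude heuristic weight: accessibility plus screen capture plus network is the
    combination behind the capability list above, so those dominate."""
    weights = {"accessibility_service": 3, "screen_capture_service": 2,
               "network": 1, "can_sideload_payload": 1}
    return sum(w for k, w in weights.items() if k in findings)


if __name__ == "__main__":
    for name, m in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        f = triage_manifest(m)
        print(name, risk_score(f), f)
```

Screen readers and legitimate automation tools declare the same accessibility service, so this is a triage signal to rank samples, not a verdict. On a live device, `adb shell settings get secure enabled_accessibility_services` lists which services are currently enabled, which is the quickest way to spot an unexpected one.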


Distribution and Targeting


The malware campaign appears to be financially motivated and primarily targets users in Argentina. Evidence suggests it was likely developed in a Chinese-speaking environment: its debug strings are in simplified Chinese, and some of its functions are written to handle Chinese-language Accessibility events.


PromptSpy is distributed through a dedicated website rather than Google Play, and Google Play Protect can block known versions of it. A related phishing app, likely from the same actor, helps deliver the final payload.


Significance and Implications


PromptSpy represents a new evolution in Android malware, demonstrating how threat actors are beginning to leverage generative AI tools to make their creations more dynamic and adaptable. By using Gemini AI to interpret on-screen elements and determine the necessary interaction steps, the malware can persist across a wide range of devices and Android versions, expanding the potential victim pool.


This case illustrates the growing risks of AI-powered malware and the need for continued vigilance and innovation in mobile security.


Sources


  • https://securityaffairs.com/188261/ai/promptspy-abuses-gemini-ai-to-gain-persistent-access-on-android.html

  • https://thehackernews.com/2026/02/promptspy-android-malware-abuses-google.html

  • https://www.securityweek.com/promptspy-android-malware-abuses-gemini-ai-at-runtime-for-persistence/

  • https://www.helpnetsecurity.com/2026/02/19/promptspy-android-malware-generative-ai/

© 2025 by Explain IT Again.