Current Cyber Threats

PromptSpy Ushers in the Era of Android Threats Using GenAI

Summary:
PromptSpy is the first known Android malware family to weaponize a generative AI model, specifically Google’s Gemini, as part of its execution flow. It was uncovered in February 2026 by ESET researcher Lukas Stefanko, following the vendor’s earlier identification of PromptLock in August 2025 as the first known AI-driven ransomware family. PromptSpy traces its origins to an earlier variant internally tracked as VNCSpy, with three samples first appearing on VirusTotal on January 13, 2026, uploaded from Hong Kong. By February 10, 2026, four samples of more advanced malware based on VNCSpy were uploaded to VirusTotal from Argentina, prompting ESET to designate the full family as PromptSpy. The malware is distributed under the guise of a Chase-themed Android application named “MorganArg” via a dedicated, now-offline distribution domain that impersonated a login portal for JPMorgan Chase Bank.

PromptSpy fundamentally departs from traditional Android malware by delegating UI navigation decisions to a generative AI model. Instead of relying on hardcoded screen coordinates or fixed UI selectors, the malware sends Gemini a natural-language prompt together with a full XML dump of the live screen, exposing each visible UI element’s text, class, and precise screen bounds. Gemini processes this context and returns structured JSON instructions describing exactly which taps, long-presses, or swipe gestures should be executed. These instructions are carried out through the Android Accessibility Service in a continuous feedback loop, where PromptSpy submits updated UI context after each action and proceeds only when Gemini confirms task completion. This mechanism is used to perform the device-specific “lock app in recent apps” gesture, pinning the malicious MorganArg application in the multitasking view so it cannot be easily swiped away or terminated. Although the AI model and its prompts are hardcoded and cannot be modified at runtime, the dynamic decision-making enabled by Gemini allows the malware to reliably navigate through different system interfaces.

Security Officer Comments:
By offloading UI interpretation and action planning to a generative AI model, PromptSpy can adapt to virtually any Android device, manufacturer skin, screen resolution, or OS version, significantly expanding its potential victim pool compared to script-based Android malware that routinely breaks when interface layouts change.

Beyond AI-assisted persistence, PromptSpy’s primary operational purpose is the deployment of a built-in VNC module that provides attackers with full remote, interactive access to the victim’s device over an AES-encrypted VNC communication channel. Once Accessibility Services are granted, the malware can capture lockscreen PINs and pattern unlocks, record screen activity, take on-demand screenshots, enumerate installed applications, and perform arbitrary user interactions remotely.
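Because every capability described above depends on the Accessibility Service grant, and the app is delivered from a website rather than an app store, one defender-side check is to list the enabled accessibility services on a device and flag those whose package was not installed by Google Play. The script below is an added example, not part of the original report or ESET's tooling; it assumes its inputs come from `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and the sample values and package names are constructed.

```python
import re

PLAY_STORE = "com.android.vending"

def parse_enabled_services(value):
    """Split the colon-separated setting into (package, service class) pairs."""
    value = value.strip()
    if not value or value == "null":          # nothing enabled
        return []
    services = []
    for comp in value.split(":"):
        pkg, _, cls = comp.partition("/")
        if pkg and cls:
            # Short form "pkg/.Svc" expands to "pkg/pkg.Svc".
            services.append((pkg, pkg + cls if cls.startswith(".") else cls))
    return services

def parse_installers(pm_output):
    """Map package -> installer from `pm list packages -i` output."""
    installers = {}
    pattern = r"^package:(\S+)[ \t]+installer=(\S+)"
    for m in re.finditer(pattern, pm_output, re.M):
        installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def audit(value, pm_output, allowlist=frozenset()):
    """Return enabled accessibility services not installed via Google Play.

    Preinstalled system apps also report no installer, so known-good
    packages belong in `allowlist` (a hypothetical, site-specific set).
    """
    installers = parse_installers(pm_output)
    findings = []
    for pkg, cls in parse_enabled_services(value):
        source = installers.get(pkg)
        if pkg in allowlist or source == PLAY_STORE:
            continue
        findings.append({"package": pkg, "service": cls,
                         "installer": source or "none recorded"})
    return findings

# Constructed sample input (not taken from a real device or from the report).
SAMPLE_SETTING = ("com.google.android.marvin.talkback/"
                  "com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.sideloaded/.RemoteService")
SAMPLE_PM = ("package:com.google.android.marvin.talkback  installer=com.android.vending\n"
             "package:com.example.sideloaded  installer=null\n")

if __name__ == "__main__":
    for finding in audit(SAMPLE_SETTING, SAMPLE_PM):
        print(finding)
```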

Suggested Corrections:
Debug strings and localized Accessibility event handlers written in simplified Chinese indicate, with medium confidence, that PromptSpy was developed in a Chinese‑speaking environment. To date, no infections have been observed in ESET’s telemetry. However, the existence of a dedicated distribution infrastructure and multiple staged malware samples suggests an intent to deploy PromptSpy in real-world attacks. ESET shared its findings with Google through the App Defense Alliance; Android users are automatically protected against known PromptSpy variants by Google Play Protect.

Link(s):
https://www.welivesecurity.com/en/eset-research/promptspy-ushers-in-era-android-threats-using-genai/