PromptSpy: The First Android Malware Weaponizing Generative AI at Runtime — Full Attack Breakdown

Android malware just leveled up. On February 19, 2026, ESET researchers published findings on PromptSpy — the first known Android malware to plug a generative AI model directly into its execution flow. It uses Google's Gemini to read the screen, figure out what to tap, and keep itself alive across any device it lands on. No hardcoded coordinates. No brittle scripts. Just an LLM making real-time decisions about how to interact with your phone. Here's exactly how it works, why it matters, and what it signals about where mobile threats are headed.

For years, mobile malware authors have dealt with a frustrating problem: Android is fragmented. Samsung's UI looks different from Xiaomi's, which looks different from Pixel's stock Android, which looks different from whatever OnePlus is doing this year. When your malware depends on tapping specific buttons at specific screen coordinates, every new device skin or OS update can break your entire operation. The conventional approach has been hardcoded scripts — rigid, fragile, and limited to the devices the attacker tested against. PromptSpy throws that entire approach out the window. Instead of hardcoded UI interactions, it hands Google's Gemini a snapshot of whatever is on screen and asks, "What do I tap next?" The AI figures it out in real time. That's not theoretical. That's working malware, in the wild, using a commercially available LLM to make autonomous decisions on a compromised device.

The Discovery: From VNCSpy to PromptSpy

The story begins in January 2026. ESET researcher Lukáš Štefanko identified a previously unknown Android malware family that he named VNCSpy. Three samples appeared on VirusTotal on January 13th, uploaded from Hong Kong. VNCSpy was a capable piece of spyware on its own — a VNC-based remote access tool that could take over an infected device — but it didn't contain anything particularly novel in its technique.

Then on February 10th, four new samples were uploaded to VirusTotal from Argentina. These were based on VNCSpy's codebase but had been significantly upgraded. The new version contained something researchers had never seen before in Android malware: a module that calls Google's Gemini API during execution to guide the malware's on-device behavior. ESET named this evolved variant PromptSpy — a nod to the fact that the entire attack hinges on prompting an AI model.

It's worth noting that ESET hasn't yet observed PromptSpy in their own telemetry data, meaning it may still be in a proof-of-concept phase. But as Štefanko pointed out, the existence of a dedicated distribution domain and a fake banking website suggests this isn't purely experimental.

"Still, because there appears to be a dedicated domain that was used to distribute them, and fake bank website, we can't rule out the possibility that both the dropper and PromptSpy are or were in the wild." — Lukáš Štefanko, ESET Researcher

The AI Engine: How Gemini Drives the Attack

Here's where PromptSpy breaks new ground. The malware's goal with the AI component is specific: achieve persistence by locking itself into the Android Recent Apps list. On many Android devices, you can "pin" or "lock" an app in the recent apps view, represented by a small padlock icon. A locked app won't be killed during memory cleanup, won't disappear when the user taps "Clear all," and survives device reboots. For a legitimate app, this is a convenience feature. For malware, it's a persistence goldmine.

The problem for attackers is that the gesture required to lock an app varies wildly between manufacturers. It might be a long-press on one device, a swipe-and-tap on another, or a menu option buried somewhere else entirely. There's no universal method. Traditional malware handles this with device-specific scripts — an approach that scales badly and breaks constantly.

PromptSpy's solution is elegant in a disturbing way. It has a hardcoded system prompt baked into the code that assigns Gemini the role of an "Android automation assistant." When it needs to achieve persistence, it does the following:

  1. Screen capture via Accessibility Services: PromptSpy uses its Accessibility permissions to open the Recent Apps screen and collect a detailed snapshot of every visible UI element — text labels, class types, content descriptions, package names, and exact screen coordinates. All of this is serialized into an XML document.
  2. Prompt construction: The malware sends Gemini a natural-language prompt that includes the XML screen dump and a goal statement: lock the MorganArgs app in the recent apps list (note: the prompt uses "MorganArgs" while the actual app is named "MorganArg" — a minor inconsistency in the malware's code). The prompt includes the device model for context.
  3. AI-generated instructions: Gemini processes the screen data and returns JSON-formatted instructions specifying exactly what action to perform — a tap, long-press, or swipe — along with precise X/Y coordinates.
  4. Execution loop: PromptSpy executes the instructed action through Accessibility Services, captures the resulting screen state, and sends it back to Gemini. This loop continues until Gemini confirms the app has been successfully locked.

Context-Aware Conversation

PromptSpy doesn't just fire off single prompts. It saves both its previous prompts and Gemini's responses, building a conversational context. This allows Gemini to coordinate multi-step interactions — understanding what it already tried, what the current screen state looks like after the last action, and what should happen next. It's not a one-shot query. It's an autonomous feedback loop.

The prompt itself is instructive. It tells Gemini not to guess whether the task is complete and only to return a "COMPLETED" status when there is clear visual evidence of success in the UI XML. If the last action hasn't been reflected on screen yet, it should return "IN_PROGRESS" with no action and wait for the next screen state. This isn't some sloppy proof-of-concept prompt. The authors built in verification logic to make sure the AI doesn't hallucinate success.

Here's a sanitized version of the prompt structure extracted by ESET:

System: You are an Android automation assistant. The user will give
you the UI XML data of the current screen. Analyze the XML and output
operation instructions in JSON format to achieve the user's goal.

Core Rules:
- Do NOT guess that the task is completed
- Only return COMPLETED when you see visual evidence of success
- If unsure, remain IN_PROGRESS and attempt to verify
- If current UI XML is empty, use RECENTS to access the recent apps list

Output format:
{
  "status": "IN_PROGRESS" | "COMPLETED" | "IMPOSSIBLE",
  "reasoning": "What I saw on screen and why I'm taking this action",
  "action_type": "TAP" | "LONG_CLICK" | "SWIPE" | "NONE",
  "x": [coordinate],
  "y": [coordinate]
}

User Goal: Lock the current MorganArgs app in the recent apps list.
Device info: [DEVICE MODEL]
Current UI XML: [DYNAMIC SCREEN DATA]

And a typical Gemini response:

{
  "status": "IN_PROGRESS",
  "reasoning": "I have accessed the recent apps list. I can see
    MorganArgs listed. The next step is to long-click on the
    app card to bring up the options menu, which should include
    an option to lock it.",
  "action_type": "LONG_CLICK",
  "x": 586,
  "y": 1126
}

That's an LLM analyzing a live device UI, reasoning about what it sees, and issuing precise touch coordinates. Running inside malware. On your phone.

The Kill Chain: Full Attack Flow

PromptSpy doesn't arrive alone. It uses a dropper-payload architecture. The initial malware — the PromptSpy dropper — was distributed through a dedicated website at mgardownload[.]com (offline at the time of ESET's analysis). Here's the full infection chain:

Stage 1 — Dropper installation. The victim downloads and installs the dropper from the malicious distribution site. When launched, it opens a fake banking website hosted at m-mgarg[.]com. Google's cached version of this domain revealed it was impersonating Chase Bank (JPMorgan Chase). The dropper then prompts the victim to install an "update" — which is actually the PromptSpy payload embedded in the dropper's asset directory as app-release.apk.

Stage 2 — Payload deployment. The victim manually installs the PromptSpy payload, which masquerades as an app called MorganArg (likely short for "Morgan Argentina") with an icon resembling Chase Bank's branding. On launch, it immediately requests Accessibility Service permissions.

Stage 3 — Decoy screen and AI persistence. Once Accessibility permissions are granted, PromptSpy displays a simple "Loading, please wait" decoy screen. While the victim stares at this, the malware is running the Gemini-powered persistence loop in the background — opening the Recent Apps view, dumping the UI, querying the AI, and executing whatever taps or swipes Gemini recommends until the app is locked.

Stage 4 — VNC activation. With persistence established, PromptSpy activates its VNC module and connects to its hardcoded command-and-control server at 54.67.2[.]84 using AES-encrypted VNC protocol traffic. The AES key is hardcoded in the binary, meaning anyone who reverse-engineers the app can decrypt the C&C traffic. The attackers now have full remote access.

It's worth noting that the AI-driven recent apps lock isn't PromptSpy's only persistence mechanism. The malware also registers a BOOT_COMPLETED broadcast receiver, which means it automatically reactivates at device startup. The AI handles keeping the app pinned in the recent apps list (preventing cleanup by the user or system), while the boot receiver ensures the malware's service restarts after a reboot. Together, these two mechanisms make PromptSpy difficult to shake without a Safe Mode intervention.
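
The traits described so far (an Accessibility service, a BOOT_COMPLETED receiver, and the embedded prompt scaffold) can be checked statically during APK triage. The sketch below is an added example, not ESET's tooling or code from the sample. It assumes a manifest already decoded to text, strings already extracted from the code, a prompt stored unencrypted, and the public Gemini API host present as a plain string. The sample manifest, package name and strings are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Markers copied from the prompt structure quoted earlier in this article.
PROMPT_MARKERS = ("Android automation assistant", "Current UI XML",
                  "IN_PROGRESS", "LONG_CLICK")
# Public Gemini API host; its presence as a plain string is an assumption.
GEMINI_HOST = "generativelanguage.googleapis.com"

def manifest_traits(manifest_xml):
    """Persistence-related components declared in a decoded AndroidManifest."""
    root = ET.fromstring(manifest_xml)
    traits = set()
    for svc in root.iter("service"):
        if svc.get(ANDROID + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            traits.add("accessibility_service")
    for action in root.findall(".//receiver/intent-filter/action"):
        if action.get(ANDROID + "name") == "android.intent.action.BOOT_COMPLETED":
            traits.add("boot_receiver")
    return traits

def string_traits(strings):
    """LLM-automation artifacts in strings extracted from the APK's code."""
    traits = set()
    hits = [m for m in PROMPT_MARKERS if any(m in s for s in strings)]
    if len(hits) >= 3:  # several markers together, not one stray constant
        traits.add("ui_automation_prompt")
    if any(GEMINI_HOST in s for s in strings):
        traits.add("llm_api_host")
    return traits

def triage(manifest_xml, strings):
    """Return (verdict, sorted traits) for one sample."""
    traits = manifest_traits(manifest_xml) | string_traits(strings)
    if "accessibility_service" in traits and traits & {"ui_automation_prompt", "llm_api_host"}:
        verdict = "escalate"   # screen control plus LLM plumbing in one app
    elif {"accessibility_service", "boot_receiver"} <= traits:
        verdict = "review"     # common in spyware, also in some legitimate apps
    else:
        verdict = "no_match"
    return verdict, sorted(traits)

# Constructed sample input (hypothetical package and class names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <application>
    <service android:name=".UiService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
SAMPLE_STRINGS = [
    "You are an Android automation assistant. The user will give you the UI XML data",
    "Current UI XML: ", "IN_PROGRESS", "LONG_CLICK",
    "https://generativelanguage.googleapis.com/",
]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

A "review" verdict alone is weak evidence, since accessibility tools and password managers can declare the same two components; the LLM artifacts are what separate this pattern from ordinary Accessibility abuse.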

Spyware Capabilities: What PromptSpy Actually Steals

The AI persistence trick gets the headlines, but PromptSpy's core functionality is straightforward, aggressive spyware. Once the VNC channel is established and Accessibility permissions are in place, the malware operators can do the following through their C&C connection:

  1. Full remote device control: View the victim's screen in real time and perform taps, swipes, gestures, and text input as if physically holding the phone.
  2. Lockscreen credential theft: Intercept the victim's PIN or password as it's entered on the lockscreen.
  3. Pattern unlock recording: Record the screen as video specifically to capture the device's unlock pattern.
  4. App inventory exfiltration: Upload the full list of installed applications to the C&C server.
  5. On-demand screenshots: Take screenshots whenever the server requests them.
  6. Targeted screen recording: Record screen activity and user gestures for specific apps designated by the server — likely banking or financial applications.
  7. Device state monitoring: Report whether the screen is on or off and which app is currently in the foreground.

The Gemini API key itself is received from the C&C server, not hardcoded in the app. This means the attackers can rotate keys if one gets revoked without needing to push a malware update.

Banking Trojan Indicators

The combination of Chase Bank impersonation, targeted screen recording for server-specified apps, lockscreen credential theft, and regional targeting of Argentina all point to financially motivated operations. ESET also found a companion phishing app (Android/Phishing.Agent.M) signed with the same developer certificate, which they strongly suspect serves as an initial stage designed to lead victims toward installing PromptSpy — further reinforcing the banking fraud angle.

Anti-Removal: Invisible Walls Around the Uninstall Button

PromptSpy doesn't just persist — it actively fights to stay installed. The anti-removal mechanism is nasty in its simplicity. When a victim tries to uninstall the app or disable Accessibility Services, the malware detects the attempt and overlays transparent, invisible rectangles over specific UI buttons. These invisible overlays sit on top of any button whose text contains substrings like "stop," "end," "clear," or "Uninstall."

The victim taps what they think is the Uninstall button. They're actually tapping an invisible overlay that does nothing, or redirects the interaction. The real button never receives the touch event. The victim thinks the button is broken. The malware stays put.

The only way to remove PromptSpy is to reboot the device into Safe Mode, where all third-party apps are disabled and can't interfere with the uninstall process. In Safe Mode, the malware can't run its Accessibility Service overlay trick, so you can actually reach the real Uninstall button. This isn't something the average user is going to figure out on their own, which is exactly the point.

Attribution and Targeting

ESET's analysis points to Chinese-speaking developers. The malware contains debug strings written in simplified Chinese and includes handling code for Chinese Accessibility event types — a debug method that was disabled but not removed from the codebase. This leftover code was designed to provide localized Chinese explanations for accessibility events, making the logs readable for Chinese-speaking developers. ESET assesses with medium confidence that PromptSpy was built in a Chinese-speaking development environment.

The targeting, however, appears to be Argentina. The distribution domain, the Spanish-language phishing pages, the MorganArg app name, and the VirusTotal upload origin all point to a campaign focused on Argentine banking customers. This pattern — Chinese-developed malware targeting Latin American financial institutions — isn't new, but the AI component certainly is.

The Bigger Picture: AI-Assisted Malware Is Here

Let's put this in context. PromptSpy isn't the first time ESET has found AI-powered malware. In August 2025, they discovered PromptLock — which they described as the first known case of AI-driven ransomware. It's worth noting that PromptLock was later revealed to be a proof-of-concept created by a team of researchers at NYU's Tandon School of Engineering, not operational malware deployed in the wild. ESET acknowledged the finding after the researchers came forward but maintained that the samples still represented a first for AI-powered ransomware. On February 12, 2026, Google Threat Intelligence published an updated AI Threat Tracker report confirming that state-sponsored hackers from China, Iran, North Korea, and Russia are using Gemini across nearly every stage of the attack lifecycle — from reconnaissance and phishing lure creation to C2 development, malware coding, and data exfiltration. And researchers at Dr.WEB recently found Android.Phantom, which uses TensorFlow ML models to analyze screenshots for automated ad fraud.

But PromptSpy crosses a line. Previous uses of ML in malware were narrow — image classification for ad fraud, pre-trained models for specific tasks. PromptSpy uses a general-purpose generative AI model to reason about an arbitrary screen state and produce novel interaction sequences on the fly. It doesn't need to be retrained. It doesn't need device-specific adaptations. It just asks the AI what to do and follows the instructions.

"Since Android malware often relies on UI navigation, leveraging generative AI enables the threat actors to adapt to more or less any device, layout, or OS version, which can greatly expand the pool of potential victims." — Lukáš Štefanko, ESET

Right now, Gemini is only being used for persistence — one feature in a larger spyware package. But the underlying concept is portable to anything that involves navigating a UI: stealing credentials from banking apps, navigating security settings to disable protections, granting itself additional permissions, interacting with two-factor authentication prompts, or exfiltrating data from messaging apps. If the malware can see the screen and control touch events, a sufficiently capable LLM can tell it what to do in any context. The fragmentation problem that has historically limited Android malware becomes irrelevant when an AI handles the navigation.

Google responded to the disclosure by noting that no apps containing this malware are found on Google Play, and that Play Protect automatically blocks known versions. But that response addresses the current samples, not the technique. The technique is the threat. And the technique works with any LLM API — Gemini today, something else tomorrow.

How to Protect Yourself

PromptSpy was never distributed through Google Play, which means it targets users who install apps from external sources. Here's what actually protects you:

  1. Don't sideload apps. Full stop. If it's not on Google Play or a trusted enterprise deployment, it doesn't belong on your device. No legitimate bank is going to ask you to download an APK from a random domain.
  2. Keep Google Play Protect enabled. It's on by default. Don't disable it. Google has confirmed it detects known PromptSpy variants.
  3. Treat Accessibility Service requests as a red flag. Legitimate apps rarely need Accessibility permissions. If an app you just installed immediately asks for Accessibility access, that's the single biggest warning sign of a malicious application. Deny it.
  4. Know how Safe Mode works. If you suspect your device is compromised and can't uninstall an app, reboot into Safe Mode. On many devices, this involves holding the power button, then long-pressing the "Power off" option — but the exact method varies significantly between manufacturers and models (Samsung, Xiaomi, and OnePlus all have slightly different procedures, so check your device's documentation). Third-party apps are disabled in Safe Mode, allowing you to uninstall malware that is otherwise blocking removal.
  5. Verify banking apps independently. If you receive any link or prompt to download a banking app, go directly to your bank's official website or the Google Play Store. Never trust a link from a text, email, or third-party website.
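
Items 1 and 3 combine into one device audit: which third-party apps that did not come from Google Play currently hold an enabled Accessibility service. The following is an added example, not from ESET or the original article. It parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`; the sample output and package names are constructed.

```python
import re

PLAY_INSTALLER = "com.android.vending"

def parse_enabled_services(setting_value):
    """Map package -> service classes from the colon-separated setting value."""
    services = {}
    value = setting_value.strip()
    if value in ("", "null"):          # nothing enabled
        return services
    for component in value.split(":"):
        package, _, cls = component.partition("/")
        services.setdefault(package, []).append(cls)
    return services

def parse_installers(pm_output):
    """Map third-party package -> installer from `pm list packages -3 -i`."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers

def sideloaded_accessibility_apps(setting_value, pm_output, trusted=(PLAY_INSTALLER,)):
    """Return (package, installer, classes) for untrusted-source apps with an
    enabled Accessibility service. Packages absent from the -3 listing are
    preinstalled system apps and are skipped."""
    installers = parse_installers(pm_output)
    findings = []
    for package, classes in sorted(parse_enabled_services(setting_value).items()):
        if package not in installers:
            continue
        if installers[package] not in trusted:
            findings.append((package, installers[package], classes))
    return findings

# Constructed sample output (hypothetical package names).
SAMPLE_SETTING = (
    "com.example.screenreader/.ReaderService:"
    "com.example.passwords/.FillService:"
    "com.example.sideloaded/.CoreService"
)
SAMPLE_PM = """package:com.example.passwords  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.example.game  installer=com.android.vending
"""

if __name__ == "__main__":
    for package, installer, classes in sideloaded_accessibility_apps(SAMPLE_SETTING, SAMPLE_PM):
        print(f"{package} (installer={installer}) holds {classes}")
```

In a managed fleet, pass the enterprise store's installer package in `trusted` so approved deployments are not flagged.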

Key Takeaways

  1. Generative AI is now embedded in active malware. PromptSpy is the first confirmed Android malware using a generative AI model at runtime. It's not a concept — it's real samples on VirusTotal with a distribution infrastructure behind them.
  2. The Android fragmentation problem just became an attacker advantage. By outsourcing UI navigation to an LLM, malware no longer needs device-specific scripts. One prompt works across every Android manufacturer, skin, and OS version.
  3. AI abuse goes beyond content generation. The conversation around AI-powered attacks has focused on phishing emails and deepfakes. PromptSpy shows that LLMs can be used for real-time operational decision-making inside malware — a fundamentally different and more dangerous application.
  4. Accessibility Services remain the Achilles' heel. Almost everything PromptSpy does — the AI-guided interactions, the VNC control, the invisible anti-removal overlays — depends on Accessibility Service permissions. Denying this permission kills the entire attack chain.
  5. This is just the beginning. PromptSpy uses AI for a single feature: persistence. But the feedback loop it demonstrates — screen dump, AI reasoning, action execution, verification — can be applied to any on-device task. Future variants will almost certainly expand the AI's role.

PromptSpy is proof that the threat landscape has crossed a threshold. Malware that can reason about its environment, adapt to unknown interfaces, and make autonomous decisions is no longer speculative — it's shipping. The AI model and the prompt are hardcoded and can't be changed in this version, which limits flexibility. But those are engineering constraints that get solved in the next iteration. The architectural pattern — AI agent as malware co-pilot — is established. And it's going to get worse from here.

Indicators of Compromise

ESET has published a full list of IoCs, file hashes, network indicators, and a MITRE ATT&CK mapping (covering T1398, T1541, T1516, T1417.002, T1426, T1418, T1513, T1663, T1521.001, and T1646) in their GitHub IoC repository. Defenders should use these to update detection rules and monitor for related activity.

Sources: ESET Research / WeLiveSecurity, BleepingComputer, The Hacker News, SecurityWeek
