PromptSpy – First Known Android AI Malware Uses Google’s Gemini for Decision-making

The first known Android malware family to weaponize a generative AI model, specifically Google’s Gemini, as part of its active execution flow. Discovered in February 2026, the malware represents a significant evolutionary step in mobile threats and follows ESET’s earlier identification of PromptLock, the first AI-powered ransomware, in August 2025.

PromptSpy, uncovered by ESET researcher Lukas Stefanko, traces its origins back to an earlier variant internally dubbed VNCSpy, with three samples appearing on VirusTotal on January 13, 2026, uploaded from Hong Kong.

By February 10, 2026, four more advanced samples incorporating the Gemini AI component were uploaded from Argentina, prompting ESET to designate the full family PromptSpy.

The malware is distributed under the disguise of a Chase Bank-themed Android app called MorganArg a likely abbreviation for “Morgan Argentina” via the now-offline distribution domain mgardownload[.]com, impersonating a login portal for JPMorgan Chase Bank N.A.

Although no infections have been detected in ESET’s telemetry, the existence of this dedicated distribution infrastructure suggests real-world deployment intent.

Debug strings and code written in simplified Chinese, along with localized Chinese Accessibility event-type handlers, indicate with medium confidence that PromptSpy was developed in a Chinese-speaking environment.

Traditional Android malware relies on hardcoded screen coordinates or fixed UI selectors to automate gesture methods that routinely fail across different device manufacturers, screen sizes, or Android OS versions.

PromptSpy sidesteps this limitation entirely by sending Gemini a natural-language prompt alongside an XML dump of the device’s live UI, exposing each element’s text, type, and precise screen bounds.

Gemini processes this information and returns JSON-formatted tap and swipe instructions, enabling PromptSpy to execute the device-specific “lock app in recent apps” gesture, pinning the malicious MorganArg app in the multitasking view with a padlock icon so it cannot be swiped away or killed by the system.

This interaction operates as a continuous feedback loop: PromptSpy submits updated UI context after each action, Gemini returns the next step, and the cycle terminates only when the AI confirms the app has been successfully locked.

The AI model and its hardcoded prompts are static and cannot be modified at runtime, yet the dynamic decision-making they enable allows PromptSpy to adapt to virtually any Android device or OS version, dramatically widening the potential victim pool compared to script-based predecessors.

VNC Module, Capabilities, and Removal

Beyond AI-assisted persistence, PromptSpy’s primary objective is to deploy a built-in VNC module, granting operators full remote control of the victim’s device. It communicates with its hardcoded C&C server over the VNC protocol using AES encryption.

Once Accessibility Services are enabled, the malware can intercept lockscreen PINs and pattern unlocks (captured as video recordings), take on-demand screenshots, log installed applications, record screen activity for attacker-specified apps, and report the current foreground application and screen state.

PromptSpy further abuses Accessibility Services as an anti-removal mechanism, overlaying invisible transparent rectangles over buttons containing substrings such as “stop,” “end,” “clear,” and “Uninstall,” silently intercepting the victim’s taps. The only effective removal method is rebooting into Safe Mode and navigating to Settings → Apps → MorganArg.

PromptSpy has never appeared on Google Play, and ESET shared its findings with Google through the App Defense Alliance; Google Play Protect automatically protects Android users against known versions of this malware.

Indicators of Compromise (IOCs)

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.