Executive Summary

Publication Date: February 19, 2026

The emergence of PromptSpy marks a pivotal moment in the evolution of Android malware, as it is the first known threat to leverage generative AI—specifically Google’s Gemini model—to automate persistence and evade removal. Discovered by ESET researchers, PromptSpy demonstrates how attackers can harness advanced AI capabilities to adapt to diverse device environments, automate complex UI interactions, and resist traditional detection and remediation techniques. This report provides a comprehensive analysis of PromptSpy’s technical mechanisms, security implications, and the broader impact on the cybersecurity landscape.

Introduction

The integration of generative AI into malware represents a significant escalation in the sophistication of mobile threats. PromptSpy utilizes Gemini AI to dynamically analyze device screens and automate UI navigation, enabling it to remain persistently active in the recent apps list and resist user attempts at removal. This innovation not only increases the resilience of the malware but also signals a new era in which AI-driven automation can be weaponized by threat actors to bypass conventional security controls.

Technical Analysis of PromptSpy

PromptSpy is engineered with a hardcoded Gemini AI model and prompt, designating the AI as an “Android automation assistant.” The malware transmits a natural language prompt and an XML dump of the current screen—including every UI element’s text, type, and position—to Gemini. In response, Gemini returns JSON-formatted instructions, such as tap or swipe actions, which the malware executes to ensure it remains pinned in the recent apps list. This process continues iteratively until persistence is achieved.

Beyond its AI-driven automation, PromptSpy incorporates a built-in VNC module for remote access, abuses Android’s accessibility services to block uninstallation, captures lockscreen data, takes screenshots, and records screen activity as video. Communication with its command-and-control server is conducted via the VNC protocol, secured with AES encryption. The malware’s infrastructure is anchored by a hardcoded C2 server and is distributed through phishing websites masquerading as legitimate banking applications.

Key Innovations and Differentiators

The defining innovation of PromptSpy lies in its use of generative AI for real-time UI navigation. Traditional Android malware typically relies on hardcoded taps or selectors, which are fragile and easily disrupted by changes in device layouts or operating system versions. By leveraging Gemini, PromptSpy can adapt to virtually any device or UI configuration, significantly expanding its potential victim pool and making its persistence techniques robust against UI changes. This adaptability represents a major leap forward in the operational capabilities of mobile malware.

Security Implications and Potential Risks

The AI-driven adaptability of PromptSpy introduces new challenges for defenders. Its ability to automate UI interactions across a wide range of devices and OS versions complicates detection and removal efforts. The malware’s exploitation of accessibility services to overlay invisible elements on the screen prevents standard uninstallation procedures, forcing users to reboot into Safe Mode to remove the threat. This level of persistence, combined with remote access and data exfiltration capabilities, elevates the risk profile for both individuals and organizations.

Supply Chain and Third-Party Dependencies

PromptSpy is distributed exclusively through dedicated phishing websites, never appearing on Google Play. It masquerades as legitimate applications, such as MorganArg (imitating JPMorgan Chase Argentina), and employs a dropper, a fake banking site, and a C2 server hosted on Amazon infrastructure. The campaign is financially motivated, targeting users in Argentina, and shows signs of development in a Chinese-speaking environment. While there is no evidence of compromise of legitimate supply chain vendors, the use of fake apps and phishing underscores the importance of robust third-party risk management.

Security Controls and Compliance Requirements

Protection against known versions of PromptSpy is provided by Google Play Protect, which is enabled by default on devices with Google Play Services. However, since the malware is distributed outside official channels, organizations must enforce policies that restrict app installations from unknown sources and monitor for abuse of accessibility services. Continuous user education and vigilant monitoring are essential to mitigate the risk posed by such advanced threats.

Industry Adoption and Integration Challenges

While PromptSpy is not yet widespread and may represent a proof of concept, its discovery signals the beginning of a new era of AI-powered malware. The use of generative AI for real-time UI manipulation is likely to be adopted by other threat actors, increasing the sophistication and adaptability of future malware campaigns. Organizations must prepare for the integration challenges posed by AI-driven threats and adapt their security strategies accordingly.

Vendor Security Practices and Track Record

The infrastructure supporting PromptSpy leverages cloud hosting services, such as Amazon, and is distributed via domains registered specifically for the campaign. Although there is no indication of compromise of legitimate vendors, the campaign’s reliance on fake banking apps and phishing sites highlights the necessity for comprehensive vendor and third-party risk management practices.

Technical Specifications and Requirements

PromptSpy requires installation from unknown sources, necessitating user intervention to enable this setting. It abuses Android Accessibility Services for UI automation and anti-removal measures, communicates with its C2 server via the VNC protocol with AES encryption, and contains a hardcoded Gemini API key and prompt. Distribution occurs through APK files hosted on phishing websites, further emphasizing the importance of restricting installations from untrusted sources.

Cyber Perspective

From a cybersecurity standpoint, PromptSpy represents a paradigm shift in mobile malware development. By integrating generative AI, attackers can automate complex, context-aware interactions, making malware more resilient to UI changes and significantly harder to detect or remove. This approach is likely to be emulated by other malware families, increasing the risk to both organizations and individuals. Defenders must evolve their strategies by monitoring for unusual accessibility service usage, restricting app installations, and enhancing behavioral detection capabilities. The use of AI in malware also raises concerns about the rapid evolution of threats and the increased targeting of supply chain and third-party dependencies, particularly as attackers exploit cloud infrastructure and phishing techniques to distribute malicious payloads.

About Rescana

Rescana provides advanced Third-Party Risk Management (TPRM) solutions designed to help organizations identify, assess, and mitigate risks associated with third-party vendors and supply chain dependencies. Through continuous monitoring, automated risk assessments, and robust compliance checks, Rescana empowers organizations to stay ahead of emerging threats and ensure that their vendors and partners maintain the highest security standards. In an era of rapidly evolving cyber risks, Rescana is committed to helping you build a resilient and secure ecosystem.

For further information or to discuss how we can support your organization, please contact us at ops@rescana.com.