PromptSpy Android Malware Abuses Gemini AI to Automate Recent-Apps Persistence

• PromptSpy Android Malware Abuses Gemini AI to Automate Recent-Apps Persistence Cybersecurity researchers have discovered what they say is the first Android malware that abuses Gemini, Google’s generative artificial intelligence (AI) chatbot, as part of its execution flow and achieves persistence. • The malware has been codenamedPromptSpyby ESET. • The malware is equipped to capture lockscreen data, block uninstallation efforts, gather device information, take screenshots, and record screen activity as video. • “Gemini is used to analyze the current screen and provide PromptSpy with step-by-step instructions on how to ensure the malicious app remains pinned in the recent apps list, thus preventing it from being easily swiped away or killed by the system,” ESET researcher Lukáš Štefankosaidin a report published today. • “Since Android malware often relies on UI navigation, leveraging generative AI enables the threat actors to adapt to more or less any device, layout, or OS version, which can greatly expand the pool of potential victims.” Specifically, this involves hard-coding the AI model and a prompt in the malware, assigning the AI agent the persona of an “Android automation assistant.” It sends Gemini a natural language prompt along with an XML dump of the current screen that gives detailed information about every UI element, including its text, type, and exact position on the display. • Gemini then processes this information and responds with JSON instructions that tell the malware what action to perform (e.g., a tap) and where to perform it.

Article Summaries:

• Cybersecurity firm ESET has identified PromptSpy, the first Android malware to exploit Google’s Gemini AI chatbot for persistence. PromptSpy captures lock‑screen data, blocks uninstallation, and records screen activity while using Gemini to analyze the device’s UI and issue step‑by‑step JSON commands that keep the malicious app pinned in the recent‑apps list. The malware leverages Android accessibility services, a built‑in VNC module, and a hard‑coded C2 server (54.67.2.84) to receive the Gemini API key and remote‑control the device. Distributed via a dedicated website, the campaign appears financially motivated, targeting users in Argentina and developed in a Chinese‑speaking environment.
• ESET researchers have identified PromptSpy, the first Android malware that uses generative AI during execution. The payload installs a VNC module, enabling remote control, and harvests device data, lock‑screen PINs, unlock patterns, and screenshots. For persistence, PromptSpy sends an XML file describing on‑screen UI elements to Google’s Gemini chatbot, which returns JSON instructions telling the malware where to tap or swipe to add itself to the recent‑apps list. The malware also abuses Accessibility Services to block uninstallation by overlaying invisible rectangles over “Uninstall” and similar buttons. Removal is only possible in Safe Mode. No wild infections have been reported, but a domain targeting Argentine users suggests a proof‑of‑concept release, likely by Chinese developers.

Sources:

• https://thehackernews.com/2026/02/promptspy-android-malware-abuses-google.html
• https://www.securityweek.com/promptspy-android-malware-abuses-gemini-ai-at-runtime-for-persistence/