PromptSpy: The Android Malware That Hired Google's AI as Its Personal Assistant

We've been warning for years that AI would eventually land in the hands of malware developers. Congratulations, the future has officially arrived. Security researchers at ESET have discovered an Android malware strain that uses Google's own Gemini AI chatbot to figure out how to stay alive on your device. They've dubbed it PromptSpy, and it represents a genuinely unsettling evolution in mobile threats.

The concept is deceptively elegant. Traditional Android malware relies on hardcoded instructions to navigate device interfaces, tap specific buttons, and manipulate system settings. The problem with that approach is Android fragmentation. With thousands of device manufacturers shipping their own skins, layouts, and quirks on top of various Android versions, hardcoding UI interactions is like trying to write driving directions for every road in America. You're going to miss a few turns.

PromptSpy's developers found a shortcut. Instead of mapping every possible UI configuration, they simply ask Gemini to figure it out for them. The malware captures an XML dump of whatever screen is currently displayed, packages it up with a natural language prompt, and sends it off to Google's AI. Gemini analyzes the screen elements, determines where to tap, and responds with JSON instructions that tell the malware exactly what to do. The malware then executes those instructions through Android's accessibility services, no human input required.

According to ESET researcher Lukáš Štefanko, the AI is assigned the persona of an "Android automation assistant" through the malware's hardcoded prompt. The multi-step interaction continues as a conversation, with Gemini receiving updated screen snapshots and responding with fresh instructions until the malware achieves its goal. In this case, that goal is ensuring the malicious app remains pinned in the recent apps list, preventing users from swiping it away or letting the system kill it. It's persistence through conversation.

The implications here extend far beyond this single malware sample. By offloading UI navigation to a generative AI, threat actors have essentially solved the Android fragmentation problem overnight. It doesn't matter if you're running a Samsung with One UI, a Pixel with stock Android, or some budget phone running an ancient custom ROM. If Gemini can see the screen and understand the elements, it can tell the malware how to navigate it. One malware, infinite devices.

Once PromptSpy has entrenched itself on a victim's device, it deploys a built-in VNC module that grants attackers remote access. This isn't your garden-variety info-stealer. The operators can take screenshots on demand, record screen activity as video, intercept lockscreen PINs and passwords, and even capture pattern unlock screens. All the data flows back to a hardcoded command-and-control server via VNC protocol. The attackers aren't just stealing your data; they're watching everything you do in real time.

The malware also abuses accessibility services to make itself nearly impossible to remove. When a user tries to uninstall it, PromptSpy throws up invisible overlays that block the uninstallation interface. You can tap the screen all day and nothing happens because you're actually tapping an invisible barrier the malware placed there. The only reliable way to remove it is to reboot the device into Safe Mode, where third-party apps are disabled and the malware's defenses go offline.

ESET's analysis suggests the campaign is financially motivated and primarily targets users in Argentina. The distribution mechanism is a dedicated website rather than Google Play, which means victims are being lured through phishing or malicious ads rather than stumbling across the app in an official store. The dropper masquerades as a JPMorgan Chase-related app called "MorganArg," a reference to Morgan Argentina. When installed, it prompts users to enable installation from unknown sources and then deploys the full PromptSpy payload as an "update."

Interestingly, the malware's debug strings are written in simplified Chinese, suggesting the developers operate from a Chinese-speaking environment. However, the targeting of Argentine users and the Spanish-language social engineering elements indicate a financially motivated operation rather than state-sponsored activity. PromptSpy appears to be an evolution of an earlier malware called VNCSpy, samples of which first appeared on VirusTotal last month from Hong Kong.

The technical creativity here is genuinely impressive, which makes it all the more dangerous. Traditional security tools look for known behaviors, signatures, and patterns. But when a malware can dynamically figure out how to navigate any interface it encounters by simply asking an AI, those static defenses start looking pretty inadequate. You can't write a rule for "whatever Gemini decides to do."

This also raises uncomfortable questions about Google's responsibility. The Gemini API key used by PromptSpy is retrieved from the command-and-control server, meaning the attackers are using Google's own infrastructure to power their malware. While Google didn't design Gemini to be a malware assistant, the API doesn't exactly ask why you want step-by-step instructions for keeping an app pinned in memory. There's no "are you a malware author" checkbox.

For Android users, the defensive advice remains frustratingly familiar. Don't install apps from random websites. Don't grant accessibility permissions to apps that don't obviously need them. Keep Google Play Protect enabled. And if you're in Argentina receiving emails about your JPMorgan account, maybe don't click that link. The same boring hygiene rules we've been preaching for a decade still apply. They're just more important now that the adversaries have AI help.

For security teams and defenders, PromptSpy represents a signal that AI-augmented malware has moved from theoretical concern to production reality. The malware analyzed by ESET is likely an early, relatively unsophisticated example of what's coming. Future variants will be harder to detect, more adaptive, and capable of achieving objectives that current defensive tools aren't designed to anticipate. The window between "interesting research paper" and "we're seeing this in the wild" has collapsed to basically nothing.

We've entered an era where malware can think, adapt, and solve problems in real time. PromptSpy hired Google's AI as its personal assistant, and it works surprisingly well. The question now isn't whether we'll see more AI-powered threats, but how quickly they'll evolve and whether our defenses can keep pace. Based on what ESET found this week, the attackers have a head start.