SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
Story 299483

Android PromptSpy malware harnesses Gemini for stealth

Fri, 20th Feb 2026

ESET researchers have identified an Android malware family dubbed PromptSpy that uses generative AI to help it persist on infected devices.

The malware uses Google's Gemini model to interpret what appears on screen and return instructions for user interface gestures. It uses those instructions to keep the malicious app in the recent apps list, making it harder for a user to remove by swiping it away or relying on normal system behaviour.

The AI component is separate from PromptSpy's core remote-access functionality. The malware includes a built-in Virtual Network Computing (VNC) module that gives attackers remote visibility of the device screen and lets them perform actions on the handset. It can also capture lockscreen data, collect device information, take screenshots, and record the screen as video.

ESET described this as the first known Android malware sample observed using generative AI in this way, calling it a notable shift in how malware can cope with differences across Android devices.

"Since Android malware often relies on UI-based navigation, leveraging generative AI enables threat actors to adapt to more or less any device, layout, or operating system version, which can greatly increase the pool of potential victims," said Lukáš Štefanko, an ESET researcher.

How it works

Android users often interact with a recent apps screen that shows running applications. Many Android launchers also offer an option to pin an app in the recent apps list, sometimes represented by a padlock icon in the multitasking view. PromptSpy uses Gemini to identify interface elements and provide step-by-step instructions for the gesture sequence that keeps the app "locked" in that view.

The model and prompt are predefined in the malware code and cannot be changed, which limits an attacker's ability to adjust the prompt without rebuilding or updating the malware.

Generative AI appears limited to this persistence feature rather than PromptSpy's main remote-access function. Even so, it points to a way for attackers to automate interactions that have often relied on brittle scripting and device-specific assumptions.

"Even though PromptSpy uses Gemini in just one of its features, it still demonstrates how implementing these tools can make malware more dynamic, giving threat actors ways to automate actions that would normally be more difficult with traditional scripting," Štefanko said.

Distribution and targeting

PromptSpy has been distributed through a dedicated website and has not been available on Google Play. ESET shared its findings with Google through the App Defence Alliance channel.

Google Play Protect blocks known versions of the malware on Android devices that ship with Google Play Services, according to ESET. Play Protect is enabled by default on those devices.

ESET's analysis points to a financially motivated campaign primarily focused on users in Argentina, based on language localisation clues and observed distribution vectors. It also noted that PromptSpy has not appeared in its telemetry, raising the possibility that the operation remains limited or that it is a proof of concept.

The malware appears to impersonate a banking brand. The app is named MorganArg, and its icon appears inspired by Morgan Chase. MorganArg also shows up as the name of a cached website, supporting the suggestion of regional targeting around Argentina.

Blocking removal

PromptSpy uses Android Accessibility Services and screen overlays to resist removal. It can block uninstallation by placing invisible elements over parts of the screen, interfering with user taps and navigation during the uninstall process.

ESET's suggested workaround is to reboot into Safe Mode, which disables third-party apps and can allow users to uninstall the malicious application without the overlays running. The typical route involves holding the power button, long-pressing Power off, and confirming the Reboot to Safe Mode prompt, though steps vary by device and manufacturer. After restarting in Safe Mode, users can go to Settings, then Apps, select MorganArg, and uninstall it.
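A defender-side triage check for the two footholds described above (an enabled Accessibility Service plus permission to draw over other apps), added here as an example and not part of ESET's or SecurityBrief's material. It parses constructed samples of the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`; `example.morganarg` is a hypothetical package name standing in for the MorganArg app, and the allowlist is an assumption.

```python
import re

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# First entry is Android's TalkBack screen reader; "example.morganarg" is a
# hypothetical package name standing in for the MorganArg app from the article.
ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "example.morganarg/example.morganarg.AccessService"
)

# Constructed samples of `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`, keyed by package.
APPOPS_BY_PKG = {
    "com.google.android.marvin.talkback": "SYSTEM_ALERT_WINDOW: default",
    "example.morganarg": "SYSTEM_ALERT_WINDOW: allow; time=+2h13m4s ago",
}

# Accessibility services the device owner recognises (assumption: only TalkBack is expected).
KNOWN_GOOD_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}


def parse_enabled_services(raw):
    """Split the colon-separated settings value into (package, component) pairs."""
    pairs = []
    for entry in raw.strip().split(":"):
        if "/" in entry:
            pkg, _, _svc = entry.partition("/")
            pairs.append((pkg, entry))
    return pairs


def overlay_mode(appops_output):
    """Extract the SYSTEM_ALERT_WINDOW mode ("allow", "default", "deny"); "none" if absent."""
    m = re.search(r"SYSTEM_ALERT_WINDOW:\s*(\w+)", appops_output)
    return m.group(1) if m else "none"


def triage(raw_services, appops_by_pkg, known_good):
    """Flag packages running an unrecognised accessibility service, noting overlay grants."""
    findings = []
    for pkg, component in parse_enabled_services(raw_services):
        if component in known_good:
            continue
        mode = overlay_mode(appops_by_pkg.get(pkg, ""))
        findings.append({"package": pkg, "service": component, "overlay": mode == "allow"})
    return findings


if __name__ == "__main__":
    for f in triage(ENABLED_SERVICES, APPOPS_BY_PKG, KNOWN_GOOD_SERVICES):
        print(f"{f['package']}: unrecognised accessibility service"
              + (" and may draw over other apps" if f["overlay"] else ""))
```

A package that both runs an unrecognised accessibility service and holds the overlay grant is the one to remove after rebooting into Safe Mode.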

PromptSpy communicates with its command-and-control server using AES encryption, according to ESET. Its feature set includes screen capture and remote control, capabilities commonly associated with account takeovers and fraudulent transactions targeting mobile banking users.

ESET also linked the discovery to earlier work on AI-assisted threats, saying PromptSpy is the second AI-powered malware it has identified, following PromptLock, which it described as an earlier case of AI-driven ransomware.

"The main purpose of PromptSpy is to deploy a built-in VNC module, giving operators remote access to the victim's device. This Android malware also abuses Accessibility Services to block uninstallation with invisible overlays, captures lockscreen data, and records screen activity as video. It communicates with its Command & Control server via AES encryption," said Štefanko.