Cybersecurity researchers say they have identified the first known Android malware to integrate Google’s Gemini artificial intelligence system directly into its operations, using the generative model to help it evade detection and maintain control over infected devices.
A Malware Strain With an AI Core
Cybersecurity researchers at the Slovak firm ESET say they have discovered what appears to be the first Android malware that embeds Google’s generative artificial intelligence chatbot, Gemini, into its execution flow to strengthen its persistence on infected devices.
The malware, which ESET has code-named PromptSpy, is designed to capture lock screen data, block uninstallation attempts, gather device information, take screenshots and record screen activity as video. Its principal objective, according to the researchers, is to deploy a built-in virtual network computing, or VNC, module that grants attackers remote access to a victim’s phone.
What distinguishes PromptSpy, ESET said in a report published Friday, is the way it relies on Gemini to interpret and respond to the visual environment of an Android device in real time.
“Gemini is used to analyze the current screen and provide PromptSpy with step-by-step instructions on how to ensure the malicious app remains pinned in the recent apps list, thus preventing it from being easily swiped away or killed by the system,” Lukáš Štefanko, an ESET researcher, said in the report.
Since Android malware often depends on navigating user interfaces, researchers noted, the integration of generative AI enables attackers to adapt the malicious code to different devices, layouts or operating system versions.
Certified Cyber Crime Investigator Course Launched by Centre for Police Technology
Turning Screenshots Into Instructions
According to ESET’s analysis, PromptSpy hard-codes both the AI model and a specific prompt into the malware itself. The prompt assigns the AI agent the persona of an “Android automation assistant.” The malware then sends Gemini a natural-language request along with an XML dump of the current screen. That XML file provides detailed information about every visible user interface element, including its text, type and exact position on the display.
Gemini processes the data and returns structured JSON instructions directing the malware on what action to perform — such as tapping a specific element — and where to execute it. The interaction can unfold in multiple steps until the application is successfully locked into the device’s recent apps list and cannot be terminated through ordinary gestures.
ESET said the actions suggested by Gemini are carried out through Android’s accessibility services, which allow applications to interact with the device without direct user input. Through this mechanism, PromptSpy can perform screen-based actions dynamically, rather than relying on fixed, hard-coded tap coordinates.
The malware also communicates with a hard-coded command-and-control server — identified in the report as “54.67.2[.]84” — using the VNC protocol. That communication channel enables the attackers to receive a Gemini API key, take screenshots on demand, intercept lock screen PINs or passwords, record screen activity and capture the pattern unlock interface as video.
Distribution and Attribution Clues
ESET researchers said PromptSpy is distributed through a dedicated website and has never been available on the Google Play store. The site “mgardownoad[.]com” is used to deliver a dropper application. Once installed and launched, the dropper opens a web page hosted on “m-mgarg[.]com.” The page masquerades as JPMorgan Chase, using the name “MorganArg,” an apparent reference to Morgan Argentina.
The dropper instructs victims to grant permission to install applications from unknown sources. In the background, the Trojan contacts its server to request a configuration file that includes a link to download another Android application package, presented to the victim in Spanish as an update. By the time researchers examined the infrastructure, the configuration server was no longer accessible, leaving the exact download URL unknown.
An analysis of language localization clues and distribution patterns suggests the campaign is financially motivated and targets users in Argentina. ESET said evidence also indicates the malware was developed in a Chinese-speaking environment, citing the presence of debug strings written in simplified Chinese.
PromptSpy appears to be an advanced iteration of a previously undocumented Android malware strain called VNCSpy. Samples of VNCSpy were first uploaded to the VirusTotal platform last month from Hong Kong, according to the report.
An Evolving Playbook
The findings illustrate how threat actors are beginning to incorporate generative AI tools into their operations in ways that automate tasks traditionally handled through static programming.
Instead of relying on hard-coded taps or device-specific logic, PromptSpy provides the AI model with a live snapshot of the screen and receives tailored, step-by-step interaction instructions in return. That approach allows the malware to adjust to virtually any device, screen size or user interface layout it encounters.
Because PromptSpy overlays invisible elements on the display to prevent its removal, the only reliable method for victims to eliminate the malware, researchers said, is to reboot the device into Safe Mode, where third-party applications are disabled and can be uninstalled.
“PromptSpy shows that Android malware is beginning to evolve in a sinister way,” Mr. Štefanko said in the report. “By relying on generative AI to interpret on-screen elements and decide how to interact with them, the malware can adapt to virtually any device, screen size, or UI layout it encounters.”
The integration of Gemini into the malware’s core operations marks a shift in technique: a move from rigid automation toward systems that can interpret and respond to a device’s visual environment in real time.
