“PromptSpy” Android Malware Abuses Google Gemini AI to Evade Detection
Security researchers have identified what is being described as the first known Android malware to actively abuse a commercial generative AI system at runtime in order to maintain persistence and evade detection. The malware, dubbed PromptSpy, was analyzed by ESET and detailed publicly on February 20, 2026.
Unlike traditional Android banking trojans or spyware strains that rely solely on hardcoded logic, PromptSpy integrates dynamic decision-making by interacting with Google’s Gemini AI. By leveraging a large language model during live execution, the malware is able to interpret user interface structures and adapt its behavior in real time.
How PromptSpy Operates
According to ESET’s technical analysis, PromptSpy combines several established Android abuse techniques with a novel AI-driven component. The malware incorporates a VNC module, enabling remote visual access to infected devices, and abuses Android Accessibility Services to monitor and interact with on-screen elements.
Accessibility Services, originally designed to assist users with disabilities, are frequently abused by mobile malware because they provide broad visibility into screen content and allow simulated user input. PromptSpy uses these capabilities to capture screens, intercept unlock credentials and facilitate remote control.
However, the distinctive feature lies in how the malware interprets what it sees. Rather than relying on static pattern matching to identify buttons or settings menus, PromptSpy extracts the XML structure of active user interface elements and sends this structured data to Google’s Gemini model at runtime.
Abusing Gemini for Real-Time Decision Making
Once the XML representation of the interface is transmitted, the Gemini model analyzes the layout and returns structured JSON instructions. These instructions reportedly include recommended tap coordinates, swipe gestures and navigation actions tailored to the specific device screen and application state.
The malware then executes these instructions locally. This approach allows PromptSpy to dynamically locate system controls such as recent apps, settings menus and uninstall prompts even if their layout differs between devices or Android versions.
By outsourcing interface interpretation to a generative AI model, the malware effectively reduces the need for hardcoded device-specific logic. Security analysts note that this represents a shift toward adaptive malware that can respond to environmental variability with minimal developer updates.
Persistence and Uninstallation Resistance
PromptSpy leverages Gemini-generated instructions to maintain its presence in the device’s recent apps list and actively interfere with removal attempts. When users navigate toward the application settings page in an attempt to uninstall the malware, the malicious code can trigger automated gestures that redirect the user or close the settings window.
Researchers reported that removal in some cases required booting the device into Safe Mode. In standard operating conditions, the malware’s automated interactions can repeatedly block or interrupt uninstallation workflows.
This behavior highlights a troubling development. Rather than merely hiding, the malware actively defends itself by interpreting user actions and responding intelligently, guided by AI-assisted analysis of the interface.
Credential Theft and Remote Control Capabilities
Beyond persistence mechanisms, PromptSpy functions as a fully capable remote access trojan. The integrated VNC module allows operators to observe device screens in real time. Combined with captured unlock credentials and accessibility monitoring, attackers can gain comprehensive control over compromised smartphones.
This capability enables a range of malicious outcomes, including financial fraud, account takeover and surveillance. Because the malware interacts with applications through legitimate system services, traditional signature-based detection may struggle to differentiate malicious automation from legitimate accessibility usage.
Implications for Mobile Security
The emergence of PromptSpy signals a broader evolution in malware design. By integrating generative AI into operational workflows, threat actors can create more flexible and resilient code. Adaptive interface analysis reduces the effectiveness of static defensive assumptions and complicates behavioral detection models.
Security professionals warn that this development could extend beyond Android. As generative AI platforms become more accessible, attackers may increasingly incorporate real-time model queries to guide exploitation decisions across different operating systems.
Defenders are encouraged to monitor abnormal Accessibility Service usage, restrict sideloaded application permissions and enforce mobile device management policies that limit unauthorized remote control modules. Visibility into outbound connections to AI service endpoints may also become an important investigative signal.
The discovery by ESET underscores a pivotal moment in the intersection of artificial intelligence and cybercrime. Generative models are no longer merely targets of misuse through prompt injection or data poisoning. They are now being weaponized as operational components within active malware campaigns.