PromptSpy: First Android Malware Abusing Generative AI for UI Manipulation Discovered
ESET researchers have uncovered PromptSpy, the first Android malware to leverage generative AI (Google Gemini) for context-aware UI manipulation to achieve persistence and deploy a VNC module for remote device access.

ESET researchers have uncovered the first known Android malware that abuses generative AI for context-aware user interface manipulation. Dubbed PromptSpy, this malware uses Google's Gemini AI model to dynamically analyze on-screen elements and provide step-by-step instructions for keeping the malicious app pinned in the recent apps list, preventing removal. This marks a significant evolution in mobile malware, as it adapts to different devices and OS versions without hardcoded coordinates.
The malware's primary purpose is to deploy a built-in VNC module, giving operators remote access to the victim's device. It also abuses the Accessibility Service to block uninstallation with invisible overlays, capture lockscreen data, and record video. Communication with its command-and-control server occurs via the VNC protocol, using AES encryption for stealth.
PromptSpy was discovered in two versions. The first, named VNCSpy, appeared on VirusTotal on January 13, 2026, uploaded from Hong Kong. On February 10, 2026, four more advanced samples were uploaded from Argentina, incorporating the Gemini AI integration. The campaign appears financially motivated, primarily targeting users in Argentina, with distribution via a dedicated website rather than Google Play.
The AI-powered functionality is limited to achieving persistence, but it demonstrates how generative AI can make malware more adaptable. Traditional Android malware relies on hardcoded screen coordinates or UI selectors, which break across different devices and OS versions. PromptSpy sends Gemini a natural-language prompt along with an XML dump of the current screen, receiving JSON instructions for precise actions like taps. This feedback loop continues until the app is successfully locked in the recent apps list.
ESET notes that PromptSpy has not yet been observed in its telemetry, suggesting it may be a proof of concept. However, the discovery of a likely distribution domain indicates active targeting. As an App Defense Alliance partner, ESET shared its findings with Google, and Google Play Protect automatically protects against known versions. This discovery follows ESET's earlier finding of PromptLock, the first AI-driven ransomware, in August 2025.
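Two traits the article attributes to PromptSpy are useful for defenders: it relies on an enabled Accessibility Service, and it is distributed from a website rather than Google Play. The following triage helper, added here as an illustration and not part of ESET's research or tooling, combines those two signals: it parses the output of `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services` and flags any package holding an enabled accessibility service that was not installed by the Play store. The device output below is constructed, and every package and service name in it is a placeholder, not an indicator from the article.

```python
"""Triage helper: flag sideloaded Android apps that hold an enabled
Accessibility Service. Added illustration for this article, not ESET's
tooling. The device output below is constructed and the package names are
placeholders, not real indicators of PromptSpy."""
import re

# Constructed output in the shape of `adb shell pm list packages -i`
# (one "package:<name>  installer=<pkg|null>" line per app).
SAMPLE_PACKAGES = """\
package:com.android.vending  installer=null
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.example.sideloaded.tool  installer=null
package:com.example.browserinstalled  installer=com.android.chrome
"""

# Constructed output in the shape of
# `adb shell settings get secure enabled_accessibility_services`
# (colon-separated "<package>/<service class>" entries).
SAMPLE_A11Y = (
    "com.example.sideloaded.tool/.RemoteControlService:"
    "com.google.android.marvin.talkback/.TalkBackService"
)

# Installer packages treated as trusted; com.android.vending is Google Play.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_installers(text):
    """Map package name -> installer package (None when reported as null)."""
    installers = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers


def parse_a11y(text):
    """Return the set of packages that own an enabled accessibility service."""
    pkgs = set()
    for entry in text.strip().split(":"):
        if "/" in entry:
            pkgs.add(entry.split("/", 1)[0])
    return pkgs


def suspicious_packages(packages_text, a11y_text, trusted=TRUSTED_INSTALLERS):
    """Flag accessibility-enabled packages not installed by a trusted store.

    Note: preinstalled system apps also report installer=null, so output is a
    triage list to review, not a verdict."""
    installers = parse_installers(packages_text)
    flagged = []
    for pkg in sorted(parse_a11y(a11y_text)):
        if pkg not in installers:
            flagged.append((pkg, "not present in package list"))
        elif installers[pkg] not in trusted:
            flagged.append((pkg, f"installer={installers[pkg]}"))
    return flagged


if __name__ == "__main__":
    for pkg, reason in suspicious_packages(SAMPLE_PACKAGES, SAMPLE_A11Y):
        print(f"REVIEW {pkg}: accessibility service enabled, {reason}")
```

On a real device, feed the helper the two `adb shell` outputs instead of the constructed samples; a hit is a prompt to inspect the app's permissions, installation source and network behaviour, not proof of compromise.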
The emergence of PromptSpy highlights a growing trend of AI-powered malware that can dynamically adapt to its environment. While the current implementation is limited, it sets a precedent for future threats that may leverage generative AI for more complex malicious tasks, such as automated social engineering or adaptive evasion techniques.