Security News

Cybersecurity news aggregator

MEDIUM Attacks SecurityWeek

PromptSpy Android Malware Abuses Gemini AI at Runtime for Persistence

  • What: A new Android malware named PromptSpy uses Google's Gemini AI to analyze on-screen elements for persistence, ensuring it remains on the device after a reboot.
  • Impact: Compromised Android devices are fully controlled by the malware operators, who can view the screen, collect device information, capture lockscreen PIN/password, record the screen to obtain the unlock pattern, and take screenshots.
Read Full Article →

MALWARE & THREATS

PromptSpy Android Malware Abuses Gemini AI at Runtime for Persistence

The malware leverages Gemini to analyze on-screen elements and ensure that it remains on the device even after a reboot.

By Eduard Kovacs | February 20, 2026 (2:06 AM ET)

Researchers at ESET have analyzed what they describe as the first Android malware to leverage generative AI during its execution.

Named PromptSpy, the malware deploys a VNC module on compromised systems, enabling its operators to view the victim's screen and take full control of the Android device. In addition, PromptSpy can collect device information, capture the lockscreen PIN or password, record the screen to obtain the device's unlock pattern, and take screenshots.

For persistence, the Android malware uses a novel approach at runtime that involves sending a prompt to Google's Gemini gen-AI chatbot along with an XML file containing data about the various UI elements displayed on the screen, including their type, text, and position. Gemini uses this information to tell PromptSpy, via JSON instructions, where to tap or swipe on the screen in order to add the malware to the list of recent apps. The malware can interact with the device and perform the gestures recommended by the AI chatbot by abusing Android's Accessibility Services.

"The malware saves both its previous prompts and Gemini's responses, allowing Gemini to understand context and to coordinate multistep interactions," ESET researchers explained.

By locking itself in the recent apps list, the malware ensures persistence across device reboots.

PromptSpy also abuses Accessibility Services to prevent removal. ESET researchers explained, "When the user attempts to uninstall the payload or disable Accessibility Services, the malware overlays transparent rectangles on specific screen areas – particularly over buttons containing substrings like stop, end, clear, and Uninstall. These overlays are invisible to the user but intercept interactions, making removal difficult."

"Because PromptSpy blocks uninstallation by overlaying invisible elements on the screen, the only way for a victim to remove it is to reboot the device into Safe Mode, where third‑party apps are disabled and can be uninstalled normally," the researchers added.

ESET noted that it has not seen infections in the wild and PromptSpy may be a proof of concept, similar to the PromptLock ransomware detailed by the company last year. However, the security firm has seen a domain that appears to be designed to deliver the malware to users in Argentina.

Evidence indicates that PromptSpy has been created by Chinese developers. ESET made this attribution with medium confidence and the company has not linked the Android malware to any threat actor.

WRITTEN BY Eduard Kovacs, managing editor at SecurityWeek.
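The two capabilities the article describes PromptSpy combining, an enabled Accessibility Service and the ability to draw overlays over other apps, are both visible to a defender doing device triage. The script below is an added example written for this summary; it is not ESET's or SecurityWeek's code and does not detect PromptSpy specifically. It parses the colon-separated `enabled_accessibility_services` secure setting (the format Android uses, `package/service:package/service`) and the `SYSTEM_ALERT_WINDOW` appops mode for each package, then flags third-party packages holding both. All input strings, the package names and the allowlist are constructed samples; on a real device the inputs would come from `adb shell settings get secure enabled_accessibility_services` and `adb shell appops get <package> SYSTEM_ALERT_WINDOW`.

```python
"""Triage helper: flag apps that are enabled as Accessibility Services and also
hold the overlay permission, the combination used to block uninstallation.

All sample data below is constructed for this example; it does not describe any
real device or any known malicious package.
"""

from dataclasses import dataclass

# Constructed sample in the same shape as the enabled_accessibility_services
# secure setting: entries are "package/service", separated by ':'. A service
# part starting with '.' is shorthand for a class under the package name.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sysupdate/.OverlayAccessibilityService"
)

# Constructed sample of `appops get <pkg> SYSTEM_ALERT_WINDOW` output per package.
SAMPLE_OVERLAY_APPOPS = {
    "com.google.android.marvin.talkback": "SYSTEM_ALERT_WINDOW: default",
    "com.example.sysupdate": "SYSTEM_ALERT_WINDOW: allow",
}

# Hypothetical allowlist of packages expected to run accessibility services
# on the fleet (a screen reader here); populate it from your own baseline.
TRUSTED_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_enabled_services(setting: str) -> list[tuple[str, str]]:
    """Split the secure setting into (package, fully qualified service) pairs."""
    pairs = []
    for entry in filter(None, setting.split(":")):
        pkg, _, svc = entry.partition("/")
        if svc.startswith("."):
            svc = pkg + svc  # expand relative class name
        pairs.append((pkg, svc))
    return pairs


def overlay_allowed(appops_line: str) -> bool:
    """True when the SYSTEM_ALERT_WINDOW op mode is 'allow' (ignores trailing fields)."""
    if ":" not in appops_line:
        return False
    mode = appops_line.split(":", 1)[1].strip().split(";", 1)[0].strip()
    return mode == "allow"


@dataclass
class Finding:
    package: str
    service: str
    overlay: bool
    severity: str


def triage(setting: str, appops: dict[str, str], trusted: set[str]) -> list[Finding]:
    """Report every non-allowlisted accessibility service; rate it 'high' when the
    package can also draw overlays, since that pairing lets an app both drive the
    UI and hide the controls a user would need to remove it."""
    findings = []
    for pkg, svc in parse_enabled_services(setting):
        if pkg in trusted:
            continue
        overlay = overlay_allowed(appops.get(pkg, ""))
        findings.append(Finding(pkg, svc, overlay, "high" if overlay else "medium"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ENABLED_SERVICES, SAMPLE_OVERLAY_APPOPS, TRUSTED_PACKAGES):
        print(f"[{f.severity}] {f.package} runs {f.service}; overlay={f.overlay}")
```

A "high" finding is the case the article describes: the package can act on the screen through Accessibility Services and can also place invisible views over other apps. As the researchers note, removal of such an app on a live device may require rebooting into Safe Mode, where third-party apps are disabled, so the script only reports; it does not attempt uninstallation.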
