- What: A new Android malware family called PromptSpy uses generative AI to manipulate the user interface for persistence.
- Impact: Android users are at risk of having their devices compromised via AI-driven UI manipulation.
ESET researchers uncovered the first known case of Android malware abusing generative AI for context-aware user interface manipulation. While machine learning has been used to similar ends already – just recently, researchers at Dr.WEB found Android.Phantom, which uses TensorFlow machine learning models to analyze advertisement screenshots and automatically click on detected elements for large-scale ad fraud – this is the first time we have seen generative AI deployed in this manner. Because the attackers rely on prompting an AI model (in this instance, Google's Gemini) to guide malicious UI manipulation, we have named this family PromptSpy. This is the second AI-powered malware we have discovered – following PromptLock in August 2025, the first known case of AI-driven ransomware.

While generative AI is deployed only in a relatively minor part of PromptSpy's code – the part responsible for achieving persistence – it still has a significant impact on the malware's adaptability. Specifically, Gemini is used to analyze the current screen and provide PromptSpy with step-by-step instructions on how to ensure the malicious app remains pinned in the recent apps list, thus preventing it from being easily swiped away or killed by the system. The AI model and prompt are predefined in the code and cannot be changed. Since Android malware often relies on UI navigation, leveraging generative AI enables the threat actors to adapt to more or less any device, layout, or OS version, which can greatly expand the pool of potential victims.

The main purpose of PromptSpy is to deploy a built-in VNC module, giving operators remote access to the victim's device. This Android malware also abuses the Accessibility Service to block uninstallation with invisible overlays, captures lockscreen data, and records video. It communicates with its C&C server via the VNC protocol, using AES encryption.
Based on language localization clues and the distribution vectors observed during analysis, this campaign appears to be financially motivated and seems to primarily target users in Argentina. Interestingly, analyzed PromptSpy samples suggest that it was developed in a Chinese-speaking environment.

PromptSpy is distributed through a dedicated website and has never been available on Google Play. As an App Defense Alliance partner, we nevertheless shared our findings with Google. Android users are automatically protected against known versions of this malware by Google Play Protect, which is enabled by default on Android devices with Google Play Services.

Key points of this blogpost:
- PromptSpy is the first known Android malware to use generative AI in its execution flow, even though it's only to achieve persistence.
- Google's Gemini is used to interpret on-screen elements on the compromised device and provide PromptSpy with dynamic instructions on how to execute a specific gesture to remain in the recent app list.
- The main (non-generative-AI-assisted) purpose of PromptSpy is to deploy a VNC module on the victim's device, allowing attackers to see the screen and perform actions remotely.
- PromptSpy has not been observed in our telemetry yet, making it a possible proof of concept; however, the discovery of a likely distribution domain suggests the existence of a variant targeting users in Argentina.
- PromptSpy can capture lockscreen data, block uninstallation, gather device info, take screenshots, record screen activity as video, and more.

PromptSpy's AI-powered functionality

Even though PromptSpy uses Gemini in just one of its features, it still demonstrates how incorporating these AI tools can make malware more dynamic, giving threat actors ways to automate actions that would normally be more difficult with traditional scripting.
As was briefly mentioned already, Android malware usually depends on hardcoded screen features such as taps, coordinates, or UI selectors – methods that can break with UI changes across devices, OS versions, or manufacturer skins. PromptSpy aims to achieve persistence by staying embedded in the list of recent apps by executing the "lock app in recent apps" gesture (the full process is described in the Analysis section), which varies between devices and manufacturers. This makes it difficult to automate with the fixed scripts traditionally used by Android malware.

PromptSpy therefore takes a completely different approach: it sends Gemini a natural-language prompt along with an XML dump of the current screen, giving the AI a detailed view of every UI element: its text, type, and exact position on the display. Gemini processes this information and responds with JSON instructions that tell the malware what action to perform (for example, a tap) and where to perform it. The malware saves both its previous prompts and Gemini's responses, allowing Gemini to understand context and to coordinate multistep interactions. Figure 1 shows a code snippet of PromptSpy's initialization of communication with Gemini, including the first prompt used. By handing the decision-making over to Gemini, the malware can recognize the correct UI element and perform the appropriate gesture, keeping the malware alive even if the user tries to close it.

Figure 1. Malware code snippet with hardcoded prompts

PromptSpy continues prompting Gemini until the AI confirms that the app has been successfully locked, showing a feedback loop where the malware waits for validation before moving on.

PromptSpy overview

In February 2026, we uncovered two versions of a previously unknown Android malware family. The first version, which we named VNCSpy, appeared on VirusTotal on January 13th, 2026 and was represented by three samples uploaded from Hong Kong.
On February 10th, 2026, four samples of more advanced malware based on VNCSpy were uploaded to VirusTotal from Argentina. Our analysis of the samples from Argentina revealed multistage malware with a malicious payload that misuses Google's Gemini. Based on these findings, we named the first stage of this malware PromptSpy dropper, and its payload PromptSpy.

It should be noted that we haven't yet seen any samples of the PromptSpy dropper or its payload in our telemetry, which might indicate that both of them are just proofs of concept. However, based on the existence of a possible distribution domain described in the following paragraphs, we cannot discount the possibility of the PromptSpy dropper and PromptSpy existing in the wild.

According to VirusTotal data, all four PromptSpy dropper samples were distributed through the website mgardownload[.]com; it was already offline during our analysis. Once installed and launched, the PromptSpy dropper opened a webpage hosted on m-mgarg[.]com. Although this domain was also offline, Google's cached version revealed that it likely impersonated a Chase Bank (legally, JPMorgan Chase Bank N.A.) site (see Figure 2).

Figure 2. Google's cached data for the fake website

The malware uses similar branding, with the app name MorganArg and an icon inspired by Chase Bank (see Figure 3). MorganArg, likely a shorthand for "Morgan Argentina", also appears as the name of the cached website, suggesting a regional targeting focus.

Figure 3. Dropper requests permission to install unknown apps to proceed with PromptSpy installation

We used the m-mgarg[.]com domain to pivot in VirusTotal, leading us to yet another Android malware sample (Android/Phishing.Agent.M). VirusTotal showed the spoofed website in Spanish, with an Iniciar sesión (Login) button, indicating that the page was probably intended to mimic a website of a bank (see Figure 4).

Figure 4. User interface of Android/Phishing.Agent.M displaying the same fake website as PromptSpy dropper (source: https://www.virustotal.com/gui/file/4ee3b09dd9a787ebbb02a637f8af192a7e91d4b7af1515d8e5c21e1233f0f1c7/)

This trojan appears to function as a companion application developed by the same threat actor behind VNCSpy and PromptSpy. In the background, the trojan contacts its server to request a configuration file, which includes a link to download another APK, presented to the victim, in Spanish, as an update. During our research, the configuration server was no longer accessible, so the exact download URL remains unknown. However, given that it uses the same unique bank spoofing website, the same app name and icon, and, most importantly, is signed by the same unique developer certificate as the PromptSpy dropper, we strongly suspect this app may serve as the initial stage designed to lead victims toward installing PromptSpy.

Both VNCSpy and PromptSpy include a VNC component, giving their operators full remote access to compromised devices once victims enable Accessibility Services (see Figure 5). This allows the malware operators to see everything happening on the device, and to perform taps, swipes, gestures, and text input as though they were physically holding the phone.

Figure 5. PromptSpy requests the victim to allow Accessibility services

On top of the malicious capabilities already contained in VNCSpy, PromptSpy adds AI-assisted UI manipulation, helping it maintain persistence by keeping the malicious app pinned in the recent apps list (an example of how the lock is indicated in the list can be seen in Figure 6).

Figure 6. Not locked (left) and locked (right) MorganArg app in the list of recent apps, with the padlock icon representing the lock

We believe this functionality is used before the VNC session is established, so that the user or system will not kill the PromptSpy activity from the list of recent apps.
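The following static triage pass is an added example, not code from ESET or from the malware: it checks a decoded AndroidManifest.xml and a list of extracted strings for the traits described in the AI-powered functionality and overview sections (an Accessibility Service, permission to install other APKs, the report's two domains, and a generative-AI API host). The sample manifest, package name and strings are constructed, and the Gemini API hostname is an assumption, since the report does not name the endpoint the samples contact.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Domains named in the report, kept defanged as published.
REPORT_DOMAINS = ["mgardownload[.]com", "m-mgarg[.]com"]
# Assumption: public Gemini API host; the report does not name the endpoint.
GENAI_HOST = "generativelanguage.googleapis.com"
# Constructed sample input (not taken from a real APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><service android:name=".UiService"
      android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""
SAMPLE_STRINGS = ["https://generativelanguage.googleapis.com/", "hello"]

def refang(ioc):
    """Undo [.] defanging and map typographic hyphens to ASCII '-'."""
    return re.sub(r"[\u2010-\u2015]", "-", ioc.replace("[.]", ".")).lower()

def host_in(text, domain):
    """True if domain or a subdomain occurs as a whole hostname in text."""
    pat = r"(?<![a-z0-9-])" + re.escape(domain) + r"(?![a-z0-9-]|\.[a-z0-9])"
    return re.search(pat, text.lower()) is not None

def triage(manifest_xml, strings):
    """Return findings for a decoded AndroidManifest.xml plus extracted strings."""
    root = ET.fromstring(manifest_xml)
    findings = []
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    if "android.permission.REQUEST_INSTALL_PACKAGES" in perms:
        findings.append("can-install-apks")  # dropper trait (Figure 3)
    for svc in root.iter("service"):
        if svc.get(ANDROID + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings.append("accessibility-service:" + svc.get(ANDROID + "name", "?"))
    blob = "\n".join(strings)
    if host_in(blob, GENAI_HOST):
        findings.append("genai-api-host")
    for d in REPORT_DOMAINS:
        if host_in(blob, refang(d)):
            findings.append("report-domain:" + d)
    # The pairing the report describes: UI automation driven by a generative model.
    if "genai-api-host" in findings and any(f.startswith("accessibility-") for f in findings):
        findings.append("HIGH: accessibility service + generative-AI API host")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

Manifests pulled from untrusted APKs are attacker-controlled XML, so a pipeline should parse them with a hardened parser such as defusedxml. Legitimate apps can match individual checks, so the findings are triage signals rather than verdicts.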
In Figure 7, you can see PromptSpy network communication with Gemini AI.

Figure 7. Network communication of malware and Gemini with prompt request and response shown in red rectangles

Origins

While analyzing PromptSpy, we noticed that it contains debug strings written in simplified Chinese. It even includes handling for various Chinese Accessibility event types (see Figure 8), a debug method that had been disabled in the code but not removed. The p