Security researchers at ESET have uncovered PromptSpy, the first known Android malware to use generative AI during execution. Instead of relying on hard-coded scripts, this malware uses Google’s Gemini AI to understand on-screen elements and keep itself alive on infected devices. The discovery marks a major shift in how Android threats adapt to different devices, screen layouts, and OS versions .
Unlike earlier malware that broke when interfaces changed, PromptSpy actively interprets the user interface in real time. This approach allows it to persist across manufacturers and Android skins, significantly increasing its potential impact.
What Is PromptSpy?
PromptSpy is an advanced Android spyware family discovered by ESET researchers. It builds on an earlier strain known as VNCSpy but adds a new capability: AI-assisted UI manipulation.
The malware does not use generative AI to write text or generate code. Instead, it abuses AI to analyze the device’s screen and decide exactly where to tap or swipe to remain active. This technique allows PromptSpy to survive actions that usually kill malicious apps, such as clearing recent apps or rebooting the phone.
How PromptSpy Uses Generative AI
PromptSpy integrates Google Gemini in a very specific way. The malware captures a full XML dump of the current screen, including button labels, positions, and UI structure. It then sends this data to Gemini with a predefined prompt.
Gemini responds with JSON-formatted instructions that tell the malware exactly what action to perform, such as a tap, long-press, or swipe. PromptSpy executes the action using Android’s Accessibility Service and repeats the process until Gemini confirms success .
This feedback loop allows the malware to lock itself in the Recent Apps list, a persistence method that normally varies across devices and manufacturers.
What PromptSpy Can Do on an Infected Android Device
Although AI plays a small role in its code, PromptSpy remains a powerful spyware tool. Its main payload includes a built-in VNC remote access module, which gives attackers full control over the infected device.
Once active, PromptSpy can:
- View and control the screen in real time
- Capture lockscreen PINs and passwords
- Record screen activity as video
- Take screenshots on demand
- Collect device and installed-app information
- Block uninstallation using invisible overlays
The malware encrypts its command-and-control traffic using AES and communicates through the VNC protocol, making detection more difficult .
How PromptSpy Is Distributed and Who It Targets
Researchers observed PromptSpy distributed through dedicated websites, not through the Google Play Store. Some samples impersonated banking services, including fake login pages designed to trick users into installing the malware.
Analysis suggests that early campaigns mainly targeted users in Argentina, while code artifacts indicate development in a Chinese-speaking environment. However, researchers have not yet seen widespread infections, which raises the possibility that PromptSpy currently exists as a limited campaign or proof of concept .
Why PromptSpy Is a Serious Threat to Android Security
PromptSpy shows how generative AI can remove long-standing limitations in malware automation. Traditional Android malware breaks when UI layouts change. PromptSpy avoids this problem by asking an AI model how to interact with whatever screen it sees.
This approach makes future threats more adaptable, harder to remove, and easier to scale across devices. Even though PromptSpy uses AI only for persistence, the concept opens the door to far more advanced real-time decision-making in mobile malware.
How Android Users Can Stay Safe From PromptSpy
Android users can reduce risk by following basic security practices:
- Avoid installing apps from unknown websites
- Keep Google Play Protect enabled
- Review Accessibility permissions carefully
- Reboot into Safe Mode if an app refuses to uninstall
In Safe Mode, third-party apps cannot block removal, allowing users to delete persistent malware successfully.
PromptSpy represents a clear warning sign for mobile security. By combining spyware with generative AI, attackers can build malware that adapts on the fly instead of relying on fragile scripts. While current samples appear limited, the technique itself is powerful and likely to spread.
As AI tools become more accessible, defenders must assume that future Android malware will think, adapt, and persist in ways that traditional detection methods were never designed to handle.
Source: WeLiveSecurity
