Feb 22, 2026 · 5 min read
This Android Malware Asks Google's AI How to Survive on Your Phone
ESET researchers discovered PromptSpy, the first Android malware to use generative AI at runtime, turning Google's Gemini into an unwitting accomplice.
Malware Just Got a Brain
Traditional Android malware follows a script. It has a fixed set of instructions, targets specific screen coordinates, and breaks whenever a device maker changes the interface. PromptSpy, discovered by ESET researcher Lukáš Štefanko in February 2026, throws that playbook out entirely.
Instead of relying on hardcoded commands, PromptSpy calls Google's Gemini AI model at runtime, feeds it a live snapshot of whatever is on screen, and asks it what to do next. When Gemini responds with step-by-step JSON instructions, the malware executes them automatically. It is, according to ESET, the first Android malware to integrate generative AI directly into its execution flow.
How PromptSpy Works
The attack chain is deceptively simple. PromptSpy assigns Gemini the persona of an "Android automation assistant," then feeds it an XML dump of the current screen, including every visible UI element, text label, class type, and screen coordinate. Gemini processes the data and returns structured JSON instructions telling the malware exactly which button to tap, which menu to open, or which setting to change.
The malware's primary persistence trick is keeping itself pinned in the recent apps list so it cannot be easily swiped away or killed by the operating system. Because Gemini reads the screen in real time, PromptSpy can adapt to virtually any device, screen size, or UI layout it encounters, whether that is a Samsung Galaxy, a Google Pixel, or a budget phone from a manufacturer that heavily customizes Android.
The loop continues until Gemini confirms the objective is achieved. The malware captures the updated screen state after each action, sends it back, and waits for the next instruction. In effect, an AI agent stands in for the human operator who would otherwise have to drive the device by hand.
What PromptSpy Steals
The AI integration is just the persistence layer. Once PromptSpy has secured its foothold, it deploys an embedded VNC module that grants attackers full remote access to the compromised device. From there, the malware can:
- Capture your lockscreen PIN, password, or pattern unlock via screen recording
- Take screenshots on demand
- Record screen activity as video
- Harvest device information and credentials
- Control the device remotely in real time
The malware also uses invisible overlays to block standard uninstallation. Victims who try to remove it through normal settings will find the uninstall button unresponsive, since PromptSpy places an invisible layer over it.
Who Is Behind It
ESET's analysis points to a financially motivated operation targeting users in Argentina. The dropper app impersonates JPMorgan Chase under the brand "MorganArg" (referencing Morgan Argentina) and is distributed through a dedicated phishing website, not the Google Play Store. Victims receive instructions in Spanish requesting permission to install apps from unknown sources.
Interestingly, debug strings written in simplified Chinese suggest the malware was developed in a Chinese-speaking environment. The first version, called VNCSpy, appeared on VirusTotal on January 13, 2026, uploaded from Hong Kong. The more advanced PromptSpy variants followed on February 10.
Why This Changes the Threat Landscape
PromptSpy is a proof of concept that threat actors have been watching. Malware that uses AI to interpret screens and decide its own next move eliminates the biggest bottleneck in mobile malware development: dealing with Android's fragmented ecosystem. There are thousands of different Android device models running dozens of manufacturer skins, and previously, malware authors had to account for each one manually.
With Gemini handling the navigation, a single malware build can work across all of them. Security researchers warn this technique could be extended beyond persistence to credential theft, data exfiltration, and social engineering, essentially giving malware the ability to "see" and "think" its way through any interface it encounters.
How to Protect Yourself
Google confirmed that Android users with Google Play Services are automatically protected through Play Protect, which blocks known versions of PromptSpy. However, the malware was never distributed through Google Play, so the standard store protections do not apply to sideloaded apps.
If you suspect your device is infected, reboot into Safe Mode (hold the power button, then long-press the "Power Off" option). In Safe Mode, third-party apps are disabled and can be uninstalled normally. Beyond that:
- Never install apps from unknown sources, especially ones sent via links in emails or text messages
- Be skeptical of any app that requests accessibility service permissions
- Keep Google Play Protect enabled on your device
- Review your installed apps regularly and remove anything you do not recognize
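Two of the signals above, an app that was sideloaded rather than installed from a store and an app bound to the accessibility service, can be checked together from a computer with adb. The script below is an added triage example, not code from the article or from ESET; it parses the captured output of `adb shell pm list packages -3 -i` and `adb shell settings get secure enabled_accessibility_services`, and the sample output and package names in it are constructed and hypothetical.

```python
"""Correlate sideloaded apps with enabled accessibility services.

Run the two adb commands first and paste their output in place of the
constructed samples below (the sample package names are hypothetical).
"""
import re

# Constructed sample of `adb shell pm list packages -3 -i` (third-party apps
# with their installing package; "null" means no store installer recorded).
PM_LIST = """\
package:com.example.bank  installer=com.android.vending
package:com.example.morganarg  installer=null
package:com.example.notes  installer=com.android.vending
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (colon-separated "package/service" entries).
A11Y = "com.example.morganarg/.ScreenService:com.example.notes/.VoiceService"

# Installers treated as trusted stores; extend for OEM stores if needed.
STORE_INSTALLERS = ("com.android.vending",)


def parse_pm_list(text):
    """Map package name -> installer package, or None when sideloaded."""
    pkgs = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkgs[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return pkgs


def parse_a11y(text):
    """Set of packages that currently have an enabled accessibility service."""
    return {entry.split("/")[0] for entry in text.strip().split(":") if entry}


def triage(pm_text, a11y_text, store_installers=STORE_INSTALLERS):
    """Return (package, severity, reason) for every app worth a closer look."""
    pkgs, a11y = parse_pm_list(pm_text), parse_a11y(a11y_text)
    findings = []
    for pkg, installer in sorted(pkgs.items()):
        sideloaded, uses_a11y = installer not in store_installers, pkg in a11y
        if sideloaded and uses_a11y:
            findings.append((pkg, "HIGH", "sideloaded + accessibility service"))
        elif sideloaded:
            findings.append((pkg, "MEDIUM", "sideloaded"))
        elif uses_a11y:
            findings.append((pkg, "LOW", "store-installed, accessibility service"))
    return findings
```

A HIGH finding is only a prompt to inspect the app, since legitimate screen readers and automation tools also use the accessibility service; the uninstall path the article describes (Safe Mode) still applies.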
The Bigger Picture
PromptSpy is a warning shot. Generative AI has lowered the barrier to entry for sophisticated cyberattacks, and mobile malware was always going to be next. The question is no longer whether attackers will use AI, but how quickly the technique spreads beyond a single financially motivated group in Argentina to the broader malware ecosystem.
For Android users, the immediate lesson is simple: your phone's AI assistant is not the only one paying attention to what is on your screen. And for the security community, PromptSpy marks the moment when malware stopped following scripts and started thinking for itself.