Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
Malware

PromptSpy

PROMPTSPY is an Android backdoor first surfaced by ESET and described as a novel malware family that abuses Google Gemini APIs and Android accessibility/UI features to automate interaction with infected devices. Reported capabilities include analyzing the device UI structure, including sending a serialized XML representation of the visible UI hierarchy via a GeminiAutomationAgent component to the gemini-2.5-flash-lite model, parsing structured JSON responses into touch coordinates and gesture commands, and simulating clicks and swipes to autonomously manipulate the interface. The malware has been reported to gather device information, take screenshots, record screen activity as video, and capture lockscreen or authentication data, including PINs or lock patterns, to replay authentication gestures and regain access to a compromised device for follow-on exploitation. For persistence and anti-removal, PROMPTSPY uses a multi-layered defense mechanism that includes an AppProtectionDetector module to identify the on-screen Uninstall button and place an invisible overlay over it to intercept touch events, making removal appear unresponsive; it has also been reported to use Firebase Cloud Messaging to relaunch when the device becomes inactive and to keep itself pinned in the recent apps list. The malware initializes with hardcoded infrastructure and credentials but supports runtime rotation of critical components, including command-and-control infrastructure, Gemini API keys, and a VNC relay server, without redeploying the payload. Google reportedly disabled assets associated with the activity, stated that no apps containing PROMPTSPY were found on Google Play, and said Google Play Protect detects known versions. The content attributes discovery to ESET; no specific threat actor, infection vector, or targeted industry is stated with confidence in the provided material.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
MITRE ATT&CK

Techniques & procedures

27 distinct techniques documented for this family, organized by ATT&CK tactic.

Reconnaissance

1 technique
T1592Gather Victim Host InformationEvidence1

PROMPTSPY’s “GeminiAutomationAgent” module serializes the device’s visible UI hierarchy into XML, sends it to Gemini’s gemini-2.5-flash-lite model, and receives structured JSON commands...

Resource Development

1 technique
T1587.001MalwareEvidence1

“AI-enabled malware, such as PROMPTSPY, signal a shift toward autonomous attack orchestration, where models interpret system states to dynamically generate commands and manipulate victim environments.”

Initial Access

3 techniques
T1133External Remote ServicesEvidence1

If the victim device becomes inactive, PROMPTSPY operators can utilize Firebase Cloud Messaging (FCM) to relaunch the backdoor, allowing the threat actor to continue their intrusion activity without alerting the victim.

T1566PhishingEvidence1

“…cached versions revealed they were likely trying to imitate a Chase Bank website.”

T1566.002Spearphishing LinkEvidence1

“distributed through malicious websites impersonating Chase Bank, using branding like ‘MorganArg.’ A related phishing app… helps deliver the final payload.”

Execution

3 techniques
T1059Command and Scripting InterpreterEvidence1

“AI-enabled malware, such as PROMPTSPY, signal a shift toward autonomous attack orchestration, where models interpret system states to dynamically generate commands and manipulate victim environments.”

T1574Hijack Execution FlowEvidence1

When a victim tries to uninstall it, PromptSpy locates the uninstall button on screen and places an invisible layer over it, intercepting the victim's tap so the button appears not to work.

T1648Serverless ExecutionEvidence2

“PromptSpy deploys a VNC module for remote control, abuses Accessibility Services to block removal…” … “After installation, it requests Accessibility permissions…” … “To prevent removal, it overlays invisible elements over uninstall buttons.”

Persistence

3 techniques
T1133External Remote ServicesEvidence1

If the victim device becomes inactive, PROMPTSPY operators can utilize Firebase Cloud Messaging (FCM) to relaunch the backdoor, allowing the threat actor to continue their intrusion activity without alerting the victim.

T1546.008Accessibility FeaturesEvidence1

GTIG also highlighted PROMPTSPY ... that abuses the Gemini API and accessibility features to interact with the Android user interface (UI) in an automated fashion.

T1547Boot or Logon Autostart ExecutionEvidence2

If the victim device becomes inactive, PROMPTSPY operators can utilize Firebase Cloud Messaging (FCM) to relaunch the backdoor, allowing the threat actor to continue their intrusion activity without alerting the victim.

Privilege Escalation

3 techniques
T1546.008Accessibility FeaturesEvidence1

GTIG also highlighted PROMPTSPY ... that abuses the Gemini API and accessibility features to interact with the Android user interface (UI) in an automated fashion.

T1547Boot or Logon Autostart ExecutionEvidence2

If the victim device becomes inactive, PROMPTSPY operators can utilize Firebase Cloud Messaging (FCM) to relaunch the backdoor, allowing the threat actor to continue their intrusion activity without alerting the victim.

T1548Abuse Elevation Control MechanismEvidence1

If the victim tries to uninstall PROMPTSPY, the malware employs its 'AppProtectionDetector' module to identify the on-screen coordinates of the 'Uninstall' button. The malware renders an invisible overlay directly over the button as a shield that silently intercepts and consumes the victim's touch events, making the button appear unresponsive to the user.

Stealth

4 techniques
T1036MasqueradingEvidence3

According to the researchers, the role of the prompt is to assign a benign persona so it can bypass the LLM's safety features.

T1070Indicator RemovalEvidence1

it intercepts uninstall attempts by rendering an invisible overlay over the uninstall button to silently consume touch events.

T1497.001System ChecksEvidence1

Promptspy used the Gemini API as an Android backdoor to analyze UI structure and simulate clicks, swipes, and even included a delete sabotage feature.

T1574Hijack Execution FlowEvidence1

When a victim tries to uninstall it, PromptSpy locates the uninstall button on screen and places an invisible layer over it, intercepting the victim's tap so the button appears not to work.

Credential Access

4 techniques
T1056Input CaptureEvidence9

PROMPTSPY embeds a module called GeminiAutomationAgent that sends a serialized XML representation of the victim device’s current UI hierarchy... and parses the model’s structured JSON response into specific touch coordinates and gesture commands.

T1056.003Web Portal CaptureEvidence1

placing a transparent overlay over the “delete” button to intercept touch events when the victim tries to delete the app

T1056.004Credential API HookingEvidence1

“PromptSpy submits a natural language prompt to Gemini, together with an XML dump of the device's current screen, and the chatbot returns JSON instructions for what action to perform and where to perform it…”

T1649Steal or Forge Authentication CertificatesEvidence1

It can also capture biometric replay artifacts to re-authenticate to a locked device

Discovery

1 technique
T1497.001System ChecksEvidence1

Promptspy used the Gemini API as an Android backdoor to analyze UI structure and simulate clicks, swipes, and even included a delete sabotage feature.

Lateral Movement

1 technique
T1021.005VNCEvidence1

“ESET calls it PromptSpy, malware whose primary goal is to deploy a VNC module that hands hackers remote control of infected devices.”

Collection

4 techniques
T1056Input CaptureEvidence9

PROMPTSPY embeds a module called GeminiAutomationAgent that sends a serialized XML representation of the victim device’s current UI hierarchy... and parses the model’s structured JSON response into specific touch coordinates and gesture commands.

T1056.003Web Portal CaptureEvidence1

placing a transparent overlay over the “delete” button to intercept touch events when the victim tries to delete the app

T1056.004Credential API HookingEvidence1

“PromptSpy submits a natural language prompt to Gemini, together with an XML dump of the device's current screen, and the chatbot returns JSON instructions for what action to perform and where to perform it…”

T1113Screen CaptureEvidence4

The malware contains an autonomous module that maps the visible layout of a device's screen, sends that layout to Gemini and receives back precise coordinates and gesture instructions like clicks and swipes that it then executes to navigate the phone on the attacker's behalf.

Command and Control

5 techniques
T1071Application Layer ProtocolEvidence1

If the victim device becomes inactive, PROMPTSPY operators can utilize Firebase Cloud Messaging (FCM) to relaunch the backdoor, allowing the threat actor to continue their intrusion activity without alerting the victim.

T1071.001Web ProtocolsEvidence2

Promptflux : A self-morphing dropper that calls the Gemini API to periodically rewrite its own source code

T1219Remote Access ToolsEvidence2

PROMPTSPY, an Android backdoor... sends a serialized XML representation of the victim device’s current UI hierarchy to the gemini-2.5-flash-lite model... and parses the model’s structured JSON response into specific touch coordinates and gesture commands

T1568Dynamic ResolutionEvidence2

Specifically, the malware’s command-and-control (C2) infrastructure, including the Gemini API keys and the VNC relay server, can be updated dynamically via the C2 channel.

T1573Encrypted ChannelEvidence1

“uses encrypted C2 communications.” … “communicates with its C2 server using AES-encrypted VNC traffic.”

Impact

1 technique
T1485Data DestructionEvidence1

Promptspy used the Gemini API as an Android backdoor to analyze UI structure and simulate clicks, swipes, and even included a delete sabotage feature.

Other

1 technique
T1562Impair DefensesEvidence1

Investigators identified an autonomous component called "GeminiAutomationAgent," which reportedly relies on a hardcoded prompt to help the malware evade AI safety mechanisms.

ACTIVITY FEED

Recent activity

30 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

30 SOURCESView more in app
malware newsNews
May 29, 2026
The AI-Embedded SOC: An Operating Model for the Asymmetry Era - Malware News - Malware Analysis, News and Indicators

An Android backdoor that uses a GeminiAutomationAgent module to send serialized UI hierarchy data to gemini-2.5-flash-lite, parse structured responses into touch and gesture commands, capture biometric replay artifacts, and block uninstall attempts via invisible overlays.

Read more
detectNews
May 29, 2026
The AI-Embedded SOC: An Operating Model for the Asymmetry Era | by Omar Tarek Zayed | May, 2026 | Detect FYI

An Android backdoor that uses a GeminiAutomationAgent module to send serialized UI state to a Gemini model, receive structured action instructions, and autonomously interact with the device. It can also capture biometric replay artifacts and block uninstall attempts via an invisible overlay.

Read more
ahnlab asec blogNews
May 27, 2026
The proliferation and evolution of AI-powered hacking tools - how generative AI has changed the cyber attack ecosystem and response strategies - ASEC

Android backdoor that uses the Gemini API to analyze UI structure and simulate gestures for autonomous device interaction, including preventing app deletion via a transparent overlay.

Read more
cysecurity newsNews
May 25, 2026
Google Detects AI-Generated Zero-Day Exploit Targeting Web Admin Tool - CySecurity News - Latest Information Security and Hacking Incidents

Android malware that integrates with Gemini APIs to automate interactions on infected devices and appears capable of replaying authentication methods, including PINs and lock patterns, using AI-assisted techniques.

Read more
+23 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping27

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.