ESET reported a new Android malware family, PromptSpy, assessed as the first known Android malware to incorporate generative AI directly into its execution flow to improve reliability of on-device actions. PromptSpy uses predefined prompts to Google’s Gemini to interpret the device UI and guide gestures that keep the malicious app “locked”/pinned in the recent apps view (often shown as a padlock icon), making it harder for users or the OS to dismiss and aiding persistence. Reported capabilities include collecting device information, taking screenshots, recording screen activity, capturing lockscreen data, and interfering with uninstallation attempts; ESET noted it has not been observed in their telemetry and may currently be a proof of concept, with indicators suggesting a financially motivated campaign primarily affecting users in Argentina.
Technical reporting described PromptSpy sending Gemini an XML dump of the current screen and receiving JSON instructions indicating what action to take and where, iterating until the app is successfully pinned—an approach that can be more adaptable across device models, launchers, and OS versions than hard-coded taps/coordinates/UI selectors. Separate research coverage on so-called “promptware” framed prompt injection as a distinct class of risk where an LLM can function as an execution engine; while conceptually related to AI-enabled abuse, that discussion focused on general LLM prompt-injection threats rather than the specific PromptSpy Android malware implementation using Gemini for UI manipulation and persistence.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
6 events from the most recent confirmed update back to the earliest known activity.
On February 19, 2026, ESET publicly reported PromptSpy as the first known Android malware to use generative AI at runtime in its execution flow. The disclosure detailed its Gemini-based persistence technique, VNC remote-access capability, anti-removal behavior, and likely Argentina-focused financial-fraud distribution.
After analyzing the malware, ESET shared its findings with Google. Google Play Protect was reported to detect or block known PromptSpy versions, although the malware was not distributed through Google Play.
A more advanced PromptSpy variant incorporated Google's Gemini into its execution flow, using XML UI dumps and returned JSON instructions to pin itself in Android's Recent Apps list for persistence. The malware also used Accessibility Services, anti-uninstall overlays, and an embedded VNC module for remote control and spying.
Infrastructure distributing the malware was linked to dedicated websites impersonating JPMorgan Chase Bank under the 'MorganArg' branding, rather than Google Play. The setup suggested financially motivated targeting focused primarily on users in Argentina.
Researchers observed PromptSpy-related Android APK samples on VirusTotal in January, including submissions associated with Argentina. These samples helped establish the malware's existence and evolution toward Gemini-assisted persistence.
ESET identified an earlier variant related to PromptSpy, dubbed VNCSpy, indicating the malware family existed before the Gemini-assisted version. This earlier form focused on VNC-based remote access without the later generative-AI persistence enhancements.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
10 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcesecurityaffairs.com
Open sourcebankinfosecurity.com
Open sourcegovinfosecurity.com
Open sourcego.theregister.com
Open sourcewelivesecurity.com
Open sourcebleepingcomputer.com
Open sourcehelpnetsecurity.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.