In a landmark discovery for mobile security, ESET researchers have identified a sophisticated Android malware family, dubbed PromptSpy, the first known mobile threat to leverage generative artificial intelligence (AI) at runtime to ensure its survival on compromised devices. Detected in early 2026, the malware abuses Google’s Gemini AI to interpret on-screen elements and generate dynamic, step-by-step instructions for maintaining persistence. The development follows the August 2025 discovery of PromptLock, the first AI-powered ransomware, and signals a rapid acceleration in the weaponization of large language models (LLMs) by cybercriminals.
The malware was first detected when ESET researcher Lukáš Štefanko identified samples uploaded to VirusTotal from Hong Kong in January 2026, followed by more advanced versions from Argentina in early February. PromptSpy is distributed through a dedicated website, mgardownload[.]com, masquerading as a legitimate application for "Morgan Argentina," a fake entity using JPMorgan Chase branding. Once installed, the malware’s primary objective is to deploy a Virtual Network Computing (VNC) module, granting attackers remote access to the victim’s device. However, its most innovative feature is its use of Gemini to solve the "persistence problem" that has long plagued Android malware developers.
Traditional Android malware often relies on hardcoded scripts to perform UI actions, such as clicking buttons or swiping to lock an app in the "recent apps" list. These scripts frequently fail due to the extreme fragmentation of the Android ecosystem, where different manufacturers, screen sizes, and OS versions alter the layout of system menus. PromptSpy bypasses this by taking an XML dump of the current screen—a detailed map of every UI element—and sending it to Gemini with a natural language prompt. The AI, acting as an "Android automation assistant," analyzes the layout and returns JSON-formatted instructions telling the malware exactly where to tap or swipe to pin itself in memory, preventing the system or the user from easily killing the process.
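The perceive-and-ask step described above can be sketched as follows. This is an illustrative reconstruction, not recovered PromptSpy code: the prompt wording and the JSON instruction schema are assumptions chosen to mirror ESET's description of an "Android automation assistant" returning tap/swipe coordinates.

```python
import json

# Hypothetical sketch: wrap an accessibility-tree XML dump in a natural-language
# prompt and validate the JSON instruction that comes back. The prompt text and
# schema below are assumptions for illustration only.

def build_prompt(ui_xml: str) -> str:
    """Embed the UI dump in a natural-language request for a single action."""
    return (
        "You are an Android automation assistant. Given this UI dump, reply "
        'with JSON {"action": "tap"|"swipe", "x": int, "y": int} '
        "to pin the current app in the recent-apps list.\n" + ui_xml
    )

def parse_instruction(reply: str) -> dict:
    """Reject any model reply that is not a well-formed tap/swipe instruction."""
    ins = json.loads(reply)
    if ins.get("action") not in ("tap", "swipe"):
        raise ValueError("unexpected action")
    return {"action": ins["action"], "x": int(ins["x"]), "y": int(ins["y"])}
```

The key design point is that the malware author never hardcodes coordinates: the model reads the device-specific layout and the client only needs to parse and execute a tiny, fixed instruction format.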
According to ESET, this AI-driven feedback loop continues until the model confirms the app is successfully locked. While the generative AI component currently handles only a small portion of the malware's total code, its impact on adaptability is profound. By delegating decision-making to an LLM, the threat actors have created a "universal" persistence mechanism that can adapt to virtually any Android device without requiring the developers to write custom code for every possible UI configuration. This significantly lowers the barrier to entry for maintaining long-term access to high-value targets.
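The feedback loop ESET describes can be modeled as a simple perceive-ask-act cycle that terminates when the model reports success. Everything here is a minimal sketch under assumed names; the stubbed model stands in for the real Gemini call and returns a hypothetical JSON shape.

```python
import json

# Minimal model of the AI-driven persistence loop: dump the screen, ask the
# model, act on its instruction, repeat until it confirms the app is pinned.
# The "fake_model" stub and its JSON fields are illustrative assumptions.

def fake_model(ui_xml: str, step: int) -> str:
    """Stand-in for the remote LLM call; returns JSON-formatted instructions."""
    if step < 2:
        return json.dumps({"action": "tap", "x": 540, "y": 1200, "locked": False})
    return json.dumps({"action": "none", "locked": True})

def persistence_loop(dump_screen, send_to_model, perform_action, max_steps=10):
    """Perceive -> ask model -> act, until the model confirms success."""
    for step in range(max_steps):
        instruction = json.loads(send_to_model(dump_screen(), step))
        if instruction.get("locked"):
            return True, step
        perform_action(instruction)  # e.g. inject a tap at (x, y)
    return False, max_steps

taps = []
locked, steps = persistence_loop(
    dump_screen=lambda: "<hierarchy>...</hierarchy>",
    send_to_model=fake_model,
    perform_action=lambda ins: taps.append((ins["x"], ins["y"])),
)
```

Because the loop carries an objective ("get pinned") rather than a script, the same binary adapts to any manufacturer skin or OS version without device-specific code paths.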
Beyond its AI capabilities, PromptSpy is a potent surveillance tool. It abuses Android’s Accessibility Services to capture lockscreen PINs, record screen activity as video, and take on-demand screenshots. It also employs aggressive anti-uninstall techniques, using invisible overlays to intercept taps on "Uninstall" or "Deactivate" buttons. Analysis of the code, which includes debug strings in Simplified Chinese, suggests the malware was likely developed in a Chinese-speaking environment, though its current campaign appears focused on financial targets in Argentina. ESET has shared these findings with Google through the App Defense Alliance, and users are currently protected by Google Play Protect, which identifies and blocks known variants of the PromptSpy dropper and payload.
The emergence of PromptSpy marks a critical inflection point in the cat-and-mouse game between security vendors and malware authors. For years, the industry has debated whether AI-powered malware was a theoretical "proof of concept" or a looming reality. PromptSpy confirms that threat actors are now moving beyond using AI for phishing or code generation and are integrating it directly into the execution flow of malicious binaries. This shift toward "agentic" malware—software that can perceive its environment and make autonomous decisions to achieve a goal—poses a unique challenge to traditional signature-based and even behavioral detection systems.
From a technical perspective, the use of legitimate APIs like Gemini’s to facilitate malicious activity creates a "living off the land" scenario for AI. Because the malware is communicating with a trusted Google service, its traffic may appear less suspicious to network monitoring tools. Furthermore, as LLMs become more integrated into mobile operating systems, the attack surface for this type of manipulation will only expand. We are likely to see a trend where malware no longer carries a fixed set of instructions but instead carries a set of "objectives," relying on cloud-based or on-device AI to figure out the most effective way to execute those objectives based on the specific context of the victim's device.
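A defender-side response to this "living off the land" pattern is to treat gen-AI API traffic as context-dependent: legitimate from an AI client, suspicious from an app with no business using one. The sketch below illustrates the idea; the endpoint set and the allowlisted package name are assumptions for illustration, not a production detection rule.

```python
# Illustrative heuristic: flag traffic to generative-AI API hosts originating
# from apps not expected to use them. Endpoint list and allowlist are
# assumptions; a real deployment would source both from policy/telemetry.

GENAI_ENDPOINTS = {
    "generativelanguage.googleapis.com",  # Gemini API
    "api.openai.com",
}

# Hypothetical allowlist of packages legitimately calling gen-AI APIs.
EXPECTED_AI_CLIENTS = {"com.google.android.apps.bard"}

def flag_connection(package_name: str, host: str) -> bool:
    """Return True when a non-allowlisted app contacts a gen-AI endpoint."""
    return host in GENAI_ENDPOINTS and package_name not in EXPECTED_AI_CLIENTS
```

The limitation is exactly the one the article notes: the traffic itself is to a trusted Google service over TLS, so detection has to lean on which process is talking, how often, and with what payload sizes, rather than on the destination alone.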
Looking forward, the success of PromptSpy’s persistence mechanism will likely inspire other threat groups to adopt similar tactics for bypassing security controls. We can expect future iterations to use AI for more than just persistence; generative models could be used to dynamically generate phishing overlays that match the exact style of a victim's banking app or to autonomously navigate complex security settings to grant themselves further permissions. For the cybersecurity industry, this necessitates a move toward AI-native defense strategies that can identify the subtle patterns of AI-to-AI communication and detect when legitimate automation tools are being subverted for malicious ends. As U.S. President Trump’s administration continues to emphasize domestic technological resilience, the intersection of AI and national security will remain a primary focus for both regulators and the private sector throughout 2026.
