And yes, Google’s Gemini AI had no idea it was working for the bad guys.
Malware has always followed a script. Literal, hardcoded, rigid instructions telling it exactly where to tap, what to steal, and how to hide. For years, that rigidity was also its weakness. Change the screen layout, update the operating system, or swap languages, and the malware broke. Attackers had to rewrite code for every variation. It was expensive, slow, and frankly, a little exhausting for them.
Then someone had an idea.
What if the malware stopped following a fixed script and started asking AI what to do next?
That is exactly what PromptSpy does.
A Very Brief History of Android Malware
For context, Android malware traditionally worked like a very bad GPS with the destination already locked in. It knew which buttons to press because a human attacker had mapped out those coordinates in advance. Pixel 7 running Android 14 with a Chase Bank screen? The code knew tap coordinates (312, 847). Samsung Galaxy S23 with a slightly different layout? The malware either adapted with extra code, or it failed.
Every new device, language, or OS version meant more coding. Attackers had to build separate attack paths for each scenario. It was brute-force programming at scale.
PromptSpy threw that model out entirely. Here is where it gets interesting for your business.
What PromptSpy Actually Does
ESET researcher Lukáš Štefanko and his team identified PromptSpy as the first known Android malware to actively use Google’s Gemini AI as part of its attack logic. Not as a gimmick or party trick, but as a core functional component of how it operates.
Here is the sequence, step by step.
The malware takes a full XML snapshot of whatever is currently on your screen. That snapshot captures every visible element including text, button types, and exact positions. It sends that snapshot to Gemini along with a hardcoded prompt that introduces itself as an “Android automation assistant.” Gemini, not knowing it’s talking to malware, processes the screen data and returns structured JSON instructions: tap here, swipe there, enter this. The malware executes those instructions.
No hardcoded coordinates. No device-specific code. No brittle layout assumptions. The AI reads the screen and tells the malware what to do, and it works on virtually any Android device it lands on.
This is adaptive malware. The AI becomes the brain operating faster than any hacker ever could or would do.
The Staying Power Problem
PromptSpy is the adult child of Android malware. It does not steal the car and disappear. It moves in, claims a room, and installs itself in your startup processes.
PromptSpy’s primary goal is persistence, meaning it wants to stay on your device long after you wish it were gone. It is not loud. It is entrenched.
It uses Gemini to figure out how to keep itself pinned in your recent apps list so you cannot simply swipe it away. It also exploits Android’s Accessibility Services, a set of features designed to help people with disabilities control their devices. Attackers love these features because they allow apps to tap without user input, read screen content, and layer invisible overlays on top of normal app interfaces.
PromptSpy uses those invisible overlays to block uninstallation. If you try to remove it the normal way, the overlay intercepts your taps. It quietly resists eviction. The only reliable path to removing it is rebooting into Android Safe Mode, where third-party apps cannot run, and uninstalling it from there. Most people have never done that, and most people do not know it exists.
What It Steals
This is not lightweight spyware. PromptSpy:
- Captures your lock screen PIN or password
- Records your screen as live video
- Takes screenshots on demand
- Harvests your unique device details
- Grants attackers remote control through a built-in VNC module
That VNC module is worth pausing on. It connects to an attacker’s command-and-control server and gives a human criminal hands-on access to your phone. Your banking apps, your MFA codes, your corporate email, your password manager. All of it, visible and controllable by someone else.
How It Reaches People
PromptSpy does not live on Google Play. It spreads through dedicated malicious websites, specifically mgardownload[.]com and m-mgarg[.]com. The campaign impersonates JPMorgan Chase under the alias “MorganArg” and appears focused on users in Argentina. For now. What’s successful in one corner of the world quickly spreads like news of a house party when you’re away and your basement dweller knows it.
The infection path starts with a dropper app. The dropper asks permission to install apps from unknown sources. Once granted, it downloads the actual malicious APK disguised in Spanish as a legitimate bank update. ESET found simplified Chinese debug strings in the code, which points toward the malware being developed in a Chinese-speaking environment. The motivation appears to be financial.
Google Play Protect does flag and block known versions of PromptSpy, even outside the Play Store. That is worth knowing. The bigger story here, though, is not how this version spreads. It is what the technique itself makes possible going forward.
Why the AI Angle Matters Beyond This Campaign
Traditional malware broke when screen layouts changed. PromptSpy does not break. It adapts quickly and without human intervention!
Every Android device, every OS version, every app interface, every language becomes a potential target because the malware is not navigating by memory. It is navigating by live AI analysis. Attackers no longer need to write custom code for each device configuration. They hand off that decision-making to a model that processes whatever screen it sees.
This expands how many people attackers can reach. It also makes the malware cheaper and faster to build. The AI handles all of that complexity. Attackers get the results without doing the work.
Gemini is not the villain in this story. It had no idea it was being used this way. The abuse came entirely from how the malware framed its prompts. But the result is real: AI that was built to help people is being used, without its knowledge, as a tool to hurt them.
That tension is going to keep appearing. Defenders build AI tools to protect users, and attackers build AI tools to exploit them. The technology is neutral. The intent is not.
Four Things Your Business Should Do Right Now
These tips are practical, affordable, and do not require an enterprise security team.
Turn off installation from unknown sources on every work phone. This single setting blocks the delivery method PromptSpy and most advanced Android malware depend on. On Android, go to Settings, then Apps, then Special App Access, then Install Unknown Apps. Nothing in that list should have permission unless you specifically put it there.
Audit which apps have Accessibility permissions. Go to Settings, Accessibility, and look at which apps are listed. Banking apps, browsers, and health apps have no legitimate reason to hold those permissions. Revoke anything suspicious.
Treat phones like laptops. Your team’s phones hold corporate email, VPN access, MFA apps, and password managers. If you protect your laptops with endpoint security and you ignore phones, that gap is real and attackers know it. Basic mobile device management tools exist at SMB price points, including free tiers within Google Workspace and Microsoft 365 that most businesses already pay for.
Train your team to question urgent app updates from financial institutions. PromptSpy spread by impersonating a bank update. That is a classic social engineering pattern repurposed for mobile. Teach your people one rule: real banks push updates through official app stores, not through links in messages or pop-up prompts on websites.
The Story Is Still Being Written and Will Update Often
PromptSpy is not the end of the AI-in-malware story. It is the beginning. The technique works, it scales, and it reduces the cost and complexity of building adaptive attacks. Other threat actors are paying attention and will reuse this idea and expand upon it. Your basement denizen heard it from a friend and moved back home. Simple as that.
The good news is that the defenses against this attack are the same fundamentals that protect you against most threats. Limit what gets installed. Review what permissions apps hold. Treat your phone as seriously as your computer. Train your people on what phishing looks like when it wears a mobile costume.
You do not need to understand every technical detail of how PromptSpy works to protect your organization from it. You do need to take your phones seriously. Start there, and you will be ahead of most small businesses already.
That is not a small thing. That is progress.
CyberHoot Tip of the Day
Pull out your phone right now, go to Settings, find Accessibility, and look at which apps have access. If you see something you do not recognize, revoke it. It takes sixty seconds and costs nothing. Sixty seconds well spent is sixty seconds of real security you did not have before.
Laugh. Learn. Hoot Up.
Additional Resources
Secure your business with CyberHoot Today!
The post PromptSpy: The Android Malware That Hired an AI Assistant appeared first on CyberHoot.