PromptSpy Android Malware 2026: First Malware to Weaponize Google Gemini AI at Runtime
Cybersecurity researchers have discovered PromptSpy, the first known Android malware that weaponizes Google’s Gemini AI during its execution. This threat uses generative AI to adapt to different Android devices and maintain persistence in ways traditional malware cannot, marking a concerning evolution in mobile security threats.
What Is PromptSpy Android Malware?
The PromptSpy Android malware 2026 was discovered by ESET researchers in February. According to BleepingComputer, this malware uses Google’s Gemini AI model to analyze on-screen elements and receive step-by-step instructions for staying locked in an infected device’s recent apps list—preventing users from easily removing it.
ESET researcher Lukáš Štefanko explained: “PromptSpy shows that Android malware is beginning to evolve in a sinister way. By relying on generative AI to interpret on-screen elements and decide how to interact with them, the malware can adapt to virtually any device, screen size, or UI layout.”
How PromptSpy Exploits Gemini AI
PromptSpy works through a multi-step process. The Hacker News reports that the malware sends Gemini a prompt along with an XML dump of what is currently visible on the infected device’s screen, including UI elements, text labels, class types, and screen coordinates.
Gemini processes this information and responds with JSON-formatted instructions telling the malware exactly where to tap or swipe. According to SecurityWeek, the malware executes these actions through Android’s Accessibility Services, retrieves the updated screen state, and sends it back to Gemini in a continuous loop until successfully locked in the recent apps list.
This AI-powered approach solves a major problem traditional Android malware faces. Android Authority notes that hardcoded tap coordinates and UI selectors typically break across different devices, Android versions, and screen sizes. By using Gemini, PromptSpy adapts to any configuration.
What PromptSpy Can Do
Beyond the AI-powered persistence mechanism, PromptSpy includes dangerous capabilities. Its main purpose is to deploy a VNC (Virtual Network Computing) module that gives attackers complete remote access to infected devices.
According to ESET’s report, PromptSpy can:
- Capture lockscreen PINs or passwords
- Record the screen to obtain unlock patterns
- Take screenshots on demand
- Gather device information
- Block uninstallation through invisible overlays
The malware places transparent boxes over uninstall buttons, making them unresponsive when users try to remove it. The only removal method is rebooting into safe mode, in which third-party apps are disabled.
Distribution and Targets
PromptSpy appears to target users in Argentina through fake banking apps. Android Headlines reports that samples were distributed via dedicated phishing websites impersonating JPMorgan Chase under the name “MorganArg” (Morgan Argentina).
ESET discovered samples uploaded to VirusTotal from Hong Kong in January 2026 and from Argentina in February. While researchers haven’t yet observed PromptSpy in widespread distribution, the existence of dedicated distribution domains suggests it may have been actively used or was at least intended for real attacks beyond proof-of-concept.
Google’s Response
Following ESET’s disclosure, Google provided a statement confirming no apps containing PromptSpy were found on Google Play. “Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services,” a Google spokesperson said.
Security Brief notes that ESET shared its findings with Google through the App Defense Alliance channel before public disclosure, allowing Google to add PromptSpy signatures to Play Protect.
Why This Matters for Android Security
PromptSpy represents a troubling evolution in mobile threats. Traditional malware relies on brittle scripting that fails across different devices. By leveraging generative AI, attackers can create adaptive malware that works regardless of Android version, device manufacturer, or screen layout.
The Register warns this is likely just the beginning. “More broadly, this campaign shows how generative AI can make malware far more dynamic and capable of real-time decision-making,” ESET stated. “PromptSpy illustrates how quickly attackers are beginning to misuse AI tools to improve impact.”
How to Protect Yourself
Given the PromptSpy threat, Android users should take several precautions:
- Only install apps from the Google Play Store
- Keep Google Play Protect enabled (it’s on by default)
- Review app permissions carefully before granting them
- Be suspicious of apps requesting Accessibility Services access
- Avoid downloading apps from third-party websites
- Keep your Android device updated with the latest security patches
If you suspect infection, reboot your device into safe mode (usually by holding the power button, then long-pressing the “Power off” option for several seconds), then uninstall suspicious apps through Settings.
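PromptSpy depends on an enabled Accessibility Service in an app that did not come from Google Play. The following triage helper is an added example, not tooling from ESET or Google: it parses the output formats of `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services` (as I understand them; the sample outputs are constructed, and the package names are placeholders) and flags sideloaded apps that have an accessibility service switched on, so an analyst can review them before rebooting into safe mode.

```python
"""Triage helper: flag sideloaded apps that hold an enabled Accessibility
Service. Added example, not ESET's or Google's tooling. Input formats are
assumed to follow `adb shell pm list packages -i` and
`adb shell settings get secure enabled_accessibility_services`; the sample
outputs below are constructed, not captured from a real device."""
import re

PLAY_STORE_INSTALLER = "com.android.vending"  # Google Play's package name

# Constructed sample of `pm list packages -i` (package plus installer).
SAMPLE_PACKAGES = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.fakebank  installer=null
package:com.google.android.marvin.talkback  installer=com.android.vending
"""

# Constructed sample of the enabled_accessibility_services secure setting:
# colon-separated "package/ServiceClass" entries.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.fakebank/.RemoteService")

_PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)")


def parse_installers(pm_output: str) -> dict:
    """Map package name -> installer ('null' when sideloaded)."""
    result = {}
    for line in pm_output.splitlines():
        m = _PKG_RE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def parse_a11y_services(setting: str) -> set:
    """Packages with at least one enabled accessibility service."""
    return {entry.split("/", 1)[0] for entry in setting.split(":") if "/" in entry}


def suspicious_packages(pm_output: str, a11y_setting: str) -> list:
    """Packages with accessibility enabled that were not installed by Play."""
    installers = parse_installers(pm_output)
    return [pkg for pkg in sorted(parse_a11y_services(a11y_setting))
            if installers.get(pkg, "null") != PLAY_STORE_INSTALLER]


if __name__ == "__main__":
    for pkg in suspicious_packages(SAMPLE_PACKAGES, SAMPLE_A11Y):
        print("review:", pkg)  # prints "review: com.example.fakebank"
```

On a real device, feed the script the two adb outputs instead of the constructed samples; a hit is a lead for manual review, not proof of infection, since legitimate accessibility tools installed outside Play will also appear.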
The Bigger Picture
The PromptSpy discovery follows ESET’s August 2025 announcement of PromptLock, the first AI-powered ransomware. Together, these threats demonstrate how quickly cybercriminals are weaponizing generative AI capabilities.
As Security Affairs notes, attackers are no longer just using AI to create phishing emails or fake websites—they’re integrating AI directly into malware execution, creating threats that adapt and evolve in real-time.
PromptSpy may be limited in scope today, but it signals where mobile security is heading. As AI models become more capable and accessible, expect cybercriminals to find increasingly creative ways to exploit them. The arms race between security researchers and threat actors has entered a new AI-powered phase.