PromptSpy, the first known Android malware to dynamically exploit Google's Gemini generative AI to alter user interfaces during attacks, was discovered by ESET researchers This article explores promptspy malicious app. . With the use of AI to modify persistence mechanisms across various Android devices and layouts, this threat represents a change in mobile malware strategies.

Gemini is only used by PromptSpy to keep the malicious app locked in the list of recently installed apps, avoiding simple swipes or system kills.

The malware sends a hardcoded natural-language prompt to Gemini, which serves as a "Android automation assistant," along with an XML dump of the current screen that includes the text, type, and position of every UI element. For accurate taps, long clicks, or swipes, Gemini reacts with JSON instructions, generating a feedback loop until success is verified by visual cues like a padlock icon. The drawbacks of conventional hardcoded coordinates or selectors—which malfunction across OS versions, manufacturers, or skins—are addressed by this method.

PromptSpy increases the number of victims by using AI to automate context-aware gestures without the need for unique scripts for each device.

Hardcoded prompts in a snippet of malware code (Source: welivesecurity) After the PromptLock ransomware in August 2025, this is the second AI-malware discovery, according to ESET, underscoring the expanding role of generative AI in dynamic threat execution. Essential Malevolent Elements In addition to AI persistence, PromptSpy's main feature is the deployment of a VNC module for remote operator access, which permits full-screen viewing and control via inputs, swipes, and taps. In order to read screen content, block uninstalls with invisible overlays on buttons like "Uninstall" or "Stop," record activity, take screenshots, record lockscreen PINs or patterns via video, and report device details or foreground apps, it misuses accessibility services.

AES-encrypted messages are sent via the VNC protocol to a hardcoded C2 server located at 54.67.2[. ]84.

The malware targets screen recordings for operator-specified apps, asks C2 for a Gemini API key, and lists installed apps. Google's cached information for the fraudulent website (Source: welivesecurity) Standard uninstalls are rendered ineffective by anti-removal overlays; in order to turn off and delete third-party apps, victims must restart into Safe Mode, usually by long-pressing Power off from the power menu. Attribution and Distribution In January 2026, VNCSpy precursors from Hong Kong and advanced PromptSpy droppers from Argentina appeared on VirusTotal.

Droppers posed as "MorganArg" apps that imitated Chase Bank and were distributed via mgardownload[. ]com (offline), requiring manual payload installs from embedded app-release.apk. On m-mgarg[. ]com, a companion phishing trojan distributed phony Spanish banking websites and signing certificates.

While handlers for Chinese accessibility events and debug strings in simplified Chinese indicate development in a Chinese-speaking environment, localization clues indicate financial motivations aimed at Argentina. In order to install PromptSpy, Dropper asks for permission to install unknown apps (Source: welivesecurity). Distribution domains suggest wild deployment, but no telemetry hits suggest a potential proof-of-concept status.

Through the App Defense Alliance, ESET shared its findings with Google; Play Protect automatically blocks known variants. Details of the IP/Domain Initially Observed Hosting 52.222.205[. ]45 m-mgarg[. ]com (phishing) 2026-01-12 Amazon 54.67.2[.

]84 C2 server N/A 104.21.91 on Amazon[. ]170 mgardownload[. ]com (distribution) Cloudflare 2026-01-13 Welivesecurity claims that promptSpy alerts users to changing Android threats, where AI allows for real-time adaptation, and that sideloading and accessibility prompts should be avoided. Complete IoCs on ESET's GitHub.