ESET researchers uncovered the primary recognized case of Android malware abusing generative AI for context-aware person interface manipulation. Whereas machine studying has been used to comparable ends already \u2013 only in the near past, researchers at Dr.WEB discovered Android.Phantom<\/a>, which makes use of TensorFlow machine studying fashions to research commercial screenshots and robotically click on on detected parts for big scale advert fraud \u2013 that is the primary time we’ve got seen generative AI deployed on this method. As a result of the attackers depend on prompting an AI mannequin (on this occasion, Google\u2019s Gemini) to information malicious UI manipulation, we’ve got named this household PromptSpy. That is the second AI powered malware we’ve got found \u2013 following PromptLock<\/a> in August 2025, the primary recognized case of AI-driven ransomware.<\/p>\n Whereas generative AI is deployed solely in a comparatively minor a part of PromptSpy’s code \u2013 that liable for attaining persistence \u2013 it nonetheless has a big affect on the malware’s adaptability. Particularly, Gemini is used to research the present display screen and supply PromptSpy with step-by-step directions on how to make sure the malicious app stays pinned within the latest apps listing, thus stopping it from being simply swiped away or killed by the system. The AI mannequin and immediate are predefined within the code and can’t be modified. Since Android malware usually depends on UI navigation, leveraging generative AI permits the menace actors to adapt to kind of any system, structure, or OS model, which may tremendously broaden the pool of potential victims.<\/p>\n The principle objective of PromptSpy is to deploy a built-in VNC module, giving operators distant entry to the sufferer\u2019s system. This Android malware additionally abuses the Accessibility Service to dam uninstallation with invisible overlays, captures lockscreen information, data video. It communicates with its C&C server through the VNC protocol, utilizing AES encryption.<\/p>\n Based mostly on language localization clues and the distribution vectors noticed throughout evaluation, this marketing campaign seems to be financially motivated and appears to primarily goal customers in Argentina. Apparently, analyzed PromptSpy samples counsel that it was developed in a Chinese language\u2011talking surroundings.<\/p>\n PromptSpy is distributed by a devoted web site and has by no means been out there on Google Play. As an App Protection Alliance companion, we however shared our findings with Google. Android customers are robotically protected towards recognized variations of this malware by Google Play Defend<\/a>, which is enabled by default on Android gadgets with Google Play Providers.<\/p>\n Key factors of this blogpost:<\/strong><\/p>\n Although PromptSpy makes use of Gemini in simply one in all its options, it nonetheless demonstrates how incorporating these AI instruments could make malware extra dynamic, giving menace actors methods to automate actions that will usually be harder with conventional scripting.<\/p>\n As was briefly talked about already, Android malware normally relies on hardcoded display screen options akin to faucets, coordinates, or UI selectors \u2013 strategies that may break with UI modifications throughout gadgets, OS variations, or producer skins. PromptSpy goals to attain persistence by staying embedded within the listing of latest apps by executing the \u201clock app in latest apps\u201d gesture (the complete course of is described within the Evaluation<\/a> <\/em>part), which varies between gadgets and producers. This makes it tough to automate with mounted scripts historically utilized by Android malware.<\/p>\n PromptSpy due to this fact takes a very totally different strategy: it sends Gemini a pure\u2011language immediate together with an XML dump of the present display screen, giving the AI an in depth view of each UI aspect: its textual content, sort, and precise place on the show.<\/p>\n Gemini processes this info and responds with JSON directions that inform the malware what motion to carry out (for instance, a faucet) and the place to carry out it. The malware saves each its earlier prompts and Gemini\u2019s responses, permitting Gemini to grasp context and to coordinate multistep interactions.<\/p>\n Determine 1 exhibits a code snippet of PromptSpy\u2019s initialization of communication with Gemini, together with the primary immediate used. By handing the decision-making over to Gemini, the malware can acknowledge the right UI aspect and carry out the suitable gesture, holding the malware alive even when the person tries to shut it.<\/p>\n PromptSpy continues prompting Gemini till the AI confirms that the app has been efficiently locked, displaying a suggestions loop the place the malware waits for validation earlier than transferring on.<\/p>\n In February 2026, we uncovered two variations of a beforehand unknown Android malware household. The primary model, which we named VNCSpy, appeared on VirusTotal on January 13th<\/sup>, 2026 and was represented by three samples uploaded from Hong Kong. On February 10th<\/sup>, 2026, 4 samples of extra superior malware based mostly on VNCSpy had been uploaded to VirusTotal from Argentina.<\/p>\n Our evaluation of the samples from Argentina revealed multistage malware with a malicious payload that misuses Google\u2019s Gemini. Based mostly on these findings, we named the primary stage of this malware PromptSpy dropper, and its payload PromptSpy.<\/p>\n It needs to be famous that we haven\u2019t but seen any samples of the PromptSpy dropper or its payload in our telemetry, which could point out that each of them are simply proofs of idea. Nonetheless, based mostly on the existence of a attainable distribution area described within the following paragraphs, we can not low cost the opportunity of the PromptSpy dropper and PromptSpy present within the wild.<\/p>\n In response to VirusTotal information, all 4 PromptSpy dropper samples had been distributed via the web site mgardownload[.]com<\/span>; it was already offline throughout our evaluation.<\/p>\n After putting in and launching PromptSpy dropper, it opened a webpage hosted on m\u2011mgarg[.]com<\/span>. Though this area was additionally offline, Google\u2019s cached model revealed that it possible impersonated a Chase Financial institution (legally, JPMorgan Chase Financial institution N.A.) website (see Determine 2).<\/p>\n The malware makes use of comparable branding, with the app title MorganArg<\/span> and the icon impressed by Chase financial institution (see Determine 3). MorganArg<\/span>, possible a shorthand for \u201cMorgan Argentina\u201d, additionally seems because the title of the cached web site, suggesting a regional focusing on focus.<\/p>\n We used the m-mgarg[.]com<\/span> area to pivot in VirusTotal, main us to one more Android malware pattern (Android\/Phishing.Agent.M). VirusTotal confirmed the spoofed web site in Spanish, with an Iniciar sesi\u00f3n<\/span> (Login) button, indicating that the web page was in all probability supposed to imitate an internet site of a financial institution (see Determine 4).<\/p>\n This trojan seems to operate as a companion utility developed by the identical menace actor behind VNCSpy and PromptSpy. Within the background, the trojan contacts its server to request a configuration file, which features a hyperlink to obtain one other APK, introduced to the sufferer, in Spanish, as an replace. Throughout our analysis, the configuration server was now not accessible, so the precise obtain URL stays unknown. Nonetheless, on condition that it makes use of the identical distinctive financial institution spoofing web site, the identical app title, icon, and, most significantly, is signed by the identical distinctive developer certificates because the PromptSpy dropper \u2013 we strongly suspect this app might function the preliminary stage designed to guide victims towards putting in PromptSpy.<\/p>\n Each VNCSpy and PromptSpy embody a VNC part, giving their operators full distant entry to compromised gadgets as soon as victims allow Accessibility Providers (see Determine 5). This enables the malware operators to see every thing taking place on the system, and to carry out faucets, swipes, gestures, and textual content enter as if they had been bodily holding the cellphone.<\/p>\n On high of the malicious capabilities already contained in VNCSpy, PromptSpy provides AI\u2011assisted UI manipulation, serving to it keep persistence by holding the malicious app pinned within the latest apps listing (an instance of how the lock is indicated within the listing could be seen in Determine 6).<\/p>\n We consider this performance is used earlier than the VNC session is established, in order that the person or system won’t kill the PromptSpy exercise from the listing of latest apps. In Determine 7, you possibly can see PromptSpy community communication with Gemini AI.<\/p>\n Whereas analyzing PromptSpy, we seen that it accommodates debug strings written in simplified Chinese language. It even contains dealing with for numerous Chinese language Accessibility occasion varieties (see Determine 8), a debug technique that had been disabled within the code however not eliminated. The first objective of this technique is to supply a localized (Chinese language) clarification for numerous accessibility occasions that happen on an Android system. This makes the occasion logs extra comprehensible for Chinese language-speaking customers or builders, relatively than simply displaying uncooked integer codes.<\/p>\n With medium confidence, these particulars counsel that PromptSpy was developed in a Chinese language\u2011talking surroundings.<\/p>\n Our technical evaluation focuses on the PromptSpy dropper and its payload, PromptSpy. PromptSpy is embedded (app-release.apk<\/span>) contained in the dropper\u2019s asset listing. This APK holds the core malicious performance. When the dropper is launched, it shows a immediate urging the person to put in what seems to be an up to date model of the app. This \u201creplace\u201d is definitely the PromptSpy payload, which the person should set up manually (see Determine 9).<\/p>\n As soon as put in and launched, PromptSpy requests Accessibility Service<\/em><\/a> permissions, giving the malware the power to learn on\u2011display screen content material and carry out automated clicks.<\/p>\n Then PromptSpy exhibits a easy loading-style decoy display screen within the foreground (see Determine 10). In the meantime, within the background, it begins speaking with Gemini AI to acquire directions wanted to lock its course of within the Latest Apps listing \u2013 a easy persistence approach that permits PromptSpy to stay energetic and locked in place even after the system is rebooted.<\/p>\n When the person sees the Loading, please wait<\/span> exercise, PromptSpy makes use of Accessibility Providers to open the Latest Apps display screen and gather detailed UI info: seen textual content, content material descriptions, class names, package deal names, and display screen bounds. It serializes this dynamic UI snapshot as XML and contains it in its immediate to Gemini. Gemini then returns step-by-step faucet directions on tips on how to obtain the \u201capp lock\u201d gesture.<\/p>\n This course of kinds a steady loop:<\/p>\n The loop continues till Gemini confirms that the app is efficiently locked in latest apps. Right here is an instance construction:<\/p>\n All actions steered by Gemini \u2013 faucets, swipes, navigation \u2013 are executed via Accessibility Providers, permitting the malware to work together with the system with out person enter.<\/p>\n PromptSpy\u2019s essential malicious functionality lies in its constructed\u2011in VNC service. This enables attackers to remotely view the sufferer\u2019s display screen in actual time and absolutely management the system.<\/p>\n The malware communicates with its hardcoded command\u2011and\u2011management (C&C) server at 54.67.2[.]84<\/span> utilizing the VNC protocol; the messages are AES-encrypted utilizing a hardcoded key. By way of this communication channel, the malware can:<\/p>\n PromptSpy additionally misuses Accessibility Providers as an anti\u2011removing mechanism. When the person makes an attempt to uninstall the payload or disable Accessibility Providers, the malware overlays clear rectangles on particular display screen areas – significantly over buttons containing substrings like cease<\/span>, finish<\/span>, clear<\/span>, and Uninstall<\/span>. These overlays are invisible to the person however intercept interactions, making removing tough. In Determine 11, we\u2019ve run PromptSpy with the debug flag enabled (saved there by builders) that will set the colour of the clear rectangle, to visualise the place they’re particularly displayed. Nonetheless, on the precise system, they’re absolutely invisible.<\/p>\n As a result of PromptSpy blocks uninstallation by overlaying invisible parts on the display screen, the one manner for a sufferer to take away it’s to reboot the system into Protected Mode, the place third\u2011get together apps are disabled and could be uninstalled usually.<\/p>\n To enter Protected Mode, customers ought to usually press and maintain the facility button, lengthy\u2011press Energy off, and make sure the Reboot to Protected Mode immediate (although the precise technique might differ by system and producer). As soon as the cellphone restarts in Protected Mode, the person can go to Settings \u2192 Apps \u2192 MorganArg and uninstall it with out interference.<\/p>\n PromptSpy exhibits that Android malware is starting to evolve in a sinister manner. By counting on generative AI to interpret on\u2011display screen parts and determine tips on how to work together with them, the malware can adapt to nearly any system, display screen measurement, or UI structure it encounters. As a substitute of hardcoded faucets, it merely arms AI a snapshot of the display screen and receives exact, step\u2011by\u2011step interplay directions in return, serving to it obtain a persistence approach immune to UI modifications.<\/p>\n Extra broadly, this marketing campaign exhibits how generative AI could make malware much more dynamic and able to actual\u2011time resolution\u2011making. PromptSpy is an early instance of generative AI\u2011powered Android malware, and it illustrates how shortly attackers are starting to misuse AI instruments to enhance affect.<\/p>\n A complete listing of indicators of compromise (IoCs) and samples could be present in our GitHub repository<\/a>.<\/p>\n\n
\n
PromptSpy\u2019s AI-powered performance<\/h2>\n
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/02-26\/promptspy\/figure-1.png\" "\\"Figure")
PromptSpy overview<\/h2>\n
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/02-26\/promptspy\/figure-2.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/02-26\/promptspy\/figure-3.png\" "\\"\\"")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/02-26\/promptspy\/figure-4.jpg\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/02-26\/promptspy\/figure-5.png\" "\\"\\"")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/02-26\/promptspy\/figure-6.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/02-26\/promptspy\/figure-7.jpg\" "\\"Figure")
Origins<\/h3>\n
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/02-26\/promptspy\/figure-8.png\" "\\"Figure")
Evaluation<\/h2>\n
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/02-26\/promptspy\/figure-9.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/02-26\/promptspy\/figure-10.png\" "\\"\\"")
\n
\n
\n
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/02-26\/promptspy\/figure-11.jpg\" "\\"Figure")
Conclusion<\/h2>\n
\n
IoCs<\/h2>\n
Information<\/h3>\n
\n\n
\n SHA-1<\/strong><\/td>\n Filename<\/strong><\/td>\n Detection<\/strong><\/td>\n Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n\n \n 6BBC9AB132BA066F6367 internet.ustexas. Android\/Spy.VNCSpy.A<\/td>\n Android VNCSpy malware.<\/td>\n<\/tr>\n \n 375D7423E63C8F5F2CC8 nlll4.un7o6. Android\/Spy.VNCSpy.A<\/td>\n Android VNCSpy malware.<\/td>\n<\/tr>\n \n 3978AC5CD14E357320E1 ppyzz.dpk0p. Android\/Spy.VNCSpy.A<\/td>\n Android VNCSpy malware.<\/td>\n<\/tr>\n \n E60D12017D2DA579DF87 mgappc-1.apk<\/span><\/td>\n Android\/Spy.PromptSpy.A<\/td>\n Android PromptSpy dropper.<\/td>\n<\/tr>\n \n 9B1723284E3117949879 mgappm-1.apk<\/span><\/td>\n Android\/Spy.PromptSpy.A<\/td>\n Android PromptSpy dropper.<\/td>\n<\/tr>\n \n 076801BD9C6EB78FC033 mgappn-0.apk<\/span><\/td>\n Android\/Spy.PromptSpy.A<\/td>\n Android PromptSpy dropper.<\/td>\n<\/tr>\n \n 8364730E9BB2CF3A4B01 mgappn-1.apk<\/span><\/td>\n Android\/Spy.PromptSpy.A<\/td>\n Android PromptSpy dropper.<\/td>\n<\/tr>\n \n F8F4C5BC498BCCE907DC app-release. Android\/Spy.PromptSpy.A<\/td>\n Android PromptSpy.<\/td>\n<\/tr>\n \n C14E9B062ED28115EDE0 mgapp.apk<\/span><\/td>\n Android\/Phishing.Agent.M<\/td>\n Android phishing malware.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n Community<\/h2>\n
![\"\"](\"https:\/\/web-assets.esetstatic.com\/wls\/eti-eset-threat-intelligence.png\")
<\/a><\/p>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"