ESET researchers have identified PromptSpy, an Android Trojan that uses a commercial generative AI model to keep itself running on compromised devices. Disclosed earlier this month, it is a notable step in mobile malware because the model, not hardcoded logic, decides how to operate the device's user interface.
How PromptSpy Operates
PromptSpy uses Google's Gemini model to interpret the screen of an infected device and to generate step-by-step instructions for locking itself into the recent apps list, so that its process survives. It sends a natural-language prompt together with the current screen's UI hierarchy, serialized as XML, to Gemini and receives navigation guidance that adapts to whatever interface and Android version the device presents.
Generative AI is used only for that persistence step. The core of PromptSpy is a Virtual Network Computing (VNC) module that gives the operator full remote control of the device. Once installed, the malware can:
- Viewing the device’s screen
- Performing actions remotely
- Capturing lock screen data
- Blocking uninstallation attempts
- Gathering device information
- Taking screenshots
- Recording screen activity as video
Traffic to the command-and-control servers is AES-encrypted. The malware abuses Android Accessibility Services (a permission it obtains from the user, not a vulnerability) to drive the UI on the operator's behalf, and draws invisible overlays to intercept taps, which is how it blocks uninstallation attempts.
Distribution and Targeting
The malware is distributed from a dedicated website rather than through Google Play; ESET shared its findings with Google through the App Defense Alliance partnership. Google Play Protect automatically blocks the known versions on devices that run Google Play Services.
“This campaign appears to be financially motivated,” ESET researcher Lukáš Štefanko remarked in the company’s announcement. “Since Android malware often relies on UI-based navigation, leveraging generative AI enables threat actors to adapt to more or less any device, layout, or operating system version, which can greatly increase the pool of potential victims.”
PromptSpy marks ESET’s second discovery of AI-powered malware, following the identification of PromptLock in August 2025, which was recognized as the first known instance of AI-driven ransomware.
Implications for the Future
PromptSpy has not yet been seen in widespread campaigns, but it demonstrates how attackers can repurpose commercial AI services. Conventional Android malware that automates the UI relies on hardcoded screen coordinates or fixed control identifiers, which break whenever a minor layout change appears between Android versions or manufacturer skins. PromptSpy instead asks the model, at runtime, which on-screen element to act on, so the same sample works across interface variations without per-device tuning.
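The round trip described in the operation section (prompt plus XML screen dump in, navigation instruction out) and the coordinate brittleness discussed here, as an added Python example. This is not ESET's analysis code and not the malware's code: the two XML screens are constructed in the style of a uiautomator hierarchy dump, the remote model is replaced by an offline stand-in that only matches a keyword, and the JSON instruction format, the "lock" goal wording and all helper names are assumptions. It shows the same fixed tap landing on a different control when the layout changes, while a label-based instruction resolved against the current screen lands on the intended control on both.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample screens (assumption: two device skins rendering a recents/overview
# screen differently). The app-lock control moves and is labelled differently on each.
SCREEN_A = """<hierarchy rotation="0">
  <node class="android.widget.FrameLayout" bounds="[0,0][1080,2400]" text="" content-desc="">
    <node class="android.widget.TextView" bounds="[80,300][1000,380]" text="Recent apps" content-desc=""/>
    <node class="android.widget.TextView" bounds="[80,500][600,560]" text="Demo App" content-desc=""/>
    <node class="android.widget.ImageButton" bounds="[900,600][1000,700]" text="" content-desc="Lock Demo App"/>
    <node class="android.widget.Button" bounds="[400,2200][680,2300]" text="Clear all" content-desc=""/>
  </node>
</hierarchy>"""

SCREEN_B = """<hierarchy rotation="0">
  <node class="android.widget.FrameLayout" bounds="[0,0][1080,2400]" text="" content-desc="">
    <node class="android.widget.TextView" bounds="[80,300][600,380]" text="Overview" content-desc=""/>
    <node class="android.widget.Button" bounds="[800,600][1040,700]" text="Clear all" content-desc=""/>
    <node class="android.widget.TextView" bounds="[80,1400][600,1460]" text="Demo App" content-desc=""/>
    <node class="android.widget.Button" bounds="[120,1500][520,1600]" text="Lock this app" content-desc=""/>
  </node>
</hierarchy>"""

BOUNDS_RE = re.compile(r"\[(\d+),(\d+)\]\[(\d+),(\d+)\]")
# Tap position a coordinate-based automaton would bake in after testing only on SCREEN_A.
HARDCODED_LOCK_TAP = (950, 650)


def parse_nodes(xml_text):
    """Flatten a hierarchy dump into nodes with label fields and integer bounds."""
    nodes = []
    for el in ET.fromstring(xml_text).iter("node"):
        m = BOUNDS_RE.fullmatch(el.get("bounds", ""))
        if not m:
            continue
        x1, y1, x2, y2 = map(int, m.groups())
        nodes.append({"class": el.get("class", ""), "text": el.get("text", ""),
                      "desc": el.get("content-desc", ""), "bounds": (x1, y1, x2, y2)})
    return nodes


def center(bounds):
    x1, y1, x2, y2 = bounds
    return ((x1 + x2) // 2, (y1 + y2) // 2)


def node_at(nodes, x, y):
    """Label of the smallest node under (x, y): what a tap there would actually hit."""
    hits = [n for n in nodes
            if n["bounds"][0] <= x <= n["bounds"][2] and n["bounds"][1] <= y <= n["bounds"][3]]
    if not hits:
        return None
    n = min(hits, key=lambda n: (n["bounds"][2] - n["bounds"][0]) * (n["bounds"][3] - n["bounds"][1]))
    return n["text"] or n["desc"] or n["class"]


def build_prompt(goal, screen_xml):
    """Natural-language goal plus the serialized screen, the pattern the article describes."""
    return (f"Goal: {goal}\n"
            'Reply with JSON {"action": "tap", "target": <text or content-desc of the node to tap>}.\n'
            f"Screen:\n{screen_xml}")


def stub_model(prompt):
    """Offline stand-in for the hosted model (assumption). It answers with a node label,
    never with coordinates, which is what makes the instruction layout-independent."""
    screen_xml = prompt.split("Screen:\n", 1)[1]
    for n in parse_nodes(screen_xml):
        label = n["text"] or n["desc"]
        if "lock" in label.lower():
            return json.dumps({"action": "tap", "target": label})
    return json.dumps({"action": "none", "target": None})


def resolve_instruction(reply, nodes):
    """Map the model's label-based instruction onto coordinates for *this* screen."""
    instr = json.loads(reply)
    if instr.get("action") != "tap":
        return None
    for n in nodes:
        if instr["target"] in (n["text"], n["desc"]):
            return center(n["bounds"])
    return None  # label not on screen: caller should re-query rather than tap blindly


def navigate(goal, screen_xml, model=stub_model):
    """One round trip: screen -> prompt -> instruction -> tap coordinates -> control hit."""
    nodes = parse_nodes(screen_xml)
    xy = resolve_instruction(model(build_prompt(goal, screen_xml)), nodes)
    return xy, (node_at(nodes, *xy) if xy else None)


def hardcoded(screen_xml, xy=HARDCODED_LOCK_TAP):
    """The brittle alternative: tap a fixed position regardless of what is drawn there."""
    return xy, node_at(parse_nodes(screen_xml), *xy)


if __name__ == "__main__":
    for name, screen in (("skin A", SCREEN_A), ("skin B", SCREEN_B)):
        print(name, "hardcoded ->", hardcoded(screen), "| model-guided ->",
              navigate("lock this app in the recent apps list", screen))
```

On the second skin the fixed tap lands on "Clear all", which would wipe the recents list instead of pinning the app; the label-resolved instruction finds the lock control on both. For defenders the useful observation is the inverse: a resolver that works from the accessibility tree needs that tree, so an app requesting Accessibility Services it has no user-facing reason for, combined with outbound traffic to a generative AI API, is the combination worth alerting on.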
ESET’s analysis indicates that the malware is regionally targeted, with Argentina as the focus based on language clues and the distribution method, while artifacts in the samples suggest development in a Chinese-speaking environment. ESET also attributes the earlier VNCSpy and PromptSpy to the same threat actor.