For years, Android fans have rolled their eyes when someone says the platform is insecure. Stick to Google Play, avoid sketchy APKs, keep Play Protect enabled, and you are probably fine. That has been the general vibe.
Well, that comfort blanket just got a little thinner.
Security researchers at ESET say they have discovered what appears to be the first Android malware strain to directly abuse generative AI as part of how it operates. The family, called PromptSpy, does not just use traditional scripts and hardcoded taps to poke around your phone. It actually prompts Google’s Gemini to help it figure out what to do next.
Yes, really.
According to ESET, PromptSpy feeds Gemini a dump of the current screen in XML form. That includes visible text, UI elements, and their coordinates. Gemini then responds with structured instructions telling the malware where to tap, long press, or swipe. The goal is simple but clever – keep the malicious app pinned in the recent apps list so it cannot be easily swiped away or killed.
Normally, Android malware relies on fixed screen coordinates or specific UI labels. The problem for attackers is that Android is fragmented. Different manufacturers tweak the interface. Buttons move. Layouts change. A script that works on one phone might fail on another.
PromptSpy sidesteps that headache by letting AI interpret the interface in real time. Instead of guessing, it asks.
The malware sends a natural language prompt to Gemini along with the current screen state. Gemini replies in JSON with step-by-step interaction instructions. PromptSpy executes those actions using abused Accessibility Services, then sends back the updated screen. This loop continues until the AI confirms the app has been successfully locked in the recent apps list.
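To make that loop concrete, here is an added Python simulation of it. It is not ESET's code and not PromptSpy's own prompt or JSON format, which the article does not reproduce; the uiautomator-style XML dump, the action vocabulary (tap, long_press, swipe, done), the screen labels and the keyword-matching stub that stands in for Gemini are all assumptions, and the three-screen fake device is constructed for the demo. What it shows is how little logic the malware itself has to carry once something else reads the screen: parse the dump, hand it over, validate the reply, execute, repeat.

```python
# Added illustration of the screen -> model -> action loop; not PromptSpy's own code.
# The XML layout, action schema, labels and the stub planner are assumptions.
import json
import re
import xml.etree.ElementTree as ET

BOUNDS_RE = re.compile(r"\[(\d+),(\d+)\]\[(\d+),(\d+)\]")
ACTIONS = {"tap", "long_press", "swipe", "done"}

# Constructed three-screen "device": a recents overview, the menu behind its
# overflow button, and the overview again once the task has been locked.
SCREENS = {
    "recents": """<hierarchy>
  <node content-desc="More options" resource-id="com.example:id/task_menu" clickable="true" bounds="[900,100][1080,200]"/>
  <node text="Loading" resource-id="com.example:id/status" clickable="false" bounds="[0,300][1080,400]"/>
</hierarchy>""",
    "menu": """<hierarchy>
  <node text="Lock this app" resource-id="com.example:id/lock" clickable="true" bounds="[100,500][980,600]"/>
  <node text="Close" resource-id="com.example:id/close" clickable="true" bounds="[100,650][980,750]"/>
</hierarchy>""",
    "locked": """<hierarchy>
  <node content-desc="More options" resource-id="com.example:id/task_menu" clickable="true" bounds="[900,100][1080,200]"/>
  <node text="Locked" resource-id="com.example:id/badge" clickable="false" bounds="[0,300][1080,400]"/>
</hierarchy>""",
}
TRANSITIONS = {
    ("recents", "com.example:id/task_menu"): "menu",
    ("menu", "com.example:id/lock"): "locked",
    ("menu", "com.example:id/close"): "recents",
}


def parse_screen(xml_text):
    """Reduce a hierarchy dump to the compact element table a planner would be sent."""
    elements = []
    for node in ET.fromstring(xml_text).iter("node"):
        m = BOUNDS_RE.fullmatch(node.get("bounds", ""))
        if not m:
            continue
        x1, y1, x2, y2 = map(int, m.groups())
        elements.append({
            "text": node.get("text") or node.get("content-desc") or "",
            "id": node.get("resource-id", ""),
            "clickable": node.get("clickable") == "true",
            "bounds": (x1, y1, x2, y2),
            "center": ((x1 + x2) // 2, (y1 + y2) // 2),
        })
    return elements


def element_at(elements, x, y):
    """First clickable element whose bounds contain (x, y), or None."""
    for e in elements:
        x1, y1, x2, y2 = e["bounds"]
        if e["clickable"] and x1 <= x <= x2 and y1 <= y <= y2:
            return e
    return None


def validate_action(raw, elements):
    """Parse the planner's JSON reply and refuse anything off-schema or off-screen."""
    try:
        action = json.loads(raw)
    except json.JSONDecodeError:
        return None
    kind = action.get("action")
    if kind == "done":
        return action
    if kind not in ACTIONS or not all(isinstance(action.get(k), int) for k in ("x", "y")):
        return None
    if kind == "swipe":
        return action if all(isinstance(action.get(k), int) for k in ("to_x", "to_y")) else None
    return action if element_at(elements, action["x"], action["y"]) else None


def stub_planner(elements, goal):
    """Keyword stand-in for the model: report done once 'Locked' is visible, else tap
    a label matching the goal, else open whatever looks like a menu."""
    if any("locked" in e["text"].lower() for e in elements):
        return json.dumps({"action": "done"})
    for wanted in (goal, "options", "menu"):
        for e in elements:
            if e["clickable"] and wanted.lower() in e["text"].lower():
                return json.dumps({"action": "tap", "x": e["center"][0], "y": e["center"][1]})
    return json.dumps({"action": "done"})


class FakeDevice:
    """Constructed device: taps move between the SCREENS above via TRANSITIONS."""
    def __init__(self):
        self.screen = "recents"

    def dump(self):
        return SCREENS[self.screen]

    def perform(self, action, elements):
        if action["action"] in ("tap", "long_press"):
            hit = element_at(elements, action["x"], action["y"])
            self.screen = TRANSITIONS.get((self.screen, hit["id"]), self.screen)


def run_loop(device, planner, goal, max_steps=10):
    """Screen -> planner -> validated action -> execute, until 'done' or the step cap."""
    trace = []
    for _ in range(max_steps):
        elements = parse_screen(device.dump())
        action = validate_action(planner(elements, goal), elements)
        if action is None:
            trace.append("rejected")
            break
        trace.append(action["action"])
        if action["action"] == "done":
            break
        device.perform(action, elements)
    return trace


if __name__ == "__main__":
    dev = FakeDevice()
    print(run_loop(dev, stub_planner, "lock"), dev.screen)
```

Two details are deliberate. The executor validates every reply against the screen it was generated from, so a hallucinated coordinate lands on nothing rather than somewhere random, and the loop has a step cap; the article says PromptSpy's loop runs until the model confirms success, which is exactly the kind of open-ended loop an analyst would want bounded when replaying it.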
It is not some massive AI brain controlling every part of the attack. ESET says generative AI is used only for the persistence feature. But that feature alone makes the malware far more adaptable than the old-school tap-here, swipe-there approach.
And persistence is just the appetizer.
The main function of PromptSpy is remote control. It bundles a built-in VNC module, giving operators full access to the victim’s screen once Accessibility permissions are granted. Attackers can see everything happening in real time and perform gestures as if they are holding the phone themselves.
Communication with its command-and-control server happens over the VNC protocol, with AES encryption layered on top. Through this channel, the malware can upload a list of installed apps, intercept lockscreen PINs and passwords, record pattern-unlock attempts as video, take screenshots, report the current foreground app, and capture screen activity for apps chosen by the attacker.
In plain English, this thing can spy on just about everything.
Distribution appears to have happened outside Google Play. ESET says PromptSpy was spread via a dedicated website that has since gone offline. One stage of the malware impersonated a bank and used Spanish-language elements, pointing to a likely focus on users in Argentina. At the same time, debug strings embedded in the code were written in simplified Chinese, suggesting development in a Chinese-speaking environment.
There is also a multi-stage infection chain. A dropper app urges the victim to install what looks like an update. That update is actually the PromptSpy payload. Once launched, it requests Accessibility permissions, shows a basic loading screen, and in the background begins asking Gemini how to lock itself in the recent apps list.
It even tries to prevent removal. When a user attempts to uninstall the app or disable its Accessibility Service, the malware draws invisible overlay rectangles on top of critical buttons such as Stop, Clear or Uninstall. The buttons look tappable, but your taps land on the overlay and never reach them. Because the trick only works while the malware is running, the reliable way to remove it is to reboot into Safe Mode, where third-party apps do not start and it can be uninstalled normally.
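Put together, the behaviours the article describes (sideloaded install, an Accessibility Service, overlay permission, and outbound calls to a generative-AI API) are what a defender can actually look for in fleet telemetry. Here is an added Python triage heuristic over a constructed app inventory; it is not ESET's detection logic. The record fields, the sample apps and the choice of generativelanguage.googleapis.com as the Gemini API host are assumptions (the article only says "Gemini"), and it goes slightly beyond the text by also scoring apps that show some but not all of the signals.

```python
# Added triage heuristic over constructed device telemetry; not ESET's detection
# logic. Field names, the sample records and the Gemini API host are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

PLAY_STORE_INSTALLER = "com.android.vending"
# Public endpoint of the Gemini API (assumption: the article only says "Gemini").
GENAI_API_HOSTS = {"generativelanguage.googleapis.com"}


@dataclass
class AppRecord:
    package: str
    installer: Optional[str]      # None or a non-Play installer means sideloaded
    accessibility_bound: bool     # has an enabled AccessibilityService
    overlay_permission: bool      # holds SYSTEM_ALERT_WINDOW (draw over other apps)
    destinations: Set[str] = field(default_factory=set)  # hosts seen in DNS/HTTP logs


def risk_signals(app: AppRecord) -> List[str]:
    """Behaviours the article attributes to PromptSpy, each as one named signal."""
    signals = []
    if app.installer != PLAY_STORE_INSTALLER:
        signals.append("sideloaded")
    if app.accessibility_bound:
        signals.append("accessibility")
    if app.overlay_permission:
        signals.append("overlay")
    if app.destinations & GENAI_API_HOSTS:
        signals.append("genai_api")
    return signals


def priority(signals: List[str], threshold: int = 3) -> Optional[str]:
    """An Accessibility Service that talks to a generative-AI API is high on its own;
    otherwise fall back to counting signals. None means not worth an analyst's time."""
    if {"accessibility", "genai_api"} <= set(signals):
        return "high"
    if len(signals) >= threshold:
        return "medium"
    return None


def triage(apps: List[AppRecord]) -> List[Tuple[str, str, List[str]]]:
    """Flagged apps as (package, priority, signals), most suspicious first."""
    rows = []
    for app in apps:
        sig = risk_signals(app)
        pri = priority(sig)
        if pri:
            rows.append((app.package, pri, sig))
    order = {"high": 0, "medium": 1}
    return sorted(rows, key=lambda r: (order[r[1]], -len(r[2]), r[0]))


# Constructed sample inventory (not real telemetry): a Play-installed screen reader,
# a Play-installed AI chat client, a sideloaded "bank update", and a sideloaded game.
SAMPLE_APPS = [
    AppRecord("com.example.screenreader", PLAY_STORE_INSTALLER, True, False, {"cdn.example.net"}),
    AppRecord("com.example.aichat", PLAY_STORE_INSTALLER, False, False, {"generativelanguage.googleapis.com"}),
    AppRecord("com.example.bankupdate", None, True, True, {"generativelanguage.googleapis.com", "203.0.113.10"}),
    AppRecord("com.example.game", None, False, True, {"ads.example.org"}),
]


def main():
    for pkg, pri, sig in triage(SAMPLE_APPS):
        print(f"{pri:6} {pkg}: {', '.join(sig)}")


if __name__ == "__main__":
    main()
```

The point of the split between priority levels is false positives: a screen reader legitimately binds an Accessibility Service, and a chat client legitimately talks to the Gemini API, so neither signal is interesting alone. The same app doing both, especially when it did not come from Google Play, is the combination this family introduces, and it is the one worth paging someone for.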
Google was notified of the findings, and Play Protect, which is enabled by default on Android devices with Google Play Services, can warn about or block apps known to it as malicious. That is good news. But the bigger takeaway is harder to ignore.
We are now at the point where Android malware is outsourcing parts of its decision-making to AI models. Instead of brittle scripts, attackers can rely on a generative model to interpret whatever screen it sees and respond dynamically. Today it is just locking an app into recent apps. Tomorrow it could be navigating banking apps, privacy settings, or security prompts in ways that adapt on the fly.
Android is not suddenly doomed. But the old narrative that AI is mostly a defensive tool just took a hit. PromptSpy shows that artificial intelligence is not just helping users and developers. It is helping attackers too.
If you are installing random APKs from unknown websites, you are playing with fire. And in 2026, that fire now comes with AI baked in.