Until recently, Android threats were largely static — attackers built malicious code with preset instructions and behavior patterns. But now, researchers have uncovered something truly unprecedented: Android malware that uses a generative AI model (specifically Google’s Gemini) during execution to make decisions and adapt to the device environment.
This isn’t a distant future threat. It’s already happening.
Meet PromptSpy: The First Android Malware to Use Generative AI
Security researchers at ESET have identified a new Android malware family called PromptSpy — and it’s the first known Android malware to integrate generative AI directly into its execution flow.
Unlike conventional malware, which follows fixed code paths, PromptSpy queries a large AI model at runtime as part of its malicious behavior. Instead of hardcoded steps, it sends screen data to Google’s Gemini model and uses the model’s response to decide what to do next.
What PromptSpy Actually Does
The AI component is only one part of the threat; the malware’s other capabilities are dangerous on their own:
- Deploys a VNC server, giving attackers remote control of the victim’s device.
- Captures lockscreen data and unlock patterns.
- Records screen activity and screenshots.
- Blocks uninstallation using transparent overlays that trick users into tapping the wrong buttons.
- Gathers device information.
- Communicates with its command-and-control server securely.
The malware requires Accessibility permissions — which, if granted, give it powerful control over the device UI.
Proof of Concept or Real Threat?
It’s not yet clear how widespread PromptSpy is:
ESET has not yet observed it widely in its telemetry, suggesting it may currently be a proof of concept or a limited-use campaign.
Some samples were reportedly hosted on fake banking sites and distributed via dedicated domains impersonating financial institutions.
So, although PromptSpy isn’t currently a global pandemic, it demonstrates a new capability that threat actors are experimenting with.
What This Means for Android Users
The introduction of AI-powered malware changes the defender’s game:
For everyday users:
🟠 Be very cautious granting Accessibility access — it gives apps deep control.
🟠 Stick to the Google Play Store for apps; this malware isn’t distributed through Play.
🟠 Keep Google Play Protect enabled (it flags known malicious samples).
🟠 Avoid sideloading apps from unknown websites.
For developers and enterprises:
🟡 AI in malware puts a spotlight on behavioral detection, not just signature scanning.
🟡 Security solutions will need to spot runtime AI behaviors in execution flows.
🟡 Abuse of legitimate cloud AI models by malware now belongs in threat modeling.
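One concrete way to act on the Accessibility and sideloading advice above, and to give an enterprise a quick behavioral check, is to audit which apps on a device hold Accessibility access and where they were installed from. This is an added example, not ESET’s tooling or anything from PromptSpy; it assumes adb with USB debugging, and the sample device output it ships with is constructed so it can be run offline.

```shell
#!/bin/sh
# Audit Accessibility-enabled apps and their install source. Added example
# (not ESET's tooling, not PromptSpy code); it only reads device settings.
# Assumes adb with USB debugging; the sample data below is constructed.

# enabled_accessibility_services is a colon-separated list of
# "package/ServiceClass" entries; emit one unique package per line.
accessibility_packages() {
  printf '%s\n' "$1" | tr -d '\r' | tr ':' '\n' \
    | sed -n 's#^\([^/]*\)/.*#\1#p' | sort -u
}

# `pm list packages -i` prints "package:<pkg>  installer=<installer>";
# sideloaded apps report installer=null.
installer_of() {
  printf '%s\n' "$2" | tr -d '\r' \
    | sed -n "s#^package:$1  installer=\(.*\)#\1#p"
}

# Print "<pkg> installer=<src>" for every Accessibility-enabled app that
# was not installed by the Play Store (com.android.vending).
flag_non_play_accessibility() {
  for pkg in $(accessibility_packages "$1"); do
    src=$(installer_of "$pkg" "$2")
    [ "${src:-null}" = "com.android.vending" ] && continue
    printf '%s installer=%s\n' "$pkg" "${src:-null}"
  done
}

# Constructed sample device output for offline demonstration.
SAMPLE_ACC='com.android.talkback/.TalkBackService:com.example.sideloaded/.OverlayService'
SAMPLE_PKGS='package:com.android.talkback  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.example.bank  installer=com.android.vending'

if [ "${1:-}" = "--live" ]; then
  # Query a connected device instead of the constructed sample.
  flag_non_play_accessibility \
    "$(adb shell settings get secure enabled_accessibility_services)" \
    "$(adb shell pm list packages -i)"
else
  flag_non_play_accessibility "$SAMPLE_ACC" "$SAMPLE_PKGS"
fi
```

Any package the script flags deserves a closer look: an Accessibility service from outside Play is exactly the combination PromptSpy relies on.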
🧠 A New Era of Mobile Threats
PromptSpy is not just malware — it’s a proof-point:
Android threats can now leverage real AI in execution workflows.
That means the future of security is not just about blocking code — it’s about understanding real-time, adaptive behaviors enabled by generative models like Gemini.
And if malware can talk to AI during execution, so too might defensive AI systems — meaning AI vs AI could become the next battleground in mobile security.