Security researchers at ESET have uncovered what they describe as the first known Android malware to actively leverage generative AI during runtime. The malware, dubbed PromptSpy, uses Gemini to help it maintain persistence on infected devices.
PromptSpy deploys a VNC module once installed, giving attackers full remote visibility and control over a compromised Android device. Operators can view the victim’s screen in real time and interact with the device as if they were holding it. Beyond remote access, the malware is capable of harvesting device information, capturing lockscreen PINs or passwords, recording the screen to extract unlock patterns, and taking screenshots.
What sets PromptSpy apart is its novel persistence mechanism. During execution, the malware sends a prompt to Gemini along with an XML file containing detailed information about on-screen user interface elements, including their type, text content, and position. Gemini analyzes this data and responds with JSON-formatted instructions specifying where to tap or swipe on the screen.
Using Android’s Accessibility Services, PromptSpy performs the recommended gestures. This allows it to add itself to the list of recent apps, effectively locking itself into the system’s recent applications view. By doing so, it ensures it remains active even after the device is rebooted.
The malware also stores previous prompts and Gemini’s responses, enabling contextual understanding and coordinated multi-step interactions. This design allows the AI-assisted functionality to adapt dynamically during runtime.
To further resist removal, PromptSpy abuses Accessibility Services to block uninstallation attempts. When a user tries to uninstall the app or disable Accessibility permissions, the malware overlays invisible rectangles over critical buttons containing words such as “stop,” “end,” “clear,” or “uninstall.” These transparent overlays intercept user taps, making removal extremely difficult.
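The overlay trick described above leaves a visible trace in the UI hierarchy: a node owned by a package other than the one drawing the screen, whose bounds fully cover a button labelled with one of the targeted words. The following Python heuristic is an added example written for this article, not ESET's code or anything recovered from PromptSpy; it assumes a uiautomator-style hierarchy dump (`node` elements with `package`, `text` and `bounds` attributes) and a constructed sample in which a hypothetical package `com.example.suspicious` covers the Settings "Uninstall" button but not the "Force stop" button.

```python
import re
import xml.etree.ElementTree as ET

# Words the article reports PromptSpy places transparent overlays over.
# Word boundaries avoid false positives such as "Send" matching "end".
KEYWORD_RE = re.compile(r"\b(stop|end|clear|uninstall)\b", re.IGNORECASE)

# uiautomator encodes bounds as "[x1,y1][x2,y2]".
BOUNDS_RE = re.compile(r"\[(\d+),(\d+)\]\[(\d+),(\d+)\]")

# Constructed sample dump (not captured from a real device): the Settings app
# shows two buttons, and a node from another package sits over "Uninstall".
SAMPLE_DUMP = """<?xml version='1.0' encoding='UTF-8' standalone='yes' ?>
<hierarchy rotation="0">
  <node index="0" text="" class="android.widget.FrameLayout" package="com.android.settings" bounds="[0,0][1080,2400]">
    <node index="0" text="Uninstall" class="android.widget.Button" package="com.android.settings" clickable="true" bounds="[60,1800][500,1900]"/>
    <node index="1" text="Force stop" class="android.widget.Button" package="com.android.settings" clickable="true" bounds="[580,1800][1020,1900]"/>
  </node>
  <node index="1" text="" class="android.view.View" package="com.example.suspicious" clickable="true" bounds="[40,1780][520,1920]"/>
</hierarchy>"""


def parse_bounds(bounds):
    """Parse '[x1,y1][x2,y2]' into an (x1, y1, x2, y2) tuple, or None if malformed."""
    m = BOUNDS_RE.fullmatch(bounds or "")
    if not m:
        return None
    return tuple(int(v) for v in m.groups())


def covers(outer, inner):
    """True if rectangle `outer` fully contains rectangle `inner`."""
    ox1, oy1, ox2, oy2 = outer
    ix1, iy1, ix2, iy2 = inner
    return ox1 <= ix1 and oy1 <= iy1 and ox2 >= ix2 and oy2 >= iy2


def find_overlay_blocked_buttons(ui_xml, trusted_packages=("com.android.settings",)):
    """Return (button_text, overlay_package) pairs for keyword buttons that are
    fully covered by a node belonging to a package outside `trusted_packages`."""
    root = ET.fromstring(ui_xml)
    nodes = [n for n in root.iter("node") if parse_bounds(n.get("bounds")) is not None]

    buttons = [
        n for n in nodes
        if n.get("package") in trusted_packages
        and KEYWORD_RE.search(n.get("text") or "")
    ]

    findings = []
    for button in buttons:
        button_rect = parse_bounds(button.get("bounds"))
        for node in nodes:
            pkg = node.get("package")
            if pkg is None or pkg in trusted_packages:
                continue
            if covers(parse_bounds(node.get("bounds")), button_rect):
                findings.append((button.get("text"), pkg))
                break  # one covering overlay is enough to flag the button
    return findings


if __name__ == "__main__":
    for text, pkg in find_overlay_blocked_buttons(SAMPLE_DUMP):
        print(f"button '{text}' is covered by a node from {pkg}")
```

The heuristic only inspects geometry and ownership, so it cannot tell a transparent overlay from a legitimate floating widget; it is a triage signal for an analyst looking at a device that refuses to uninstall an app, not a verdict. Rotation, multi-window layouts and partial (rather than full) coverage are deliberately out of scope.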
According to researchers, the only reliable way to remove the malware is to reboot the device into Safe Mode, where third-party applications are disabled and can be uninstalled without interference.
ESET noted that it has not observed PromptSpy infections in the wild and believes it may be a proof-of-concept, similar to the PromptLock ransomware the company detailed last year. However, researchers have identified a domain that appears designed to distribute the malware to users in Argentina.
Technical evidence suggests the malware was developed by Chinese programmers, though the attribution is made with medium confidence. ESET has not linked PromptSpy to any known threat actor.
The discovery highlights how generative AI tools can be misused by cybercriminals to automate complex user interface interactions, potentially marking a new evolution in mobile malware design.