Security researchers have identified a novel Android threat that taps Google’s Gemini generative AI during execution to decide its next move on the fly. The malware, dubbed PromptSpy by ESET, represents the first documented case of an Android strain actively querying a large language model at runtime to adapt across different devices and interfaces.
Instead of relying on rigid, preprogrammed steps, PromptSpy reportedly captures what is visible on the screen and asks Gemini for guidance, allowing the malware to adjust to the quirks of various Android versions, OEM skins, and app layouts. The approach points to a shift toward AI-in-the-loop attacks that can evolve in real time, complicating detection and response.
What PromptSpy Actually Does On Infected Android Devices
ESET’s analysis indicates that PromptSpy functions primarily as spyware with remote access capabilities. Once installed and granted elevated permissions, it can inventory installed applications, surveil on-screen content, and pursue sensitive data such as lock screen credentials. It also includes mechanisms that hinder removal, a hallmark of persistent mobile threats.
The samples observed were delivered via a standalone distribution channel and masqueraded as a banking app, a common lure in mobile fraud. While ESET has not yet seen broad telemetry indicating widespread infections, the infrastructure and social engineering suggest more than a lab-only proof of concept.
Why Generative AI Changes The Game For Android Malware
Traditional Android malware often breaks when confronted with a screen it does not expect—an extra consent dialog, a relocated button, a new language setting. By asking a generative model to interpret the current screen and propose the next action, attackers can sidestep brittle assumptions and scale across device diversity.
This real-time adaptability undermines static signatures and scripted UI automation that defenders anticipate. It also introduces an element of decision-making that resembles a human operator: the malware can “read” labels, understand context, and sequence actions without hardcoding every variant. For incident responders and mobile EDR tools, that means fewer deterministic indicators and more behavior that morphs per target.
There are trade-offs. Routing instructions through an external AI service creates network artifacts, latency, and reliance on API availability or quotas. Those dependencies can be used for detection. But as on-device models become smaller and faster, the gap between feasibility and stealth is narrowing.
How AI Is Folded Into The Attack Flow On Android
Based on ESET’s description, PromptSpy harvests the view it sees—text, layout cues, or screenshots—and packages that context into a prompt for Gemini. The model responds with instructions such as which element to tap or which permission to request next, tailoring the sequence to the device in hand. In effect, the LLM serves as a just-in-time controller for the malware’s UI interactions.
This “LLM-in-the-loop” design is distinct from earlier uses of AI in crimeware, which focused on generating phishing lures or code snippets offline. Here, the model sits inside the execution path, directly shaping outcomes. For defenders who rely on replaying samples in sandboxes, the variability makes consistent reproduction and rule-writing harder.
Signals For Defenders And Platform Stewards
Google’s existing protections—Play Protect scanning, restrictions on Accessibility abuse, and policies against deceptive behavior—remain crucial, but this case tests their limits. Safety filters that prevent models from generating overtly malicious content do not fully address scenarios where the model is asked to describe a screen or suggest benign-sounding UI steps that further a malicious goal.
Enterprises can add compensating controls. Monitor for unusual outbound connections to AI inference services by apps that have no clear reason to use them. Flag apps requesting Accessibility or Device Admin privileges during onboarding, and enforce app allowlists via mobile device management. Behavioral baselining of UI automation across managed fleets can expose anomalies even when indicators of compromise are scarce.
For consumers, the basics matter more than ever. Install apps only from trusted sources, scrutinize prompts for Accessibility access, keep Play Protect enabled, and regularly review which apps hold powerful permissions. If removal is blocked, rebooting to safe mode to uninstall or using the device’s built-in reset and restore options can break persistence.
The Road Ahead For AI-Enabled Android Threats
PromptSpy is an early warning of what AI-empowered mobile malware can look like. Today it queries a cloud model for guidance; tomorrow similar tooling could run on-device, cutting network signals and shrinking response windows. The same techniques could fine-tune phishing overlays to a bank’s latest app version, translate scams on the spot, or dynamically pivot when permission requests are denied.
Defenders can meet AI with AI. Security teams are already experimenting with language models to sift telemetry, describe unfamiliar screens at scale, and auto-generate hunt queries aligned to frameworks such as MITRE ATT&CK for Mobile. As attackers iterate, rapid, model-assisted detection engineering and closer platform-level scrutiny of LLM usage will be essential.
ESET’s finding underscores a simple truth: the UI is now part of the battlefield, and models that understand it can be weaponized. Catching the next wave will require pairing strong platform controls with smarter behavioral analytics—and treating any app that wants to “see” and “decide” on your screen with heightened suspicion.
