Malware Is Now Using AI Against You
The first Android malware that uses generative AI at runtime just showed up. PromptSpy uses Google's Gemini to adapt to any phone it infects. Here's what that means and how to stay safe.
Something shifted this week. ESET researchers published their findings on PromptSpy — the first known Android malware that uses generative AI as part of how it actually runs. Not AI-generated phishing emails. Not AI-assisted code writing. This malware calls Google's Gemini model in real time to figure out how to navigate your phone.
I've been writing about AI security risks for a while now, but this one hit different. We've crossed a line from "attackers use AI to build malware" to "the malware itself uses AI to think."
What PromptSpy Actually Does
Here's the short version: PromptSpy is a remote access trojan for Android. It can capture your lockscreen PIN, take screenshots, record your screen, and give attackers full remote control of your device through VNC.
None of that is new. Android RATs have existed for years.
What's new is how it stays alive on your phone.
Traditional Android malware hardcodes specific screen coordinates and button locations. "Tap at position X,Y to dismiss the dialog." The problem for attackers is that Android is fragmented — different manufacturers, different screen sizes, different OS versions, different UI skins. A tap that works on a Samsung Galaxy S24 might miss the button entirely on a Pixel 9.
PromptSpy solves this by asking Gemini for help. It takes a screenshot of whatever's currently on screen, converts the UI elements to XML with their positions and labels, and sends all of that to Gemini with a prompt like "you are an Android automation assistant — tell me how to pin this app in the recent apps list so it can't be killed."
Gemini responds with JSON instructions: tap here, swipe there, long-press this. The malware executes those steps through Android's accessibility services, then checks the result and asks again if needed. It keeps going until it succeeds.
The result is malware that adapts to any Android device, any screen size, any UI layout, any OS version. It doesn't need hardcoded coordinates anymore. It just looks at the screen and figures it out.
Why This Matters Beyond This One Malware
PromptSpy itself targets users in Argentina and appears financially motivated. If you're reading this blog from Europe, you're probably not in its crosshairs today.
But that's not the point. The technique is what matters.
Think about what PromptSpy demonstrates: a piece of malware can call a public AI API, describe what it sees on screen, and get step-by-step instructions for navigating any UI. That capability is now proven and documented. Every malware author in the world just got a new tool in their playbook.
Here's what I expect to see next:
More adaptive persistence. PromptSpy uses AI just to stay pinned in the recent apps list. Future variants will use it for everything — navigating settings menus to grant themselves permissions, disabling security features, finding and exfiltrating specific data by reading what's on screen.
Cross-platform expansion. There's nothing Android-specific about this technique. Desktop malware could use the same approach to navigate Windows dialogs, dismiss security warnings, or interact with applications. Screenshot + AI analysis + automated clicks works everywhere.
Better social engineering. Imagine malware that reads your messaging apps through screenshots and uses AI to craft contextually appropriate responses to your contacts. Spreading itself by having actual conversations with your friends, in your language, matching your writing style.
The AI Provider Problem
Here's the uncomfortable question: should AI providers be doing more to prevent this?
PromptSpy uses a Gemini API key that it receives from its command-and-control server. Google has usage policies that prohibit using Gemini for malicious purposes. But in practice, the prompts PromptSpy sends look like legitimate automation requests — "help me navigate this Android UI" isn't obviously malicious.
This is the dual-use problem that the entire AI industry is struggling with. The same capabilities that power legitimate accessibility tools and UI testing frameworks also power malware. You can't easily distinguish "help a visually impaired user navigate their phone" from "help malware navigate a victim's phone" just by looking at the API calls.
I don't have a clean answer here. But I think AI providers need to invest more in abuse detection — looking at patterns of use rather than individual requests. An API key that only ever sends screenshots of lock screens and recent-apps menus should raise flags.
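To make "patterns of use rather than individual requests" concrete, here is an added sketch (not from ESET, Google, or the original post) that aggregates request metadata per API key and flags keys whose traffic is almost entirely lock-screen and recent-apps screenshots. The log format, the `screen` label, and both thresholds are assumptions; a real provider would substitute its own request classification.

```python
import json
from collections import Counter, defaultdict

# Screen types the article names as suspicious when they are all a key ever sends.
SENSITIVE = {"lock_screen", "recent_apps"}

def flag_keys(log_text, min_requests=5, min_share=0.9):
    """Return {key: share} for API keys whose traffic is almost only
    lock-screen / recent-apps screenshots, judged over the whole log."""
    per_key = defaultdict(Counter)
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            per_key[rec["key"]][rec["screen"]] += 1
    flagged = {}
    for key, screens in per_key.items():
        total = sum(screens.values())
        share = sum(n for s, n in screens.items() if s in SENSITIVE) / total
        # Require volume first: two lock-screen requests prove nothing.
        if total >= min_requests and share >= min_share:
            flagged[key] = round(share, 2)
    return flagged

def make_log(rows):
    """Build a JSON-lines log from (key, screen) pairs."""
    return "\n".join(json.dumps({"key": k, "screen": s}) for k, s in rows)

# Constructed sample: key-A behaves like the pattern described above, key-B
# like a UI-testing tool with varied screens, key-C has too little traffic.
SAMPLE_LOG = make_log(
    [("key-A", s) for s in ["lock_screen", "recent_apps"] * 3]
    + [("key-B", s) for s in ["settings", "login_form", "lock_screen",
                              "checkout", "home", "search"]]
    + [("key-C", "lock_screen")] * 2
)

if __name__ == "__main__":
    print(flag_keys(SAMPLE_LOG))
```

Each request from key-A looks like ordinary automation on its own; only the per-key aggregate stands out. A flagged key is a candidate for review, since a legitimate accessibility tool can also see lock screens often.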
How to Protect Yourself
The good news is that PromptSpy's distribution is pretty basic. It was never on Google Play. It spreads through a dedicated website disguised as a financial app ("MorganArg"), and you have to manually allow installation from unknown sources.
So the basics still work:
Don't sideload apps
I know, I know. Some of you are thinking "but I need APKs for apps not available in my region" or "F-Droid is fine." And yes, F-Droid is generally trustworthy. But the number one way Android malware reaches devices is through sideloaded APKs from random websites. If you didn't get it from Google Play or a trusted repository like F-Droid, don't install it.
Actually read permission requests
PromptSpy needs accessibility services to function. Android will explicitly warn you when an app requests accessibility access and tell you it can "observe your actions" and "interact with apps on your behalf." If a banking app or utility tool asks for accessibility permissions, that's a massive red flag.
Keep Google Play Protect enabled
Play Protect scans apps on your device, including sideloaded ones. It's not perfect, but ESET confirmed that Play Protect detects PromptSpy. Don't disable it.
Check your accessibility settings regularly
Go to Settings → Accessibility and look at which apps have accessibility access. If you see anything you don't recognize, revoke it immediately. On most Android versions, you can get there by searching "accessibility" in your settings.
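The same check can be scripted over adb for anyone auditing several devices. This added example (not part of the original post) lists enabled accessibility services and flags those owned by third-party apps that were not installed by Google Play or F-Droid. It assumes USB debugging is enabled and that `pm list packages -3 -i` prints `package:<name>  installer=<name>` lines; the sample package names are made up.

```python
import subprocess

# Trusted install sources per the article's advice: Google Play and F-Droid.
TRUSTED_INSTALLERS = {"com.android.vending", "org.fdroid.fdroid"}

def parse_services(raw):
    """'pkg/.Svc:pkg2/cls' -> [(package, service class), ...]; 'null' -> []."""
    return [tuple(e.split("/", 1)) for e in raw.strip().split(":") if "/" in e]

def parse_installers(raw):
    """Lines 'package:<name>  installer=<name>' -> {package: installer or None}."""
    out = {}
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            name, _, inst = line[len("package:"):].partition("installer=")
            inst = inst.strip()
            out[name.strip()] = None if inst in ("", "null") else inst
    return out

def audit(services_raw, third_party_raw):
    """Enabled accessibility services from third-party apps of untrusted origin."""
    third_party = parse_installers(third_party_raw)
    findings = []
    for pkg, cls in parse_services(services_raw):
        # Packages absent from the third-party list are preinstalled; skip them.
        if pkg in third_party and third_party[pkg] not in TRUSTED_INSTALLERS:
            findings.append((pkg, cls, third_party[pkg] or "unknown"))
    return findings

def audit_device():
    """Run the same audit against a device connected over adb."""
    sh = lambda *a: subprocess.run(["adb", "shell", *a], capture_output=True,
                                   text=True, check=True).stdout
    return audit(sh("settings", "get", "secure", "enabled_accessibility_services"),
                 sh("pm", "list", "packages", "-3", "-i"))

# Constructed sample output; the com.example.* package names are invented.
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "com.example.passwordmgr/.A11yService:"
                   "com.example.fakebank/.HelperService")
SAMPLE_THIRD_PARTY = """\
package:com.example.passwordmgr  installer=com.android.vending
package:com.example.fakebank  installer=null
"""

if __name__ == "__main__":
    print(audit(SAMPLE_SERVICES, SAMPLE_THIRD_PARTY))
```

An empty result from `audit_device()` means every enabled accessibility service belongs to a preinstalled app or came from a trusted installer. Anything listed deserves the manual review described above.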
If you're already infected
PromptSpy uses invisible overlays to prevent uninstallation — you literally can't tap the uninstall button because there's an invisible layer on top of it. The fix is to reboot into Safe Mode (hold the power button, then long-press "Power off" until Safe Mode appears). In Safe Mode, third-party apps are disabled and you can uninstall normally.
The Bigger Picture
We're at the beginning of AI-powered malware. PromptSpy is crude in many ways — it uses a hardcoded C2 server, distributes through an obvious fake website, and its AI usage is limited to one specific persistence technique. Future versions won't be this sloppy.
What concerns me most is the adaptability angle. Security has always been an arms race, but traditionally, defenders could study malware behavior and write specific detection rules. When malware can dynamically change how it interacts with a device based on real-time AI analysis, those static detection rules become much less reliable.
The AI tools we're excited about — the ones that help us be more productive, creative, and capable — are the same ones that make malware more dangerous. That's not a reason to stop using AI. It's a reason to take the basics seriously: don't install sketchy apps, pay attention to permissions, and keep your security tools up to date.
The malware is getting smarter. Make sure you are too.