NEWS How to protect your smartphone from malware? Hackers have tricked AI into reading your screen and blocking attempts to uninstall apps.

pinkman

Neural networks have learned to bypass any Android security shell on the fly.
ESET researchers have described the first known case of Android malware using generative AI not for harmless texts and images, but as a tool to control the phone's interface. This is the PromptSpy family of Android malware. In it, Google Gemini acts as a screen navigator: the model receives the current interface content and generates a sequence of actions, such as what to click and where to go.

Machine learning has been used in Android malware before, but for different purposes. For example, the Android.Phantom Trojan, using TensorFlow models, analyzed ad screenshots and automatically clicked on the elements it found to carry out large-scale ad fraud. PromptSpy is designed differently. It doesn't rely on fixed coordinates or attempt to find the desired button according to strict rules. Instead, the malware sends the model a description of what's currently on the screen and receives instructions on how to perform the desired action in that specific menu layout.

PromptSpy's generative AI isn't used everywhere, but rather in one specific area, which is responsible for persistence. The goal is simple: ensure that a malicious app remains pinned in the list of recent apps. This makes it impossible to simply swipe away, and makes it more difficult for the system to terminate the process. This is important for Android, as many malicious scenarios fail precisely when the user closes a suspicious window or the system unloads the app from memory.

The pinning mechanics work like this. Both the model itself and the request text are pre-programmed in the code; they cannot be changed on the fly. The malware uses the Android accessibility service to capture the current interface state and receives an XML dump of screen elements: text, types, descriptions, and coordinates. This XML is sent to Gemini, and the response comes back as JSON instructions: where to tap, where to hold, where to swipe, and how long to swipe. The malware then performs the action via the same accessibility service, captures the screen state again, and sends updated data to the model. The cycle continues until the model confirms that the app is indeed pinned to the recents list.

This approach offers flexibility because Android devices vary greatly. The gesture and menu used to pin an app to recents depend on the manufacturer, operating system, and version. Scripts with predefined coordinates are easily broken: the screen size changes, the menu is rearranged, or the button is moved. When the generative model dictates the solution, the malware can adapt to different devices and different interfaces simply by capturing the screen again and following the instructions it receives.

PromptSpy's primary goal, however, isn't AI-related. The malware deploys a built-in VNC module, enabling remote screen viewing and device control. This mode is used by administrators for support, but here it evolves into full-fledged remote access to the victim's phone. After the user enables accessibility features, the operator sees everything on the screen and can tap, scroll, type, and open apps as if they were holding the phone.

Communication with the command and control server occurs via the VNC protocol, and data is encrypted with AES. The server address in the samples is explicitly specified: 54.67.2[.]84. Through this channel, the malware can obtain the Gemini API access key, send a list of installed apps, intercept lock screen data (PIN or password), record video of pattern entry attempts, report whether the screen is on, and which app is currently open. It can also take screenshots on request and record the user's screen and gestures in apps specified by the operator.

The mechanism that prevents removal is described separately. PromptSpy uses accessibility features as protection against removal. When the user attempts to uninstall the app or disable accessibility features, the malware overlays transparent rectangles on the relevant areas of the screen. The rectangles are invisible, but they intercept touches, especially in areas where buttons with the words stop, end, clear, and uninstall are located. As a result, the user presses the button, but the action fails. In this form, normal removal becomes extremely difficult.

The study describes a practical way to bypass this block: reboot the device into safe mode, where third-party apps are blocked, and remove the malware from the settings. The exact method for enabling safe mode varies by manufacturer, but it typically involves holding down the power button, then long-pressing the power off option and confirming the restart in safe mode. Finally, remove the app from the list of installed apps.

The history of PromptSpy is broken down by version and date. In February 2026, two versions of a previously unknown family were discovered. An earlier variant, dubbed VNCSpy, appeared on VirusTotal on January 13, 2026, with three samples uploaded from Hong Kong. On February 10, 2026, four more advanced samples uploaded from Argentina were discovered on VirusTotal. It was in this branch that a multi-stage scheme with a downloader and payload was discovered, where the payload uses Gemini to gain a foothold in the system. Therefore, the downloader was named PromptSpy dropper, and the main module it deployed was named PromptSpy.

The distribution method is also described quite clearly. The malware was not distributed through Google Play. A separate website, mgardownload[.]com, was used for distribution, but it was no longer operational at the time of analysis. After installation and launch, the downloader opened a web page on the domain m-mgarg[.]com, which was also disabled. Based on the cached version of the page, the researchers concluded that the site imitated a Chase bank page and was designed for a Spanish-speaking audience. This is also evident in the app's design: it was called MorganArg, and the icon was stylized as Chase. The name is similar to an abbreviation of Morgan Argentina, which is consistent with a targeted campaign.

Another sample was then found, displaying the same fake page with a Spanish interface and a "First Session" button. Judging by its behavior, this Trojan requested configuration from the server and prompted the victim to download another APK under the guise of an update. The server was unavailable at the time of analysis, so the exact link could not be recovered. However, there were similar characteristics that are difficult to attribute to chance: the same fake banking website, the same app name and icon, and the same developer signature certificate. Therefore, there is reason to believe that this Trojan could have been the first step in leading the user to install the PromptSpy downloader.

There's also a detail about the origin of the malware. The samples contained debug strings in simplified Chinese, as well as accessibility service event handlers with Chinese explanations. The debugging method was disabled, but it was left in the code. Based on these traces, the authors believe it likely that the malware was developed in a Chinese-language environment, although the localization and domain chain suggest the campaign was targeted at Argentina and financial gain.

However, ESET telemetry shows no evidence of PromptSpy actually being distributed. No samples were detected, so it's possible this was a demonstration prototype or a limited test. On the other hand, the presence of a distribution domain and associated phishing infrastructure suggests that the scheme may have been developed as a production campaign.

Google reported the discovery. It was specifically noted that known versions of PromptSpy are blocked by Google Play Protect, which is enabled by default on devices with Google Play Services. But the technique itself is more important than the specific family. The generative model here solves a single, narrow problem, but that is enough to overcome a weakness of much Android malware: its dependence on the specific menu layout of a specific phone. Instead of fragile scripts with predefined steps, attackers feed the model a description of the screen and receive instructions that work across different devices and different OS versions.
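An added example, not part of the original post or of ESET's report: because PromptSpy depends on an enabled accessibility service and was distributed outside Google Play, a triage script can cross-check those two facts from `adb` output to find removal candidates. The sample output and package names are constructed placeholders, and treating only `com.android.vending` as a trusted installer is an assumption.

```python
# Sample text below is constructed; package names are hypothetical placeholders.
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play only (assumption)

# Constructed output of: adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.bankupdate/com.example.bankupdate.core.ScreenService"
)

# Constructed output of: adb shell pm list packages -i -3
SAMPLE_PACKAGES = """\
package:com.example.notes  installer=com.android.vending
package:com.example.bankupdate  installer=null
package:com.example.flashlight  installer=com.google.android.packageinstaller
"""

def parse_a11y_services(raw):
    """Return {package: [service, ...]} from the colon-separated component list."""
    services = {}
    for comp in raw.strip().split(":"):
        if "/" in comp:  # skips an empty setting or the literal "null"
            pkg, cls = comp.split("/", 1)
            services.setdefault(pkg, []).append(cls)
    return services

def parse_installers(raw):
    """Return {package: installer or None} from `pm list packages -i` lines."""
    installers = {}
    for line in raw.splitlines():
        if line.startswith("package:"):
            fields = line[len("package:"):].split()
            src = next((f.split("=", 1)[1] for f in fields[1:]
                        if f.startswith("installer=")), "null")
            installers[fields[0]] = None if src == "null" else src
    return installers

def risky_accessibility_apps(a11y_raw, packages_raw):
    """Third-party apps with an enabled accessibility service and no trusted installer."""
    services = parse_a11y_services(a11y_raw)
    installers = parse_installers(packages_raw)  # -3 lists third-party apps only
    return sorted((p, installers[p], services[p]) for p in services
                  if p in installers and installers[p] not in TRUSTED_INSTALLERS)

if __name__ == "__main__":
    for pkg, src, svcs in risky_accessibility_apps(SAMPLE_A11Y, SAMPLE_PACKAGES):
        print(f"{pkg}: installer={src}, services={svcs}")
```

Packages flagged this way are the first ones to review and remove after rebooting into safe mode; a sideloaded app without an accessibility service, like the constructed flashlight entry, is not flagged.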
 