AI-Powered Android Malware ‘PromptSpy’ Signals New Cyber Threat
- A new Android malware strain dubbed PromptSpy is raising concerns among security researchers, marking the first known instance of malicious software leveraging generative AI in its operation.
- Unlike traditional malware that relies on pre-defined instructions, PromptSpy employs Gemini to interpret on-screen elements and dynamically generate step-by-step instructions for itself.
- PromptSpy is designed to capture data from the lockscreen, block attempts to uninstall it, gather detailed device information, take screenshots, and even record screen activity as video.
A new Android malware strain dubbed PromptSpy is raising concerns among security researchers, marking the first known instance of malicious software leveraging generative AI in its operation. Discovered by ESET researchers on , PromptSpy utilizes Google’s Gemini model to adapt to different devices and maintain persistence, effectively automating tasks that previously required manual coding for each target environment.
Unlike traditional malware that relies on pre-defined instructions, PromptSpy employs Gemini to interpret on-screen elements and dynamically generate step-by-step instructions for itself. This allows the malware to navigate user interfaces and perform actions, specifically to remain “locked” within the recent apps list, hindering easy removal by the user. The core function of PromptSpy, however, isn’t solely focused on this AI-driven persistence mechanism. It also deploys a Virtual Network Computing (VNC) module, granting attackers remote access to the compromised device, including the ability to view the screen and execute actions as if they were the user.
The malware’s capabilities extend beyond remote control. PromptSpy is designed to capture data from the lockscreen, block attempts to uninstall it, gather detailed device information, take screenshots, and even record screen activity as video. This comprehensive suite of features positions PromptSpy as a particularly potent threat, capable of extensive surveillance and data exfiltration.
ESET researchers note that this is the second AI-powered malware they have identified, following PromptLock in , which was the first known case of AI-driven ransomware. While PromptLock utilized AI for ransom demands and negotiation, PromptSpy represents a novel application of generative AI in achieving persistence and adapting to diverse Android environments.
The use of generative AI, while currently limited to the persistence module, significantly enhances the malware’s adaptability. Since Android interfaces vary across devices and operating system versions, the ability to dynamically interpret and respond to these differences provides PromptSpy with a considerable advantage over conventional malware. The AI model and the prompts it receives are pre-defined within the malware’s code and cannot be altered by the user.
Initial analysis suggests the campaign behind PromptSpy is financially motivated and primarily targets users in Argentina. Debug information within the malware’s code points to a Chinese-speaking development environment. Researchers speculate that the current iteration of PromptSpy may be a proof-of-concept or an early-stage test, as it has not yet been widely observed in ESET’s telemetry data.
The discovery of PromptSpy underscores the evolving threat landscape and the increasing sophistication of cyberattacks. Traditional malware detection methods may struggle to identify and neutralize such adaptive threats. Security experts emphasize the importance of proactive measures, such as verifying app sources and utilizing mobile security solutions that incorporate behavioral detection capabilities.
The cybersecurity industry now faces the challenge of developing multi-layered defense systems, potentially leveraging AI itself, to identify and respond to anomalous behavior in real time. The race between attackers and defenders has entered a new, more dynamic phase, with artificial intelligence playing a central role. The ability to analyze on-screen elements and dynamically adjust its behavior based on AI-generated instructions represents a significant leap in malware sophistication, demanding a corresponding evolution in security strategies.
While the current implementation of generative AI within PromptSpy is focused on persistence, the potential for broader application is clear. Future malware could leverage similar techniques for a wider range of malicious activities, making the development of robust AI-powered defenses even more critical.
