Mobile Security Blog | Pradeo

PromptSpy: the first malware driven by generative AI

Written by Clara Campos | March 19, 2026
Generative artificial intelligence has reached a concerning milestone in the mobile cybersecurity landscape. In February 2026, ESET researchers disclosed the existence of PromptSpy, the first Android malware known to call a generative AI model, in this case Google Gemini, directly within its execution flow.
This is no longer theoretical: a piece of malware now communicates with an artificial intelligence to interpret what is displayed on screen, determine the next course of action, and execute it accordingly. This development fundamentally changes the nature of threats targeting enterprise mobile devices.
 

A classic infection process, an unprecedented execution

PromptSpy disguises itself as a legitimate banking application. Once installed, the malware asks the user to enable Android's Accessibility Services, a permission that lets it read and act on the device's interface.

Its objective: to deploy a VNC (Virtual Network Computing) module, a remote-control protocol. Attackers can then view the screen in real time, input text, and navigate the device as if they were physically handling it. PromptSpy is also capable of capturing the lock-screen PIN, recording screen activity as video, and blocking any uninstallation attempt through invisible overlays.

What makes it truly unprecedented, however, is the way it orchestrates these actions. Traditional malware relies on rigid scripts that fail as soon as the interface varies from one device to another. PromptSpy takes a radically different approach: it leverages Google's Gemini generative AI to analyze the screen and determine what to do in real time. As ESET researcher Lukáš Štefanko points out, AI enables the malware to adapt to virtually any device, screen size, or interface layout.

 

How the malware uses Gemini AI to drive its actions

The Gemini API key and prompts are hardcoded into the malware by the attacker. Once deployed on the device, PromptSpy operates fully autonomously, without any human intervention. It interacts with Gemini in the same way a user would interact with ChatGPT or any other AI assistant: it sends an XML file describing the complete state of the screen (displayed text, element type, exact position) along with a natural language instruction. Gemini analyzes the context and responds with precise instructions. The malware executes the action, sends back the updated screen state, and the AI provides the next step. This dialogue continues in a loop until the objective is achieved.

The attacker does not need to be behind a screen to control the actions; the malware operates on its own through the AI. This conversational approach makes the malware extremely resilient: if a button changes position or a menu is organized differently from one device to another, the AI adapts instantly. It also significantly simplifies the attackers' work. There is no longer any need to code specific scenarios for each smartphone model or Android version; a single natural language instruction is sufficient.

The immediate goal of this loop is to lock the malicious application in Android's recent apps list, before deploying the VNC module.
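The traits described above (a hardcoded Gemini API key, Gemini endpoint strings, an embedded natural-language instruction, and the Accessibility Service binding) can be turned into a static triage heuristic over an app's string table and manifest permissions. This is an added example, not code from the article or from ESET's analysis; the API key pattern, the endpoint host, the prompt marker words and all sample inputs are assumptions or constructed values.

```python
import re

# Heuristic indicators for the traits described above. Assumptions, not taken
# from the article: Google API keys conventionally look like "AIza" plus 35
# characters, and the public Gemini API host is generativelanguage.googleapis.com.
GOOGLE_API_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b")
GEMINI_HOST = "generativelanguage.googleapis.com"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Words a screen-driving instruction to the model is likely to contain (assumed).
PROMPT_MARKERS = ("screen", "xml", "click", "next action", "respond")


def looks_like_prompt(s: str) -> bool:
    """Long text mentioning several prompt markers is likely an embedded
    natural-language instruction rather than ordinary UI text."""
    return len(s) > 60 and sum(m in s.lower() for m in PROMPT_MARKERS) >= 3


def scan_app(strings: list[str], permissions: list[str]) -> list[tuple[str, int]]:
    """Return (indicator, weight) pairs found in an app's strings and manifest."""
    findings = []
    if any(GOOGLE_API_KEY_RE.search(s) for s in strings):
        findings.append(("hardcoded Google API key", 3))
    if any(GEMINI_HOST in s for s in strings):
        findings.append(("references the Gemini API endpoint", 3))
    if ACCESSIBILITY_PERM in permissions:
        findings.append(("binds an Accessibility Service", 2))
    if any(looks_like_prompt(s) for s in strings):
        findings.append(("embedded natural-language instruction", 2))
    return findings


def risk_score(findings: list[tuple[str, int]]) -> int:
    """Sum of weights: the combination of traits, not any single hit, matters."""
    return sum(w for _, w in findings)


# Constructed sample inputs, not real PromptSpy artifacts.
SUSPECT_STRINGS = [
    "https://generativelanguage.googleapis.com/v1beta/models/gemini-pro:generateContent",
    "AIzaSyD-placeholder_key_0123456789abcde",  # placeholder, not a real key
    "You are given the screen as XML. Respond with the next action to click "
    "so that the app stays in the recent apps list.",
]
SUSPECT_PERMS = ["android.permission.INTERNET", ACCESSIBILITY_PERM]
BENIGN_STRINGS = ["https://api.example.com/v1/balance", "Welcome back"]
BENIGN_PERMS = ["android.permission.INTERNET"]
```

A legitimate app that integrates Gemini would also hit the key and endpoint checks on their own; it is the combination with an Accessibility Service binding and prompt-like strings that should route the sample to analyst review.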

 

Native protections are no longer sufficient against AI-powered malware

PromptSpy is not an isolated case. It had already been demonstrated that generative AI tools such as ChatGPT could be manipulated into generating malware, and in August 2025 ESET identified PromptLock, the first ransomware leveraging generative AI. With PromptSpy, the trend is confirmed: cybercriminals are now integrating generative artificial intelligence directly into their offensive tools, making mobile threats more adaptive and harder to detect.

Google has stated that Play Protect automatically protects users against known versions of this malware. However, this protection remains reactive and limited, particularly in a professional context where organizations manage heterogeneous device fleets, face BYOD challenges, and deal with application installations from outside official app stores.

 

A dedicated mobile protection solution is now essential

It is precisely to address these challenges and the limitations of native protections that a dedicated mobile protection solution is necessary.
Pradeo Mobile Threat Defense provides real-time protection for mobile devices, leveraging advanced behavioral analysis of applications, network traffic, and the system. Unlike approaches based solely on known signatures, the Pradeo solution detects suspicious behaviors and zero-day malware.

In a context where threats like PromptSpy demonstrate that artificial intelligence can be turned against users, relying on a dedicated mobile protection solution is no longer optional; it is a necessity.