Back to Intelligence

PromptSpy Malware Exploits Google Gemini AI to Hijack Android Devices

SA
Security Arsenal Team
February 23, 2026
5 min read

We have long speculated about how generative AI could be weaponized by cybercriminals, but the recent discovery of PromptSpy proves that future is already here. Security researchers at ESET have identified a novel Android malware that represents a significant milestone in threat evolution: it is the first known to actively abuse Google's generative AI chatbot, Gemini, as a core component of its execution flow.

For the Dallas business community and mobile workforce, this serves as a stark reminder that the attack surface is expanding beyond traditional apps and operating systems into the AI assistants we invite onto our devices.

The Threat: AI-Driven Persistence

PromptSpy is not just another data-stealer; it is a sophisticated piece of malware designed to entrench itself deeply within an Android device. By leveraging the capabilities of Google Gemini, the malware automates interactions with the Android "Recent Apps" screen to achieve persistence—a technique that makes it incredibly difficult for users to shake off the infection.

Once installed, PromptSpy requests a suite of dangerous permissions that allow it to:

  • Capture Lockscreen Data: Intercepting inputs before the device is fully unlocked.
  • Take Screenshots: Visually recording sensitive information displayed on the screen.
  • Block Uninstallation: Preventing the user from removing the malicious app through standard settings.
  • Gather Device Intelligence: Collecting hardware specs, installed apps, and network details.

Technical Analysis: Weaponizing Generative AI

The innovation in PromptSpy lies in its abuse of the Gemini AI overlay. Traditionally, malware uses Accessibility Services to simulate clicks and swipes. However, PromptSpy leverages the on-device AI to interpret visual cues and automate navigation within the "Recent Apps" menu.

This technique effectively bypasses certain user interaction heuristics. By using Gemini to interact with the UI layer, the malware can keep itself in the foreground or revive itself if closed, essentially using the AI as a "pilot" to navigate the Android OS autonomously.

Key TTPs (Tactics, Techniques, and Procedures)

  • Abuse of AI/LLM APIs: Utilizing the device's integrated Gemini assistant to execute command-and-control logic locally.
  • Accessibility Service Abuse: Leveraging the android.permission.BIND_ACCESSIBILITY_SERVICE to read screen content and perform inputs.
  • Screen Interception: Monitoring the MediaProjection API to capture lockscreen PINs and patterns via screenshots.

Detection and Threat Hunting

Detecting PromptSpy requires a shift in strategy. Security teams must not only look for known malicious hashes but also monitor for anomalous behavior related to AI assistant overlays and accessibility services.

Below are queries and scripts designed to help security teams identify indicators of compromise (IOCs) associated with PromptSpy or similar malware behaviors within your environment.

KQL Query for Microsoft Sentinel / Defender for Endpoint

This query searches for devices where applications have recently requested accessibility services or screen capture permissions, which are prerequisites for PromptSpy's functionality.

Script / Code
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in ('android.process.acore', 'system_server') 
   or ActionType has "AccessibilityService"
| extend ParsedJSON = parse_(AdditionalFields)
| where ParsedJSON has "BIND_ACCESSIBILITY_SERVICE" or ParsedJSON has "SYSTEM_ALERT_WINDOW"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| distinct Timestamp, DeviceName, FileName, SHA256
| sort by Timestamp desc

Python Script for Log Analysis

This Python snippet can be used by analysts to parse exported Android logs (specifically dumpsys output) to identify apps with suspicious permission combinations.

Script / Code
import re
import sys

def analyze_accessibility_risks(log_file_path):
    """
    Parses Android dumpsys permission logs to find apps 
    with high-risk permission combinations.
    """
    suspicious_apps = []
    
    # Regex to find package names and requested permissions
    package_pattern = re.compile(r'Package \[(.*?)\]')
    permission_pattern = re.compile(r'android.permission.(\w+)')
    
    try:
        with open(log_file_path, 'r') as f:
            content = f.read()
            
        packages = package_pattern.findall(content)
        
        # Define high-risk permissions indicative of spyware
        high_risk_permissions = [
            'BIND_ACCESSIBILITY_SERVICE', 
            'SYSTEM_ALERT_WINDOW', 
            'READ_LOGS', 
            'CAPTURE_VIDEO_OUTPUT',
            'WRITE_SECURE_SETTINGS'
        ]
        
        print(f"[*] Analyzing {len(packages)} packages for risks...")
        
        # Simplified check: In a real scenario, parse the specific permission block for each package
        for package in packages:
            # This is a mock logic for demonstration; real parsing requires structured XML or text section handling
            if 'prompt' in package.lower() or 'spy' in package.lower():
                print(f"[!] Suspicious package name found: {package}")
                suspicious_apps.append(package)
                
        if suspicious_apps:
            print(f"\n[ALERT] Found {len(suspicious_apps)} potentially malicious packages.")
        else:
            print("\n[INFO] No obvious name-based indicators found. Manual review required.")
            
    except FileNotFoundError:
        print(f"Error: File {log_file_path} not found.")

if __name__ == "__main__":
    # Usage: python analyzer.py dumpsys_output.txt
    if len(sys.argv) < 2:
        print("Please provide a path to the log file.")
    else:
        analyze_accessibility_risks(sys.argv[1])

Mitigation Strategies

To protect your organization from PromptSpy and similar AI-abusing malware, we recommend the following actionable steps:

  1. Strict App Governance: Enforce a policy that forbids the installation of apps from third-party sources (sideloading). PromptSpy often propagates via social engineering or phishing links outside the Google Play Store.

  2. Review Accessibility Services: Regularly audit your device fleet. Navigate to Settings > Accessibility and review which apps have these privileges. Revoke access for any app that does not fundamentally require it to function (e.g., a calculator app should not be an accessibility service).

  3. Limit AI Assistant Permissions: Review the permissions granted to Google Gemini or other AI assistants. Ensure they cannot overlay screens or interact with other apps without explicit user confirmation.

  4. Deploy Mobile Threat Defense (MTD): Utilize an MTD solution (like Microsoft Defender for Endpoint or SentinelOne) that can detect the anomalous behavior of screen reading and unauthorized UI interaction in real-time.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwareforensicsandroid-malwaregemini-aithreat-huntingpersistencemobile-security

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action