The First Android Malware That Thinks for Itself Just Used Google's AI to Do It

Published: March 8, 2026 at 08:25 PM EDT
4 min read
Source: Dev.to

Overview

A banking trojan is asking Gemini how to survive on your phone. Gemini is answering.

On February 19, ESET researchers disclosed a malware family they named PromptSpy. It is, by their assessment, the first Android threat to use generative AI at runtime — not as a development tool, not to write phishing emails, but as an active component of its own execution.

The malware sends a screenshot of the infected phone’s current state to Google’s Gemini API. Gemini analyzes the screen and returns JSON‑formatted instructions: what to tap, where to tap, and in what sequence. The purpose is persistence — PromptSpy uses Gemini’s responses to keep itself pinned in the recent‑apps list, preventing the user from swiping it away or the system from killing it.

How It Works

PromptSpy arrives disguised as a banking app called MorganArg — a knockoff of JPMorgan Chase’s branding, targeting users in Argentina. Once installed, it deploys a VNC module that gives attackers full remote access to the device. It captures lock‑screen data, records the screen as video, takes screenshots, blocks uninstallation, and harvests device information.

None of that is new; Android trojans with remote‑access capabilities have existed for years. What’s new is the persistence mechanism.

Traditional malware hard‑codes its survival techniques. If Android changes how the recent‑apps list works, the malware breaks. PromptSpy outsources that problem to Gemini. When the operating system updates, when the UI changes, or when Samsung or Xiaomi modifies recent‑apps behavior on their custom skin, the malware asks Gemini what the screen looks like now and how to navigate it. The AI adapts; the malware does not need to.

This is the difference between a lock pick and a locksmith. One breaks a specific lock. The other understands locks.
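The behaviour chain described above (screen capture, a call to a hosted vision model, taps driven by the answer) is what a defender can key on, since no single step is malicious by itself: screen readers and UI test tools do the same things. Below is an added detection example, not ESET's code and not taken from the PromptSpy samples, that scores the combination per package over device telemetry. The JSON-lines record format, the package names, the event names and the allowlist are all constructed assumptions for the demonstration; the only real identifier is generativelanguage.googleapis.com, the public Gemini API host.

```python
"""Heuristic detection of the PromptSpy-style behaviour chain over constructed
device-telemetry records (added example, not ESET's code or the malware's).

Each behaviour (accessibility access, screenshots, model-API traffic, injected
gestures) is benign on its own, so the heuristic scores the combination per
package and lets an operator allowlist known accessibility/automation apps.
"""
import json
from collections import defaultdict

# Hostnames of hosted multimodal-model APIs.  generativelanguage.googleapis.com is
# the public Gemini API host; the second entry is a placeholder standing in for
# any other vision-capable model endpoint an operator wants to watch (assumption).
LLM_API_HOSTS = {
    "generativelanguage.googleapis.com",
    "llm-api.example.invalid",  # placeholder, not a real vendor host
}

# Packages allowed to combine accessibility access with model-API traffic.
# Assumption: an operator-maintained list; the name here is constructed.
ALLOWLIST = {"com.example.screenreader"}

# Event names are constructed for this example; weights reflect how much each
# step contributes to the "AI-driven UI navigation" pattern.
WEIGHTS = {
    "accessibility_bound": 1,   # app bound an AccessibilityService
    "screenshot_capture": 1,    # app captured the screen
    "llm_api_connect": 2,       # app contacted a model-API host
    "ui_inject": 2,             # app dispatched taps/gestures programmatically
}
ALERT_THRESHOLD = 5  # only (nearly) the full chain crosses this


def classify_event(rec):
    """Map one raw telemetry record to a heuristic event name, or None."""
    ev = rec.get("event")
    if ev == "net_connect":
        return "llm_api_connect" if rec.get("host") in LLM_API_HOSTS else None
    return ev if ev in WEIGHTS else None


def score_packages(lines):
    """Parse JSON-lines telemetry; return {package: (score, sorted event list)}."""
    seen = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than crash the pipeline
        ev = classify_event(rec)
        if ev and "pkg" in rec:
            seen[rec["pkg"]].add(ev)
    return {pkg: (sum(WEIGHTS[e] for e in evs), sorted(evs))
            for pkg, evs in seen.items()}


def flag_packages(lines):
    """Return packages whose behaviour chain crosses the alert threshold."""
    return sorted(
        pkg for pkg, (score, _) in score_packages(lines).items()
        if score >= ALERT_THRESHOLD and pkg not in ALLOWLIST
    )


# Constructed telemetry: a knock-off banking app showing the full chain, a
# legitimate (allowlisted) screen reader, an app that only calls the API, and
# one malformed line to exercise the parser's error path.
SAMPLE_TELEMETRY = """
{"pkg": "com.morganarg.fake", "event": "accessibility_bound"}
{"pkg": "com.morganarg.fake", "event": "screenshot_capture"}
{"pkg": "com.morganarg.fake", "event": "net_connect", "host": "generativelanguage.googleapis.com"}
{"pkg": "com.morganarg.fake", "event": "ui_inject"}
{"pkg": "com.example.screenreader", "event": "accessibility_bound"}
{"pkg": "com.example.screenreader", "event": "screenshot_capture"}
{"pkg": "com.example.screenreader", "event": "net_connect", "host": "generativelanguage.googleapis.com"}
{"pkg": "com.example.screenreader", "event": "ui_inject"}
{"pkg": "com.example.notes", "event": "net_connect", "host": "generativelanguage.googleapis.com"}
{"pkg": "com.example.notes", "event": "net_connect", "host": "cdn.example.invalid"}
not json at all
""".splitlines()

if __name__ == "__main__":
    for pkg, (score, evs) in score_packages(SAMPLE_TELEMETRY).items():
        print(f"{pkg}: score={score} events={evs}")
    print("flagged:", flag_packages(SAMPLE_TELEMETRY))
```

The allowlist is what keeps this usable: as the article notes, the API request itself is indistinguishable from a legitimate accessibility query, so the signal has to come from which app on the device is making it and what else that app is doing, and a per-host block would break the very tools the heuristic exempts.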

The Timeline

  • January 13 – Two samples of the predecessor VNCSpy appeared on VirusTotal (uploaded from Hong Kong).
  • February 10 – Four more advanced samples surfaced from Argentina. These were the PromptSpy variants, built on VNCSpy’s foundation but with Gemini integration added.

There were only 28 days between proof of concept and AI‑augmented evolution. ESET has not detected samples in its telemetry yet, which could mean the campaign is small—or that it is new enough to have evaded detection.

Why This Matters More Than It Looks

Security researchers have debated for two years whether AI would change malware. The consensus was that the current threat was AI‑generated phishing and social engineering, not AI‑integrated malware. PromptSpy breaks that consensus.

The technical barrier it crossed isn’t sophisticated: calling an API is trivial. Any developer can send a screenshot to Gemini and parse the JSON response. That accessibility makes the capability cheap enough for a financially motivated crew targeting Argentine bank customers to implement in under a month.

Gemini doesn’t know it’s being used by malware. It sees a screenshot and a question about UI navigation. There’s no policy violation in explaining how to tap a button. The request is indistinguishable from a legitimate accessibility query, so Google can’t filter it without breaking legitimate accessibility tools, developer testing, and customer‑support automation.

This is the weaponization everyone warned about, but not the kind anyone prepared for. It’s not an AI generating zero‑day exploits; it’s an AI doing customer service for malware—answering basic questions about how a phone works, with no way to know who’s asking or why.

The Adaptation Problem

The real threat isn’t PromptSpy itself; it’s the architecture. Malware that delegates decision‑making to an AI doesn’t need to be updated when the target environment changes. It doesn’t need a command‑and‑control server to push new instructions; it generates its own instructions from the environment it’s in.

  • Every Android update that changes the UI now requires zero malware updates to maintain persistence.
  • Every manufacturer‑specific skin is navigated automatically.
  • Every accessibility framework designed to help disabled users becomes a surface the malware can query.

Gemini isn’t the only model with vision capabilities. Claude, GPT‑4o, and other models accept images and return structured responses. If Google manages to block PromptSpy’s API calls, the next variant could route through a different model. The technique is model‑agnostic.

The Cost of Free Intelligence

Google offers Gemini API access on a free tier. ESET didn’t disclose whether PromptSpy uses the free tier or stolen API keys, but the economics are clear: the marginal cost of making malware adaptive is approaching zero—a few hundred API calls per infected device per day translates to pennies.

For two decades, malware economics favored volume over sophistication (“spray and pray”). PromptSpy suggests a new equilibrium: adaptive malware cheap enough to deploy at scale and smart enough to survive without human maintenance.

ESET classified the current samples as potential proof‑of‑concept. That assessment should worry you—it means someone built this to see if it works. It works.
