PromptSpy

The first known Android malware to use generative AI at runtime. Discovered by ESET in February 2026, PromptSpy sends XML screen dumps to Google Gemini and receives JSON instructions for UI manipulation, allowing it to adapt to any device layout or OS version without hardcoded UI paths. Evolved from VNCSpy, which provided VNC remote access capabilities.

Overview

Property      Value
First Seen    January 2026 (VNCSpy); February 2026 (PromptSpy with Gemini AI)
Type          RAT / Spyware
Attribution   Unknown (Simplified Chinese debug strings suggest Chinese-speaking development)
Aliases       Android/Spy.VNCSpy.A, Android/Spy.PromptSpy.A, Android/Phishing.Agent.M (ESET)

Distribution

Dedicated website (mgardownload[.]com). Dropper displays fake bank update prompts. Targets Argentine banking customers based on Spanish-language phishing content and domain naming ("MorganArg").

Capabilities

Capability                  Implementation
GenAI runtime               Sends XML screen dumps to Google Gemini, receives JSON UI manipulation instructions
VNC remote access           Full remote control via VNC module
Accessibility abuse         Core mechanism for UI interaction
PIN/password interception   Captures lockscreen credentials
Pattern recording           Records video of pattern unlock gestures
Screen recording            Records screen with gesture overlay tracking
Anti-uninstall              Invisible overlays prevent removal
Persistence                 Uses Gemini AI to find and lock itself in recent-apps

AI Integration

PromptSpy's use of Gemini AI is its defining innovation. Traditional banking trojans hardcode UI element identifiers for targeted apps, requiring constant updates when apps change their layouts. PromptSpy instead:

  1. Captures the current screen state as an XML accessibility tree
  2. Sends the XML dump to the Google Gemini API
  3. Receives structured JSON instructions describing which UI elements to interact with
  4. Executes the instructions via Accessibility Service

This makes the malware inherently adaptive to any app version, device manufacturer UI, or Android version.
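A defender-side triage heuristic built around the behaviour pattern described above, added here as an example and not code from ESET or from the malware itself: it scores per-app observations (constructed sample data) for the capability combinations in the table, pairing accessibility abuse with overlay, screen-capture and LLM-API indicators so that a legitimate screen reader alone does not trip it. The Gemini API host generativelanguage.googleapis.com and the observation fields are assumptions; the page does not name the endpoint PromptSpy uses.

```python
from dataclasses import dataclass, field

# Public Gemini API host. An assumption for this example: the page says PromptSpy
# talks to Google Gemini but does not name the exact endpoint it uses.
GEMINI_HOST = "generativelanguage.googleapis.com"

@dataclass
class AppObservation:
    """Per-app evidence as a device triage tool might collect it (constructed fields)."""
    package: str
    accessibility_enabled: bool = False  # package has an enabled AccessibilityService
    overlay_permission: bool = False     # SYSTEM_ALERT_WINDOW granted (invisible overlays)
    screen_capture: bool = False         # screen/gesture recording observed
    sideloaded: bool = False             # not installed by an app store
    outbound_hosts: set = field(default_factory=set)

def parse_enabled_services(setting: str) -> set:
    """Parse the `enabled_accessibility_services` secure setting, which is a
    colon-separated list of package/service entries, into a set of packages."""
    return {entry.split("/")[0] for entry in setting.strip().split(":") if entry}

def score_app(obs: AppObservation) -> list:
    """Return the PromptSpy-style behaviour combinations this app exhibits.
    Each rule pairs accessibility abuse with one other capability from the
    table above, because accessibility alone is also used by legitimate apps."""
    reasons = []
    if not obs.accessibility_enabled:
        return reasons
    if GEMINI_HOST in obs.outbound_hosts:
        reasons.append("accessibility service + traffic to LLM API host")
    if obs.overlay_permission:
        reasons.append("accessibility service + overlay permission (anti-uninstall)")
    if obs.screen_capture:
        reasons.append("accessibility service + screen capture (PIN/pattern recording)")
    if reasons and obs.sideloaded:
        reasons.append("sideloaded install")
    return reasons

def triage(observations) -> dict:
    """Map each package with at least one matching rule to its reasons."""
    flagged = {}
    for obs in observations:
        reasons = score_app(obs)
        if reasons:
            flagged[obs.package] = reasons
    return flagged

# Constructed sample: one legitimate screen reader, one app matching the pattern.
SAMPLE = [
    AppObservation("com.example.screenreader", accessibility_enabled=True,
                   outbound_hosts={"updates.example.org"}),
    AppObservation("com.example.bankupdate", accessibility_enabled=True,
                   overlay_permission=True, screen_capture=True, sideloaded=True,
                   outbound_hosts={GEMINI_HOST, "c2.invalid"}),
]
```

The rules are triage signals, not verdicts: an assistive app that also calls an LLM API will match the first rule and needs analyst review.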

References