PromptSpy: The first Android malware using Gemini AI
This news just broke and it’s honestly pretty creepy. Researchers at ESET Research have discovered a new piece of Android malware called PromptSpy. Its trick? It’s the first Android malware known to use generative AI (specifically Google’s Gemini) to make sure it never gets removed from your phone.
As explained in the Clubic article, traditional Android malware often struggles to adapt to the different phone interfaces (Samsung, Xiaomi, Google, etc.). PromptSpy gets around this: it takes a screenshot of your screen and asks the AI, in effect: “Tell me what I should click on to stay active.”
How AI helps the virus stay “pinned”
According to the official report on WeLiveSecurity (ESET’s tech blog), the malware doesn’t just steal data. Its main goal is persistence. It uses Gemini to analyze the recent apps menu and find out how to “lock” its own window.
Once the AI provides the right coordinates, the malware pins itself. From there, even if you try to swipe away all your apps, the virus stays stuck. It’s quite vicious because the script isn’t fixed; it chats in real-time with the AI to adapt to your specific Android version.
Malware mimicking banking apps
PromptSpy doesn’t just appear out of thin air. It often hides inside fake apps. Researchers specifically spotted a version named MorganArg, which mimics the JPMorgan Chase bank app in Argentina.
Here are the capabilities ESET experts listed:
- Remote control: Using a VNC module, hackers see your screen live.
- Keylogging: It records everything you type (passwords, messages).
- Blocking uninstallation: It creates invisible click zones over the “Delete” button to stop you from acting.
How to remove this malware and protect your Android
For now, according to The Hacker News, the malware seems to be a “proof of concept” or to be targeting specific regions, but the technique could spread fast. If you think you’re infected, the recommended fix is radical: restart your phone in Safe Mode.
In this mode, downloaded apps are disabled. You can then go to your settings and manually delete the malicious app. Also, make sure Google Play Protect is active on your phone. Even though hackers are clever, antivirus software is already starting to flag PromptSpy’s signature.
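To work out which sideloaded app is the one to delete, a useful check from a computer with adb is whether any third-party app has an accessibility service enabled, since that is the capability an Android trojan needs to read the screen and inject taps. The helper below is an added example for this post, not code from ESET or the cited articles; it parses the output of two real adb commands (`pm list packages -3` and `settings get secure enabled_accessibility_services`), while the package names, the sample output and the allowlist are constructed for illustration.

```shell
#!/bin/sh
# Added triage example (not from ESET or the cited articles): list sideloaded
# (third-party) packages that also have an accessibility service enabled.
# It parses the output format of two real adb commands; the sample output
# below is constructed so the script runs offline.
#
#   adb shell pm list packages -3
#       -> one line per app: "package:<pkg>"
#   adb shell settings get secure enabled_accessibility_services
#       -> colon-separated list: "<pkg>/<service>:<pkg>/<service>"

# Constructed stand-in for the two adb commands above.
SAMPLE_THIRD_PARTY='package:com.example.bank.official
package:com.example.morganarg.sample
package:com.example.screenreader'

SAMPLE_A11Y='com.example.screenreader/.ReaderService:com.example.morganarg.sample/.A11yService:com.android.settings/.SysService'

# Accessibility services the device owner knowingly enabled (assumed allowlist).
ALLOWED_A11Y='com.example.screenreader'

# a11y_packages: stdin = enabled_accessibility_services value,
# stdout = unique package names that currently run an accessibility service.
a11y_packages() {
  tr ':' '\n' | cut -d/ -f1 | grep -v '^$' | sort -u
}

# third_party_packages: stdin = "pm list packages -3" output,
# stdout = bare package names.
third_party_packages() {
  sed -n 's/^package://p' | sort -u
}

# suspicious_a11y: print third-party packages that have an accessibility
# service enabled and are not on the allowlist.
#   $1 = "pm list packages -3" output, $2 = accessibility setting value
suspicious_a11y() {
  third=$(printf '%s\n' "$1" | third_party_packages)
  printf '%s\n' "$2" | a11y_packages | while read -r pkg; do
    # Only sideloaded/third-party apps are of interest here.
    printf '%s\n' "$third" | grep -qxF "$pkg" || continue
    # Services the owner deliberately enabled are skipped.
    printf '%s\n' "$ALLOWED_A11Y" | grep -qxF "$pkg" && continue
    echo "$pkg"
  done
}

# Stand-alone run against the constructed sample. With a phone attached you
# would instead pass "$(adb shell pm list packages -3)" and
# "$(adb shell settings get secure enabled_accessibility_services)".
suspicious_a11y "$SAMPLE_THIRD_PARTY" "$SAMPLE_A11Y"
```

Any package the script prints is a candidate to look at in Settings and uninstall from Safe Mode; an empty result only means no sideloaded app currently holds an accessibility service, not that the phone is clean.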
Anyway, be really careful with APKs you download outside the Play Store. It’s a major step in cybercrime: hackers are hijacking our daily tools to make their attacks more dynamic.
Sources and further information:
- Clubic: Android malware talks to AI to survive on your phone
- ESET Research (WeLiveSecurity): PromptSpy ushers in the era of Android threats using GenAI
- The Hacker News: New PromptSpy Android Malware Abuses Google’s Gemini AI
Transparency Note: This article was written with a little help from AI. Don’t worry, unlike PromptSpy, my AI stayed polite, didn’t try to lock my browser, and hasn’t asked for money (well, not yet). We worked together to break this down for you. Basically, a human-machine collab guaranteed malware-free!