According to security researchers, a new Android malware strain appears to be woven directly into Google's Gemini AI chatbot, which seems to have a generative AI component. One of the most noteworthy aspects of this discovery is that it marks an unusual development in the evolution of mobile threat evolution, as a tool that was intended to assist users with problems has been repurposed to initiate malicious software through the user interface of a victim's device.

In real time, the malware analyzes on-screen activity and generates contextual instructions based on it, demonstrating that modern AI systems can serve as tactical enablers in cyber intrusions. As a result of the adaptive nature of malicious applications, traditional automated scripts rarely achieve such levels of adaptability. 

It has been concluded from further technical analysis that the malware, known as PromptSpy by ESET, combines a variety of established surveillance and control mechanisms with an innovative layer of artificial intelligence-assisted persistence. 

When the program is installed on an affected device, a built-in virtual network computing module allows operators to view and control the compromised device remotely. While abusing Android's accessibility framework, this application obstructs users from attempting to remove the application, effectively interfering with user actions intended to terminate or uninstall it. 

Additionally, malicious code can harvest lock-screen information, collect detailed device identifiers, take screenshots, and record extended screen activity as video while maintaining encrypted communications with its command-and-control system. 

According to investigators, the campaign is primarily motivated by financial interests and has targeted heavily on Argentinian users so far, although linguistic artifacts within the code base indicate that the development most likely took place in a Chinese-speaking environment. However, PromptSpy is characterized by its unique implementation of Gemini as an operational aid that makes it uniquely unique. 

A dynamic interpretation of the device interface is utilized by the malware, instead of relying on rigid automation scripts that simulate taps at predetermined coordinates, an approach that frequently fails across different versions or interface layouts of Android smartphones. It transmits a textual prompt along with an XML representation of the current screen layout to Gemini, thereby providing a structured map of the visible buttons, text labels, and interface elements to Gemini. 

Once the chatbot has returned structured JSON instructions which indicate where interaction should take place, PromptSpy executes those instructions and repeats the process until the malicious application has successfully been anchored in the recent-apps list. This reduces the likelihood that the process may be dismissed by routine user gestures or management of the system. 

ESET researchers noted that the malware was first observed in February 2026 and appears to have evolved from a previous strain known as VNCSpy. The operation is believed to selectively target regional victims while maintaining development infrastructure elsewhere by uploading samples from Hong Kong, before later variants surface in Argentina. 

It is not distributed via official platforms such as Google Play; instead, victims are directed to a standalone website impersonating Chase Bank's branding by using identifiers such as "MorganArg." In addition, the final malware payload appears to be delivered via a related phishing application, thought to be originated by the same threat actor. 

Even though the malicious software is not listed on the official Google Play store, analysts note that Google Play Protect can detect and block known versions of the threat after they are identified. This interaction loop involves the AI model interpreting the interface data and returning structured JSON responses that are utilized by the malware for operational guidance. 

The responses specify both the actions that should be performed-such as simulated taps-as well as the exact interface element on which they should occur. By following these instructions, the malicious application is able to interact with system interfaces without direct user input, by utilizing Android's accessibility framework. 

Repeating the process iteratively is necessary to secure the application's position within the recent apps list of the device, a state that greatly complicates efforts to initiate task management or routine gestures to terminate the process. 

Gemini assumes the responsibility of interpreting the interface of the malware, thereby avoiding the fragility associated with fixed automation scripts. This allows the persistence routine to operate reliably across a variety of screen sizes, interface configurations, and Android builds. Once persistence is achieved, the operation's main objective becomes evident: establishing sustained remote access to the compromised device. 

By deploying a virtual network computing component integrated with PromptSpy, attackers have access to a remote monitor and control of the victim's screen in real time via the VNC protocol, which connects to a hard-coded command-and-control endpoint and is controlled remotely by the attacker infrastructure. 

Using this channel, the malware is able to retrieve operational information, such as the API key necessary to access Gemini, request screenshots on demand, or initiate continuous screen recording sessions. As part of this surveillance capability, we can also intercept highly sensitive information, such as lock-screen credentials, such as passwords and PINs, and record pattern-based unlock gestures. 

The malware utilizes Android accessibility services to place invisible overlays across portions of the interface, which effectively prevents users from uninstalling or disabling the application. As a result of distribution analysis, it appears the campaign uses a multi-stage delivery infrastructure rather than an official application marketplace for delivery. 

Despite never appearing on Google Play, the malware has been distributed through a dedicated website that distributes a preliminary dropper application instead. As soon as the dropper is installed, a secondary page appears hosted on another domain which mimics JPMorgan Chase's visual identity and identifies itself as MorganArg. Morgan Argentina appears to be the reference to the dropper. 

In the interface, victims are instructed to provide permission for installing software from unknown sources. Thereafter, the dropper retrieves a configuration file from its server and quietly downloads it. According to the report, the file contains instructions and a download link for a second Android package delivered to the victim as if it were a routine application update based on Spanish-language prompts. 

Researchers later discovered that the configuration server was no longer accessible, which left the specific distribution path of the payload unresolved. Clues in the malware’s code base provide additional insight into the campaign’s origin and targeting strategy. Linguistic artifacts, including debug strings written in simplified Chinese, suggest that Chinese-speaking operators maintained the development environment. 

Furthermore, the cybersecurity infrastructure and phishing material used in the operation indicate an interest in Argentina, which further supports the assessment that the activity is not espionage-related but rather financially motivated. It is also noted that PromptSpy appears to be a result of the evolution of a previously discovered Android malware strain known as VNCSpy, the samples of which were first submitted from Hong Kong to VirusTotal only weeks before the new variant was identified.

In addition to highlighting an immediate shift in the technical design of mobile threats, the discovery also indicates a broader shift. It is possible for attackers to automate interactions that would otherwise require extensive manual scripting and constant maintenance as operating systems change by outsourcing interface interpretation to a generative artificial intelligence system. 

Using this approach, malware can respond dynamically to changes in interfaces, device models, and regional system configurations by changing its behavior accordingly. Additionally, PromptSpy's persistence technique complicates remediation, since invisible overlays can obstruct victims' ability to access the uninstall controls, thereby further complicating remediation. 

In many cases, the only reliable way to remove the application is to restart the computer in Safe Mode, which temporarily disables third-party applications, allowing them to be removed without interruption. As security researchers have noted, PromptSpy's technique indicates that Android malware development is heading in a potentially troubling direction. 

By feeding an image of the device interface to artificial intelligence and receiving precise interaction instructions in return, malicious software gains an unprecedented degree of adaptability and efficiency not seen in traditional mobile threats. 

It is likely that as generative models become more deeply ingrained into consumer platforms, the same interpretive capabilities designed to assist users may be increasingly repurposed by threat actors who wish to automate complicated device interactions and maintain long-term control over compromised systems. 

Security practitioners and everyday users alike should be reminded that defensive practices must evolve to meet the changing technological landscape. As a general rule, analysts recommend installing applications only from trusted marketplaces, carefully reviewing accessibility permission requests, and avoiding downloads that are initiated by unsolicited websites or update prompts. 

The use of Android security updates and Google Play Protect can also reduce exposure to known threats as long as the protections remain active. Research indicates that, as tools such as Gemini are increasingly being used in malicious workflows, it signals an inflection point in mobile security, which may lead to a shift in both the offensive and defensive sides of the threat landscape as artificial intelligence becomes more prevalent. 

It is likely that in order to combat the next phase of adaptive Android malware, the industry will have to strengthen detection models, improve behavioural monitoring, and tighten controls on high-risk permissions.