PromptSpy Android Malware Uses Gemini AI for Persistence
Summary
PromptSpy, an advanced Android malware, uses Google's Gemini AI to maintain persistence by pinning itself in the recent apps list. The malware captures lockscreen data, blocks uninstallation, gathers device information, takes screenshots, and records screen activity. It communicates with a hard-coded C2 server and is distributed via a dedicated website targeting users in Argentina. PromptSpy is the first known Android malware to use generative AI in its execution flow, sending screen data to Gemini to receive instructions for maintaining persistence. The malware is an advanced version of VNCSpy and is likely financially motivated. Researchers first discovered PromptSpy in February 2026, with initial samples uploaded to VirusTotal from Hong Kong and Argentina. ESET has not observed the malware in its telemetry, suggesting it may be a proof-of-concept. ESET attributed PromptSpy to Chinese developers with medium confidence, but has not linked it to any known threat actor. PromptSpy deploys a VNC module on compromised systems, enabling operators to view the victim’s screen and take full control of the Android device. The malware saves both its previous prompts and Gemini’s responses, allowing Gemini to understand context and coordinate multistep interactions.
Timeline
- 19.02.2026 19:52 · 5 articles
PromptSpy Android Malware Abuses Gemini AI for Persistence
PromptSpy, a new Android malware, uses Google's Gemini AI to maintain persistence by keeping itself pinned in the recent apps list. The malware captures lockscreen data, blocks uninstallation, gathers device information, takes screenshots, and records screen activity. It communicates with a hard-coded C2 server and is distributed via a dedicated website targeting users in Argentina. The malware is an advanced version of VNCSpy and is likely financially motivated. PromptSpy is the first known Android malware to use generative AI in its execution flow, sending screen data to Gemini to receive instructions for maintaining persistence. Researchers first discovered PromptSpy in February 2026, with initial samples uploaded to VirusTotal from Hong Kong and Argentina. ESET has not observed the malware in its telemetry, suggesting it may be a proof-of-concept. ESET attributed PromptSpy to Chinese developers with medium confidence, but has not linked it to any known threat actor. PromptSpy deploys a VNC module on compromised systems, enabling operators to view the victim’s screen and take full control of the Android device. The malware saves both its previous prompts and Gemini’s responses, allowing Gemini to understand context and coordinate multistep interactions.
Sources:
- PromptSpy Android Malware Abuses Gemini AI to Automate Recent-Apps Persistence — thehackernews.com — 19.02.2026 19:52
- PromptSpy is the first Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- PromptSpy is the first known Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- PromptSpy Android Malware Abuses Gemini AI at Runtime for Persistence — www.securityweek.com — 20.02.2026 09:06
- Android Malware Hijacks Google Gemini to Stay Hidden — www.infosecurity-magazine.com — 20.02.2026 13:35
Information Snippets
- PromptSpy uses Gemini AI to analyze the current screen and provide step-by-step instructions to keep the app pinned in the recent apps list.
  First reported: 19.02.2026 19:52 · 4 sources, 5 articles
  Sources:
- PromptSpy Android Malware Abuses Gemini AI to Automate Recent-Apps Persistence — thehackernews.com — 19.02.2026 19:52
- PromptSpy is the first Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- PromptSpy is the first known Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- PromptSpy Android Malware Abuses Gemini AI at Runtime for Persistence — www.securityweek.com — 20.02.2026 09:06
- Android Malware Hijacks Google Gemini to Stay Hidden — www.infosecurity-magazine.com — 20.02.2026 13:35
- The malware captures lockscreen data, blocks uninstallation, gathers device information, takes screenshots, and records screen activity.
  First reported: 19.02.2026 19:52 · 4 sources, 5 articles
  Sources:
- PromptSpy Android Malware Abuses Gemini AI to Automate Recent-Apps Persistence — thehackernews.com — 19.02.2026 19:52
- PromptSpy is the first Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- PromptSpy is the first known Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- PromptSpy Android Malware Abuses Gemini AI at Runtime for Persistence — www.securityweek.com — 20.02.2026 09:06
- Android Malware Hijacks Google Gemini to Stay Hidden — www.infosecurity-magazine.com — 20.02.2026 13:35
- PromptSpy communicates with a hard-coded C2 server (54.67.2[.]84) via the VNC protocol.
  First reported: 19.02.2026 19:52 · 2 sources, 3 articles
  Sources:
- PromptSpy Android Malware Abuses Gemini AI to Automate Recent-Apps Persistence — thehackernews.com — 19.02.2026 19:52
- PromptSpy is the first Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- PromptSpy is the first known Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- The malware is distributed via a dedicated website and has never been available on Google Play.
  First reported: 19.02.2026 19:52 · 4 sources, 5 articles
  Sources:
- PromptSpy Android Malware Abuses Gemini AI to Automate Recent-Apps Persistence — thehackernews.com — 19.02.2026 19:52
- PromptSpy is the first Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- PromptSpy is the first known Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- PromptSpy Android Malware Abuses Gemini AI at Runtime for Persistence — www.securityweek.com — 20.02.2026 09:06
- Android Malware Hijacks Google Gemini to Stay Hidden — www.infosecurity-magazine.com — 20.02.2026 13:35
- PromptSpy is an advanced version of VNCSpy, which was first uploaded to VirusTotal from Hong Kong last month.
  First reported: 19.02.2026 19:52 · 3 sources, 4 articles
  Sources:
- PromptSpy Android Malware Abuses Gemini AI to Automate Recent-Apps Persistence — thehackernews.com — 19.02.2026 19:52
- PromptSpy is the first Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- PromptSpy is the first known Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- Android Malware Hijacks Google Gemini to Stay Hidden — www.infosecurity-magazine.com — 20.02.2026 13:35
- The malware is likely financially motivated and targets users in Argentina.
  First reported: 19.02.2026 19:52 · 4 sources, 5 articles
  Sources:
- PromptSpy Android Malware Abuses Gemini AI to Automate Recent-Apps Persistence — thehackernews.com — 19.02.2026 19:52
- PromptSpy is the first Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- PromptSpy is the first known Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- PromptSpy Android Malware Abuses Gemini AI at Runtime for Persistence — www.securityweek.com — 20.02.2026 09:06
- Android Malware Hijacks Google Gemini to Stay Hidden — www.infosecurity-magazine.com — 20.02.2026 13:35
- PromptSpy prevents uninstallation by overlaying invisible elements on the screen, requiring a reboot into Safe Mode for removal.
  First reported: 19.02.2026 19:52 · 3 sources, 4 articles
  Sources:
- PromptSpy Android Malware Abuses Gemini AI to Automate Recent-Apps Persistence — thehackernews.com — 19.02.2026 19:52
- PromptSpy is the first Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- PromptSpy is the first known Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- Android Malware Hijacks Google Gemini to Stay Hidden — www.infosecurity-magazine.com — 20.02.2026 13:35
- PromptSpy is the first known Android malware to use generative AI in its execution flow.
  First reported: 20.02.2026 00:36 · 3 sources, 4 articles
  Sources:
- PromptSpy is the first Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- PromptSpy is the first known Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- PromptSpy Android Malware Abuses Gemini AI at Runtime for Persistence — www.securityweek.com — 20.02.2026 09:06
- Android Malware Hijacks Google Gemini to Stay Hidden — www.infosecurity-magazine.com — 20.02.2026 13:35
- PromptSpy sends Google's Gemini model a chat prompt along with an XML dump of the current screen to receive JSON-formatted instructions for pinning the app.
  First reported: 20.02.2026 00:36 · 3 sources, 4 articles
  Sources:
- PromptSpy is the first Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- PromptSpy is the first known Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- PromptSpy Android Malware Abuses Gemini AI at Runtime for Persistence — www.securityweek.com — 20.02.2026 09:06
- Android Malware Hijacks Google Gemini to Stay Hidden — www.infosecurity-magazine.com — 20.02.2026 13:35
- PromptSpy overlays transparent, invisible rectangles over UI buttons to block uninstallation.
  First reported: 20.02.2026 00:36 · 3 sources, 4 articles
  Sources:
- PromptSpy is the first Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- PromptSpy is the first known Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- PromptSpy Android Malware Abuses Gemini AI at Runtime for Persistence — www.securityweek.com — 20.02.2026 09:06
- Android Malware Hijacks Google Gemini to Stay Hidden — www.infosecurity-magazine.com — 20.02.2026 13:35
- Victims must reboot into Android Safe Mode to uninstall PromptSpy.
  First reported: 20.02.2026 00:36 · 3 sources, 4 articles
  Sources:
- PromptSpy is the first Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- PromptSpy is the first known Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- PromptSpy Android Malware Abuses Gemini AI at Runtime for Persistence — www.securityweek.com — 20.02.2026 09:06
- Android Malware Hijacks Google Gemini to Stay Hidden — www.infosecurity-magazine.com — 20.02.2026 13:35
- PromptSpy was distributed via the domain mgardownload[.]com and impersonated JPMorgan Chase Bank on m-mgarg[.]com.
  First reported: 20.02.2026 00:36 · 2 sources, 3 articles
  Sources:
- PromptSpy is the first Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- PromptSpy is the first known Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- Android Malware Hijacks Google Gemini to Stay Hidden — www.infosecurity-magazine.com — 20.02.2026 13:35
- PromptSpy was first discovered in February 2026, with the initial version, VNCSpy, uploaded to VirusTotal from Hong Kong on January 13th, 2026.
  First reported: 20.02.2026 00:36 · 2 sources, 2 articles
  Sources:
- PromptSpy is the first known Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- Android Malware Hijacks Google Gemini to Stay Hidden — www.infosecurity-magazine.com — 20.02.2026 13:35
- Four samples of the more advanced PromptSpy malware were uploaded to VirusTotal from Argentina on February 10th, 2026.
  First reported: 20.02.2026 00:36 · 1 source, 1 article
  Sources:
- PromptSpy is the first known Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- ESET has not observed PromptSpy or its dropper in its telemetry, suggesting it may be a proof-of-concept.
  First reported: 20.02.2026 00:36 · 2 sources, 2 articles
  Sources:
- PromptSpy is the first known Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- Android Malware Hijacks Google Gemini to Stay Hidden — www.infosecurity-magazine.com — 20.02.2026 13:35
- PromptSpy uses Google's Gemini model to receive JSON-formatted instructions for pinning the app by sending a chat prompt along with an XML dump of the current screen.
  First reported: 20.02.2026 00:36 · 3 sources, 3 articles
  Sources:
- PromptSpy is the first known Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- PromptSpy Android Malware Abuses Gemini AI at Runtime for Persistence — www.securityweek.com — 20.02.2026 09:06
- Android Malware Hijacks Google Gemini to Stay Hidden — www.infosecurity-magazine.com — 20.02.2026 13:35
- PromptSpy deploys a VNC module on compromised systems, enabling operators to view the victim’s screen and take full control of the Android device.
  First reported: 20.02.2026 09:06 · 2 sources, 2 articles
  Sources:
- PromptSpy Android Malware Abuses Gemini AI at Runtime for Persistence — www.securityweek.com — 20.02.2026 09:06
- Android Malware Hijacks Google Gemini to Stay Hidden — www.infosecurity-magazine.com — 20.02.2026 13:35
- PromptSpy saves both its previous prompts and Gemini’s responses, allowing Gemini to understand context and coordinate multistep interactions.
  First reported: 20.02.2026 09:06 · 2 sources, 2 articles
  Sources:
- PromptSpy Android Malware Abuses Gemini AI at Runtime for Persistence — www.securityweek.com — 20.02.2026 09:06
- Android Malware Hijacks Google Gemini to Stay Hidden — www.infosecurity-magazine.com — 20.02.2026 13:35
- ESET attributed PromptSpy to Chinese developers with medium confidence, but has not linked it to any known threat actor.
  First reported: 20.02.2026 09:06 · 2 sources, 2 articles
  Sources:
- PromptSpy Android Malware Abuses Gemini AI at Runtime for Persistence — www.securityweek.com — 20.02.2026 09:06
- Android Malware Hijacks Google Gemini to Stay Hidden — www.infosecurity-magazine.com — 20.02.2026 13:35
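A log sweep for the network indicators named in the snippets above (54.67.2[.]84, mgardownload[.]com, m-mgarg[.]com), as an added example that is not code from ESET or the cited articles. The log format, the sample lines, and the function names are constructed for illustration.

```python
import ipaddress
import re

# Indicators exactly as the page lists them (defanged).
DEFANGED_IOCS = ["54.67.2[.]84", "mgardownload[.]com", "m-mgarg[.]com"]

# Constructed sample lines (DNS, proxy and firewall style); not real telemetry.
SAMPLE_LOG = [
    "2026-02-20T10:01:02Z dns client=10.0.0.7 query=mgardownload.com type=A",
    "2026-02-20T10:01:09Z proxy client=10.0.0.7 GET https://cdn.m-mgarg.com/login",
    "2026-02-20T10:02:30Z fw client=10.0.0.7 dst=54.67.2.84:443 action=allow",
    "2026-02-20T10:03:00Z dns client=10.0.0.9 query=notmgardownload.com type=A",
    "2026-02-20T10:03:05Z dns client=10.0.0.9 query=mgardownload.com.example.org type=A",
]

# Host-like tokens; ':' '/' '=' are excluded so ports, paths and keys split off.
TOKEN = re.compile(r"[A-Za-z0-9._\-\[\]]+")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]' or '(.)') back into matchable form."""
    return indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")


def build_matchers(defanged):
    """Split refanged indicators into a set of IP objects and a set of domains."""
    ips, domains = set(), set()
    for item in map(refang, defanged):
        try:
            ips.add(ipaddress.ip_address(item))
        except ValueError:
            domains.add(item.rstrip("."))
    return ips, domains


def domain_hit(host: str, domains) -> bool:
    """Match the domain itself or any subdomain, never a mere substring."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def sweep(lines, defanged=DEFANGED_IOCS):
    """Return (line_number, matched_token) for every indicator hit."""
    ips, domains = build_matchers(defanged)
    hits = []
    for n, line in enumerate(lines, 1):
        for raw in TOKEN.findall(line):
            # Logs and ticket notes may themselves carry defanged values.
            tok = refang(raw).strip(".[]")
            try:
                ip_hit = ipaddress.ip_address(tok) in ips
            except ValueError:
                ip_hit = False
            if ip_hit or domain_hit(tok, domains):
                hits.append((n, tok))
    return hits


if __name__ == "__main__":
    for line_no, token in sweep(SAMPLE_LOG):
        print(f"line {line_no}: {token}")
```

Suffix matching on a dot boundary is what keeps lookalikes such as `notmgardownload.com` and `mgardownload.com.example.org` out of the results while still catching subdomains.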
Similar Happenings
Android Malware Campaign Abuses Hugging Face Platform
A new Android malware campaign leverages the Hugging Face platform to distribute thousands of variants of an APK payload designed to steal credentials from popular financial and payment services. The attack begins with a dropper app called TrustBastion, which uses scareware-style ads to lure victims into installing it. The malware then redirects to a Hugging Face repository to download the final payload, using server-side polymorphism to evade detection. The malware exploits Android’s Accessibility Services to capture screenshots, monitor user activity, and steal credentials. The campaign was discovered by Bitdefender researchers, who found over 6,000 commits in the repository. The repository was taken down but resurfaced under a new name, 'Premium Club,' with the same malicious code. Bitdefender has published indicators of compromise and informed Hugging Face, which removed the malicious datasets. The infection chain begins when users download the malicious Android app TrustBastion, which appears as scareware via popups claiming the device is infected with malware. The dropper app prompts users to run an update that mimics legitimate Google Play and Android system update dialog boxes. The dropper contacts an encrypted endpoint hosted at trustbastion[.]com, which returns an HTML file containing a redirect link to the Hugging Face repository hosting the malware. The malware masquerades as a 'Phone Security' feature to guide users through enabling Accessibility Services. The malware requests permissions for screen recording, screen casting, and overlay display to monitor all user activity and capture screen content. The malware captures lockscreen information for security verification of financial and payment services.
Malicious OpenClaw AI Coding Assistant Extension on VS Code Marketplace
A malicious Microsoft Visual Studio Code (VS Code) extension named "ClawdBot Agent - AI Coding Assistant" was discovered on the official Extension Marketplace. The extension, which posed as a free AI coding assistant, stealthily dropped a malicious payload on compromised hosts. The extension was taken down by Microsoft after being reported by cybersecurity researchers. The malicious extension executed a binary named "Code.exe" that deployed a legitimate remote desktop program, granting attackers persistent remote access to compromised hosts. The extension also incorporated multiple fallback mechanisms to ensure payload delivery, including retrieving a DLL from Dropbox and using hard-coded URLs to obtain the payloads. Additionally, security researchers found hundreds of unauthenticated Moltbot instances online, exposing sensitive data and credentials. Moltbot, an open-source personal AI assistant, can run 24/7 locally, maintaining a persistent memory and executing scheduled tasks. However, insecure deployments can lead to sensitive data leaks, corporate data exposure, credential theft, and command execution. Hundreds of Clawdbot Control admin interfaces are exposed online due to reverse proxy misconfiguration, allowing unauthenticated access and root-level system access. More than 230 malicious packages for OpenClaw (formerly Moltbot and ClawdBot) have been published in less than a week on the tool's official registry and on GitHub. These malicious skills impersonate legitimate utilities and inject information-stealing malware payloads onto users' systems, targeting sensitive data like API keys, wallet private keys, SSH credentials, and browser passwords. Users are advised to audit their configurations, revoke connected service integrations, and implement network controls to mitigate potential risks. A self-styled social networking platform built for AI agents, Moltbook, contained a misconfigured database that allowed full read and write access to all data. 
The exposure was due to a Supabase API key exposed in client-side JavaScript, granting unauthenticated access to the entire production database. Researchers accessed 1.5 million API authentication tokens, 30,000 email addresses, and thousands of private messages between agents. The API key exposure allowed attackers to impersonate any agent on the platform, post content, send messages, and interact as that agent. Unauthenticated users could edit existing posts, inject malicious content or prompt injection payloads, and deface the site. SecurityScorecard found 40,214 exposed OpenClaw instances associated with 28,663 unique IP addresses. 63% of observed deployments are vulnerable, with 12,812 instances exploitable via remote code execution (RCE) attacks. SecurityScorecard correlated 549 instances with prior breach activity and 1493 with known vulnerabilities. Three high-severity CVEs in OpenClaw have been discovered, with public exploit code available. OpenClaw instances are at risk of indirect prompt injection and API key leaks, with most exposures located in China, the US, and Singapore. A supply chain attack via the Cline npm package version 2.3.0 installed OpenClaw on users' systems, exploiting a prompt injection vulnerability in Cline's Claude Issue Triage workflow. The compromised Cline package was downloaded approximately 4,000 times over an eight-hour stretch. OpenClaw has broad permissions and full disk access, making it a high-value implant for attackers. Cline released version 2.4.0 to address the issue and revoked the compromised token. The attack affected all users who installed the Cline CLI package version 2.3.0 during an eight-hour window on February 17, 2026. The attack did not impact Cline's Visual Studio Code (VS Code) extension and JetBrains plugin. Cline maintainers released version 2.4.0 to mitigate the unauthorized publication and revoked the compromised token. 
Microsoft Threat Intelligence observed a small but noticeable uptick in OpenClaw installations on February 17, 2026, due to the supply chain compromise. Users are advised to update to the latest version, check their environment for any unexpected installation of OpenClaw, and remove it if not required.
Android Malware Uses AI for Click Fraud
A new family of Android click-fraud trojans leverages TensorFlow machine learning models to detect and interact with advertisement elements. The malware operates in 'phantom' and 'signalling' modes, using hidden WebView browsers and WebRTC for real-time actions. Distributed via Xiaomi’s GetApps and third-party APK sites, the malware affects multiple games and modified apps, with over 165,000 downloads. The malware drains battery life and increases data usage, posing a financial impact on users.
WebRAT Malware Distributed via Fake GitHub Exploits
The WebRAT malware, previously spread through pirated software and game cheats, is now being distributed via GitHub repositories that claim to host proof-of-concept exploits for recently disclosed vulnerabilities. The malware, which can steal credentials, spy through webcams, and capture screenshots, is delivered through carefully crafted repositories mimicking exploits for vulnerabilities such as CVE-2025-59295, CVE-2025-10294, and CVE-2025-59230. The repositories contain AI-generated text and password-protected ZIP files with the malware dropper.
SantaStealer Malware-as-a-Service Targets Browsers and Crypto Wallets
A new malware-as-a-service (MaaS) named SantaStealer is being advertised on Telegram and hacker forums. Developed by a Russian-speaking actor, it is a rebranded version of BluelineStealer. The malware steals data from browsers, cryptocurrency wallets, and other applications, operating in memory to avoid file-based detection. Despite claims of advanced evasion techniques, samples analyzed by Rapid7 reveal poor operational security and incomplete development. SantaStealer uses 14 data-collection modules to exfiltrate information via a hardcoded C2 endpoint. The malware is not yet fully operational, but its planned distribution methods include ClickFix attacks, phishing, pirated software, and malvertising.