
PromptSpy Android malware with Gemini-assisted persistence

Malware Activity
Happening score: 16
2 unique sources, 2 articles

Summary


The PromptSpy Android malware now uses Gemini inside its execution flow to automate UI navigation and improve persistence, making the payload harder to dismiss or kill. It also combines VNC remote access with accessibility-service abuse to capture lockscreen PINs, screenshots, and live screen activity. The malware is delivered through a dedicated website rather than Google Play, with distribution links pointing to mgardownload[.]com and m-mgarg[.]com. The activity appears financially motivated and is associated with targeting users in Argentina.

Related Happenings

Grandoreiro and BTMOB banking trojan activity targeting Windows and Android

Malware Activity
First: 27.05.2026 19:10 Last: 27.05.2026 19:10 Sources 1

About this happening: The **Grandoreiro** and **BTMOB** trojans are being used in active campaigns against **Windows** and **Android** targets across **Europe** and **Latin America**, increasing the ri...

BTMOB Android RAT no-code builder malware activity

Malware Activity
First: 26.05.2026 17:00 Last: 26.05.2026 17:00 Sources 1

About this happening: The **BTMOB** Android RAT is spreading through **phishing campaigns** across **Brazil and beyond**, raising the risk of **custom payload delivery** and **remote device takeover**....

Trapdoor Android malvertising and ad-fraud campaign

Campaign
First: 19.05.2026 19:38 Last: 19.05.2026 19:38 Sources 1

About this happening: The **Trapdoor** campaign is a **self-sustaining malvertising and ad-fraud operation** targeting **Android users** and turning app installs into revenue through threat-actor-contr...

Android Intrusion Logging forensic logging rollout for spyware investigations

Security Tool/Service
First: 13.05.2026 09:55 Last: 13.05.2026 09:55 Sources 1

About this happening: **Android** is adding **Intrusion Logging**, an opt-in forensic feature in **Advanced Protection Mode** that preserves device and network activity for suspected spyware compromise...

Apple and Google Messages beta rollout of cross-platform E2EE RCS

Security Tool/Service
First: 12.05.2026 16:00 Last: 12.05.2026 16:00 Sources 1

About this happening: Apple and Google have begun a **beta rollout** of **end-to-end encrypted RCS** between **iPhone** and **Android** devices, materially reducing carrier and in-transit visibility fo...

Timeline

  1. 19.02.2026 19:52 3 articles · 3mo ago

    PromptSpy disclosure and Gemini-assisted persistence

    Initial Disclosure

    ESET discloses PromptSpy, an Android malware family that abuses Gemini to analyze the current screen and receive step-by-step instructions in JSON for keeping the malicious app pinned in the recent apps list. It also uses accessibility services, invisible overlays, and a built-in VNC module to resist removal, capture lockscreen data, take screenshots, record screen activity, and provide remote access. The campaign is assessed as financially motivated and targets users in Argentina. It is distributed through mgardownload[.]com and m-mgarg[.]com rather than Google Play, with a dropper that requests installation from unknown sources.
