
PromptSpy Android malware uses Gemini for runtime persistence

Malware Activity
H score 16
1 unique source, 1 article

Summary


The PromptSpy Android malware now stands out for using Gemini at runtime to guide UI actions, making infected devices easier to steer and harder to remove. It pairs that workflow with a VNC module so operators can view screens and take control. The malware can capture PINs, record the display, and block uninstallation with invisible overlays. Researchers have not seen live infections, but they observed a delivery domain aimed at users in Argentina.

Related Happenings

PromptSpy backdoor for Android with Gemini API automation

Malware Activity
First: 11.05.2026 16:02 Last: 11.05.2026 16:02 Sources 1

About this happening: The **PromptSpy** backdoor for **Android** was highlighted for using **Gemini APIs** to automate device interaction, increasing the risk of unauthorized control on infected phones...

SilentGlass launch as a monitor-connection protection security device

Security Tool/Service
First: 22.04.2026 18:00 Last: 22.04.2026 18:00 Sources 1

About this happening: The **UK National Cyber Security Centre** has released **SilentGlass**, a plug-and-play device that blocks unexpected or malicious signals between **HDMI** or **display port** con...

NoVoice Android malware hidden in Google Play apps

Malware Activity
First: 01.04.2026 21:07 Last: 01.04.2026 21:07 Sources 1

About this happening: **NoVoice** Android malware was found hidden in **more than 50 Google Play apps**, exposing **at least 2.3 million downloads** to compromise. After installation, it used **old And...

Perseus Android malware family actively distributed in the wild

Malware Activity
First: 19.03.2026 14:43 Last: 19.03.2026 14:43 Sources 1

About this happening: The **Perseus** **Android malware** family is being actively distributed in the wild, putting infected devices at risk of **device takeover** and **financial fraud**. It spreads t...

Perseus Android note-stealing and remote-control malware activity

Malware Activity
First: 19.03.2026 12:13 Last: 19.03.2026 12:13 Sources 1

About this happening: The **Perseus** Android malware is now being used to inspect user notes for secrets, creating theft risk for **passwords**, **recovery phrases**, and **financial data**. It is als...

Timeline

  1. 20.02.2026 09:06 2 articles · 3mo ago

    ESET analyzes PromptSpy Android malware using Gemini at runtime

    Technical Analysis Update

    ESET analyzed PromptSpy, an Android malware family it describes as the first to leverage generative AI during execution. The malware uses a VNC module for full device control, sends XML-formatted UI data to Google’s Gemini chatbot for JSON tap-and-swipe guidance, and abuses Android’s Accessibility Services to carry out the returned gestures. PromptSpy persists by locking itself into the recent apps list, blocks removal with transparent overlays that can hide buttons such as stop, end, clear, and Uninstall, and can collect device information, capture the lockscreen PIN or password, record the screen to recover the unlock pattern, and take screenshots. ESET said it has not seen infections in the wild, noted a delivery domain that appears aimed at users in Argentina, and assessed with medium confidence that PromptSpy was created by Chinese developers without linking it to any threat actor.
