Find notable cyber news and cases, enriched with sources, timelines, and signals.

PromptSpy Android malware with Gemini-assisted persistence and spyware capabilities

Malware Activity
First reported
Last updated
Happening score
H score 16
1 unique sources, 1 articles

Summary

Hide ▲

The PromptSpy Android malware family now stands out as the first known Android malware to use Google Gemini at runtime, letting it adapt app-pinning steps across devices and improve persistence. The malware also acts as spyware through a VNC module, giving operators remote screen viewing and control when Accessibility permissions are granted. It can capture PINs, passwords, screenshots, gestures, and foreground-app status, while invisible overlays make uninstall and permission revocation harder.

Related Happenings

BTMOB Android RAT no-code builder malware activity

Malware Activity
H score28 First: 26.05.2026 17:00 Last: 26.05.2026 17:00 Sources 1

About this happening: **BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...

Latest development: 29.05.2026 00:10

BTMOB is openly advertised on the clearweb and in private Telegram channels as a malware-as-a-service (MaaS) platform with an APK builder that customizes phishing payloads without coding. The Android RAT targets users mainly in Brazil and Latin America, uses phishing sites masquerading as streaming services, cryptocurrency mining platforms, and Google Play portals, and custom lures have included an Argentinian government agency theme.

Android Intrusion Logging forensic logging rollout for spyware investigations

Security Tool/Service
H score11 First: 13.05.2026 09:55 Last: 13.05.2026 09:55 Sources 1

About this happening: **Android** is adding **Intrusion Logging**, an opt-in forensic feature in **Advanced Protection Mode** that preserves device and network activity for suspected spyware compromise...

PromptSpy backdoor for Android with Gemini API automation

Malware Activity
H score22 First: 11.05.2026 16:02 Last: 11.05.2026 16:02 Sources 1

About this happening: The **PromptSpy** backdoor for **Android** was highlighted for using **Gemini APIs** to automate device interaction, increasing the risk of unauthorized control on infected phones...

TrickMo Android banking malware adds TON-based covert command-and-control

Malware Activity
H score29 First: 11.05.2026 12:03 Last: 11.05.2026 12:03 Sources 1

About this happening: The **TrickMo Android banking malware** has added **TON-based covert command-and-control**, making its operator infrastructure harder to identify, block, or take down for victims...

BirdCall Android spyware variant

Malware Activity
H score4 First: 05.05.2026 12:04 Last: 05.05.2026 12:04 Sources 1

About this happening: The **BirdCall** Android spyware variant expanded a known **Windows** backdoor into a mobile surveillance tool with **file exfiltration** and device reconnaissance capabilities. I...

Timeline

  1. 20.02.2026 00:36 2 articles · 4mo ago

    PromptSpy is disclosed with Gemini-assisted persistence

    Initial Disclosure

    PromptSpy is disclosed as a previously unknown Android malware family that uses Google Gemini at runtime, sending a chat prompt and an XML dump of the current screen so the model can return JSON-formatted instructions that help pin the app for persistence through Android's Accessibility Service. The malware also includes a built-in VNC module for remote screen viewing and control, can capture PINs, passwords, screenshots, gestures, and foreground-app status, and uses invisible overlays to make uninstall and permission changes harder.

    Show sources