PromptSpy Android malware with Gemini-assisted persistence and spyware capabilities
Malware Activity
Summary
Hide ▲
Show ▼
The PromptSpy Android malware family now stands out as the first known Android malware to use Google Gemini at runtime, letting it adapt app-pinning steps across devices and improve persistence. The malware also acts as spyware through a VNC module, giving operators remote screen viewing and control when Accessibility permissions are granted. It can capture PINs, passwords, screenshots, gestures, and foreground-app status, while invisible overlays make uninstall and permission revocation harder.
Related Happenings
BTMOB Android RAT no-code builder malware activity
Malware Activity
H score28
First: 26.05.2026 17:00
Last: 26.05.2026 17:00
Sources 1
About this happening:
**BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...
BTMOB Android RAT no-code builder malware activity
Malware ActivityAbout this happening: **BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...
Latest development: 29.05.2026 00:10
BTMOB is openly advertised on the clearweb and in private Telegram channels as a malware-as-a-service (MaaS) platform with an APK builder that customizes phishing payloads without coding. The Android RAT targets users mainly in Brazil and Latin America, uses phishing sites masquerading as streaming services, cryptocurrency mining platforms, and Google Play portals, and custom lures have included an Argentinian government agency theme.
Android Intrusion Logging forensic logging rollout for spyware investigations
Security Tool/Service
H score11
First: 13.05.2026 09:55
Last: 13.05.2026 09:55
Sources 1
About this happening:
**Android** is adding **Intrusion Logging**, an opt-in forensic feature in **Advanced Protection Mode** that preserves device and network activity for suspected spyware compromise...
Android Intrusion Logging forensic logging rollout for spyware investigations
Security Tool/ServiceAbout this happening: **Android** is adding **Intrusion Logging**, an opt-in forensic feature in **Advanced Protection Mode** that preserves device and network activity for suspected spyware compromise...
PromptSpy backdoor for Android with Gemini API automation
Malware Activity
H score22
First: 11.05.2026 16:02
Last: 11.05.2026 16:02
Sources 1
About this happening:
The **PromptSpy** backdoor for **Android** was highlighted for using **Gemini APIs** to automate device interaction, increasing the risk of unauthorized control on infected phones...
PromptSpy backdoor for Android with Gemini API automation
Malware ActivityAbout this happening: The **PromptSpy** backdoor for **Android** was highlighted for using **Gemini APIs** to automate device interaction, increasing the risk of unauthorized control on infected phones...
TrickMo Android banking malware adds TON-based covert command-and-control
Malware Activity
H score29
First: 11.05.2026 12:03
Last: 11.05.2026 12:03
Sources 1
About this happening:
The **TrickMo Android banking malware** has added **TON-based covert command-and-control**, making its operator infrastructure harder to identify, block, or take down for victims...
TrickMo Android banking malware adds TON-based covert command-and-control
Malware ActivityAbout this happening: The **TrickMo Android banking malware** has added **TON-based covert command-and-control**, making its operator infrastructure harder to identify, block, or take down for victims...
BirdCall Android spyware variant
Malware Activity
H score4
First: 05.05.2026 12:04
Last: 05.05.2026 12:04
Sources 1
About this happening:
The **BirdCall** Android spyware variant expanded a known **Windows** backdoor into a mobile surveillance tool with **file exfiltration** and device reconnaissance capabilities. I...
BirdCall Android spyware variant
Malware ActivityAbout this happening: The **BirdCall** Android spyware variant expanded a known **Windows** backdoor into a mobile surveillance tool with **file exfiltration** and device reconnaissance capabilities. I...
Timeline
-
20.02.2026 00:36 1 articles · 4mo ago
First VNCSpy samples appear on VirusTotal
Detection Ioc UpdateThe first version of the Android malware family later named VNCSpy appears on VirusTotal as three samples uploaded from Hong Kong, establishing an early detection point for the malware cluster.
Show sources
- PromptSpy is the first known Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
-
20.02.2026 00:36 1 articles · 4mo ago
More advanced VNCSpy samples surface
Campaign Scope UpdateFour samples of more advanced malware based on VNCSpy are uploaded to VirusTotal from Argentina, extending the known scope of the Android malware family and indicating a later variant.
Show sources
- PromptSpy is the first known Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
-
20.02.2026 00:36 2 articles · 4mo ago
PromptSpy is disclosed with Gemini-assisted persistence
Initial DisclosurePromptSpy is disclosed as a previously unknown Android malware family that uses Google Gemini at runtime, sending a chat prompt and an XML dump of the current screen so the model can return JSON-formatted instructions that help pin the app for persistence through Android's Accessibility Service. The malware also includes a built-in VNC module for remote screen viewing and control, can capture PINs, passwords, screenshots, gestures, and foreground-app status, and uses invisible overlays to make uninstall and permission changes harder.
Show sources
- PromptSpy is the first known Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- PromptSpy is the first known Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36