PromptSpy Android malware with Gemini-assisted persistence and spyware capabilities
Malware Activity
Summary
The PromptSpy Android malware family now stands out as the first known Android malware to use Google Gemini at runtime, letting it adapt app-pinning steps across devices and improve persistence. The malware also acts as spyware through a VNC module, giving operators remote screen viewing and control when Accessibility permissions are granted. It can capture PINs, passwords, screenshots, gestures, and foreground-app status, while invisible overlays make uninstall and permission revocation harder.
Related Happenings
Android Intrusion Logging forensic logging rollout for spyware investigations
Security Tool/Service
First: 13.05.2026 09:55
Last: 13.05.2026 09:55
Sources 1
About this happening:
**Android** is adding **Intrusion Logging**, an opt-in forensic feature in **Advanced Protection Mode** that preserves device and network activity for suspected spyware compromise...
PromptSpy backdoor for Android with Gemini API automation
Malware Activity
First: 11.05.2026 16:02
Last: 11.05.2026 16:02
Sources 1
About this happening:
The **PromptSpy** backdoor for **Android** was highlighted for using **Gemini APIs** to automate device interaction, increasing the risk of unauthorized control on infected phones...
TrickMo Android banking malware adds TON-based covert command-and-control
Malware Activity
First: 11.05.2026 12:03
Last: 11.05.2026 12:03
Sources 1
About this happening:
The **TrickMo Android banking malware** has added **TON-based covert command-and-control**, making its operator infrastructure harder to identify, block, or take down for victims...
BirdCall Android spyware variant
Malware Activity
First: 05.05.2026 12:04
Last: 05.05.2026 12:04
Sources 1
About this happening:
The **BirdCall** Android spyware variant expanded a known **Windows** backdoor into a mobile surveillance tool with **file exfiltration** and device reconnaissance capabilities. I...
SilentGlass launch as a monitor-connection protection security device
Security Tool/Service
First: 22.04.2026 18:00
Last: 22.04.2026 18:00
Sources 1
About this happening:
The **UK National Cyber Security Centre** has released **SilentGlass**, a plug-and-play device that blocks unexpected or malicious signals between **HDMI** or **display port** con...
Timeline
- 20.02.2026 00:36 (1 article · 3mo ago): First VNCSpy samples appear on VirusTotal
  Detection IoC Update: The first version of the Android malware family later named VNCSpy appears on VirusTotal as three samples uploaded from Hong Kong, establishing an early detection point for the malware cluster.
  Sources:
- PromptSpy is the first known Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- 20.02.2026 00:36 (1 article · 3mo ago): More advanced VNCSpy samples surface
  Campaign Scope Update: Four samples of more advanced malware based on VNCSpy are uploaded to VirusTotal from Argentina, extending the known scope of the Android malware family and indicating a later variant.
  Sources:
- PromptSpy is the first known Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36
- 20.02.2026 00:36 (2 articles · 3mo ago): PromptSpy is disclosed with Gemini-assisted persistence
  Initial Disclosure: PromptSpy is disclosed as a previously unknown Android malware family that uses Google Gemini at runtime, sending a chat prompt and an XML dump of the current screen so the model can return JSON-formatted instructions that help pin the app for persistence through Android's Accessibility Service. The malware also includes a built-in VNC module for remote screen viewing and control, can capture PINs, passwords, screenshots, gestures, and foreground-app status, and uses invisible overlays to make uninstall and permission changes harder.
  Sources:
- PromptSpy is the first known Android malware to use generative AI at runtime — www.bleepingcomputer.com — 20.02.2026 00:36