Find notable cyber news and cases, enriched with sources, timelines, and signals.

PromptSpy backdoor for Android with Gemini API automation

Malware Activity
First reported
Last updated
Happening score
H score 22
1 unique sources, 1 articles

Summary

Hide ▲

The PromptSpy backdoor for Android was highlighted for using Gemini APIs to automate device interaction, increasing the risk of unauthorized control on infected phones. The malware also used a GeminiAutomationAgent module and a hardcoded prompt to interact with the device in an automated way. It could replay authentication on the device, including a lock pattern or PIN, which raises takeover risk.

Related Happenings

BTMOB Android RAT no-code builder malware activity

Malware Activity
H score28 First: 26.05.2026 17:00 Last: 26.05.2026 17:00 Sources 1

About this happening: **BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...

Latest development: 29.05.2026 00:10

BTMOB is openly advertised on the clearweb and in private Telegram channels as a malware-as-a-service (MaaS) platform with an APK builder that customizes phishing payloads without coding. The Android RAT targets users mainly in Brazil and Latin America, uses phishing sites masquerading as streaming services, cryptocurrency mining platforms, and Google Play portals, and custom lures have included an Argentinian government agency theme.

Google rolls out Android Intrusion Logging in Android Advanced Protection Mode

Security Tool/Service
H score10 First: 14.05.2026 16:30 Last: 14.05.2026 16:30 Sources 1

About this happening: Google has released **Android Intrusion Logging** for **Android Advanced Protection Mode**, giving **high-risk Android users** encrypted forensic logs to investigate suspected **s...

Android 17 expands platform security and privacy protections

Security Tool/Service
H score15 First: 12.05.2026 20:00 Last: 12.05.2026 20:00 Sources 1

About this happening: **Android 17** will add a broad set of **Google**-backed security and privacy controls next month, reducing exposure to **banking scam calls**, **device theft**, and **OTP theft**...

BirdCall Android spyware variant

Malware Activity
H score4 First: 05.05.2026 12:04 Last: 05.05.2026 12:04 Sources 1

About this happening: The **BirdCall** Android spyware variant expanded a known **Windows** backdoor into a mobile surveillance tool with **file exfiltration** and device reconnaissance capabilities. I...

NGate malware trojanized HandyPay NFC-stealing variant

Malware Activity
H score34 First: 21.04.2026 12:00 Last: 21.04.2026 12:00 Sources 1

About this happening: A **new NGate variant** is stealing **NFC payment data** from **Android users in Brazil**, raising the risk of **unauthorized purchases** and **ATM cash withdrawals**. The malware...

Timeline

  1. 11.05.2026 16:02 2 articles · 1mo ago

    PromptSpy Android backdoor automates device interaction through Gemini APIs

    Technical Analysis Update

    PromptSpy backdoor for Android was highlighted for integrating with Gemini APIs through a hardcoded module named GeminiAutomationAgent, using a hardcoded prompt to enable autonomous device interaction, calculate user interface bounds, and replay authentication with a lock pattern or PIN.

    Show sources