PromptSpy: First Android Malware Uses Gemini AI for Persistence

Home » News
Yash Shield
News
Reading time icon 4 min. read

Calendar icon Published on

PromptSpy marks the first known Android malware family that integrates Google’s Gemini AI model into its core execution. ESET researcher Lukas Stefanko discovered the threat in February 2026. The malware evolved from VNCSpy samples uploaded January 13, 2026 from Hong Kong.

Advanced variants appeared February 10, 2026 from Argentina with live Gemini integration. Attackers disguise PromptSpy as MorganArg, a fake Chase Bank app for “Morgan Argentina.” Distribution occurred via now-defunct mgardownload.com domain.

BEST WINTER DEALS
Editor's Choice
Private Internet Access

Access content across the globe at the highest speed rate.

70% of our readers choose Private Internet Access

70% of our readers choose ExpressVPN

ExpressVPN

Browse the web from multiple devices with industry-standard security protocols.
Nord VPN

Faster dedicated servers for specific actions (currently at summer discounts)

ESET analysis confirms Chinese development origins through debug strings and localized Accessibility handlers. No live infections detected yet. Dedicated phishing infrastructure indicates real deployment plans.

AI-Driven Persistence Mechanism

Traditional Android malware uses fixed screen coordinates that fail across device models. PromptSpy sends live UI XML dumps to Gemini alongside natural language prompts. The AI returns precise JSON tap/swipe coordinates for any Android version or screen size.

Continuous feedback loop:

  1. Malware captures current UI XML
  2. Submits to Gemini with context prompt
  3. AI responds: {"tap": [x:123, y:456], "action": "recent_apps"}
  4. Executes gesture, re-queries UI
  5. Loop ends when app locks confirmed

Gemini pins MorganArg app with padlock icon in recent apps view. Users cannot swipe away or force-close the malware.

VNC Remote Access Capabilities

Primary payload deploys AES-encrypted VNC module for full device control. Requires Accessibility Services permission abuse.

Capabilities post-Accessibility grant:

  • Lockscreen PIN/pattern video capture
  • On-demand screenshots
  • Installed app inventory
  • Screen recording of target apps
  • Foreground app reporting

C2 communication uses VNC protocol over hardcoded servers. Operators gain complete remote visibility and control.

Anti-Removal Techniques

Accessibility Services overlays invisible rectangles over uninstall/stop/clear buttons. Victims tap normally but malware intercepts silently.

Only effective removal:

textBoot Safe Mode → Settings → Apps → MorganArg → Uninstall

Regular mode reboot cycles fail due to persistent overlays.

Screenshot

Evolution Timeline

DateLocationMilestoneSamples
Jan 13, 2026Hong KongVNCSpy precursors3
Feb 10, 2026ArgentinaGemini AI integration4
Feb 2026ESETPromptSpy family named8 total

Sample hashes (Android/Spy.PromptSpy.A):

textE60D12017D2DA579DF87368F5596A0244621AE86  (mgappc-1.apk)
9B1723284E311794987997CB7E8814EB6014713F  (mgappm-1.apk)
076801BD9C6EB78FC0331A4C7A22C73199CC3824  (mgappn-0.apk)
8364730E9BB2CF3A4B016DE1B34F38341C0EE2FA  (mgappn-1.apk)
F8F4C5BC498BCCE907DC975DD88BE8D594629909  (app-release.apk)

Infrastructure Indicators

IP/DomainProviderRoleFirst Seen
52.222.205.45AmazonPhishing site2026-01-12
54.67.2.84AmazonC2 serverUnknown
104.21.91.170CloudflareDistribution2026-01-13
mgardownload.comCloudflareAPK host2026-01-13

Threat Impact Assessment

Universal compatibility: Works across all Android devices/OS via AI adaptation
Stealth persistence: Locks app beyond user control
Remote takeover: Full VNC access post-Accessibility
Anti-removal: Intercepts uninstall attempts

Google Play Protect blocks known samples. ESET shared IOCs via App Defense Alliance.

Detection Challenges

Behavioral signatures:

textAccessibility + Gemini API calls
Recent apps padlock on banking app
VNC traffic from MorganArg
Safe Mode required for uninstall

Network patterns:

textAES-encrypted VNC to 54.67.2.84
mgardownload.com APK downloads

User Protection Measures

Immediate checks:

  • Settings → Apps → MorganArg → Uninstall (Safe Mode)
  • Accessibility Services → Revoke MorganArg permissions
  • Recent apps → Verify no padlocked banking apps

Prevention:

textAvoid Chase-themed APKs outside Play Store
Block domains: mgardownload.com, m-mgarg.com
Review Accessibility Services permissions monthly
Enable Google Play Protect

Industry Implications

First AI-integrated Android malware signals new evasion frontier. Hardcoded prompts limit flexibility but enable universal device targeting. VNC persistence survives factory resets without root.

ESET timeline: VNCSpy precursors → Gemini adaptation → MorganArg phishing → Full PromptSpy family.

FAQ

What makes PromptSpy unique?

First Android malware using Gemini AI for device-agnostic UI automation. 

How does AI persistence work?

Sends UI XML to Gemini, receives JSON tap coordinates, locks app in recent view.

App disguise used?

MorganArg fake Chase Bank app via mgardownload.com.

Removal requires Safe Mode?

Yes. Accessibility overlays block normal uninstall attempts.

Origin indicators?

Simplified Chinese debug strings, Hong Kong/Argentina uploads.

VNC capabilities?

PIN capture, screenshots, app inventory, screen recording.

Yash

Yash Shield

I am a Business Analytics student with a strong interest in publishing well-researched and data-driven news articles. I focus on analyzing trends in business, finance, and technology to create clear, accurate, and engaging content for readers. I enjoy transforming complex data and information into simple, meaningful stories that help audiences understand current developments. With analytical thinking and attention to detail, I aim to deliver credible and insightful news that adds real value to readers.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages