Most malware ships with its instructions baked in. PROMPTSPY does not. When this Android backdoor wants to act on an infected phone, it captures what is on the screen, sends the layout to Google's Gemini model in the cloud, and waits for the AI to tell it where to tap. ESET, the security firm that first reported it in February 2026, calls it the first Android malware to wire a generative AI model directly into how it runs.
On May 11, 2026, Google's own Threat Intelligence Group (GTIG, the team that investigates attacks against Google and its users) published a fresh teardown that goes further than the original find, and the picture it paints is the one worth sitting with. The brain of this malware no longer lives in the malware. It sits on a server you cannot see, and it improvises.
The agent module inside PROMPTSPY, named GeminiAutomationAgent, reads the phone's screen through Android's Accessibility API (the system feature that lets screen readers describe apps to blind users), turns the visible layout into a structured list, and sends it to the gemini-2.5-flash-lite model over an ordinary web request. A hardcoded prompt tells the model to adopt a harmless persona, which slips the request past Gemini's safety filters, then asks it to work out the exact coordinates of the buttons on screen. Gemini answers with a tidy set of moves: tap here, swipe there. The malware carries them out as if a finger were doing it.
The detail GTIG added is that the task itself is not fixed. The goal is fed in separately at run time, so the same backdoor can be aimed at almost any on-screen job. ESET first caught it using Gemini to keep itself pinned in the recent-apps list so a user could not swipe it away. GTIG found it does considerably more.
The concrete fact first. This is an early-stage tool, distributed only through a booby-trapped website a victim has to be talked into visiting, and it has not turned up in wide circulation. Google says it has disabled the accounts behind it, and that Play Protect already blocks known versions. So nothing is on fire today. What should hold your attention is the design, because the design is a template other people will copy. By moving its decision-making to a hosted AI, PROMPTSPY stops being a brittle script that breaks the moment an app's layout shifts, and becomes something that adapts to whatever is on the screen. For your organisation the soft spot is the personal Android in an employee's pocket, the one that also holds their work email and their authenticator app. If that device can be driven remotely, the attacker inherits every login it can reach. And because the malware talks to a legitimate Google AI endpoint, its most revealing traffic looks like a routine API call rather than an alarm. The shift worth carrying into your next mobile-security review is this: malware is starting to rent its intelligence from the same cloud models the rest of us use, which lowers the skill needed to build it and blurs the line between hostile and ordinary traffic.
PROMPTSPY matters less for what it has done, which so far is little, than for what it proves is now buildable: malware that outsources its thinking to a commercial AI and improvises its way around your phone in real time. The defenders caught this one early. The blueprint is now public, and the next version will not announce itself. Put mobile install controls and Accessibility-permission hygiene on the agenda at your next security meeting, before an adaptive backdoor is the thing testing them.
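One way to turn those two agenda items into a repeatable check, as an added example that is not code from ESET, GTIG or this article: a Python script that parses the enabled accessibility services on an Android device (the value of `settings get secure enabled_accessibility_services`, which `adb shell` prints as colon-separated `package/ServiceClass` entries, or the string `null` when none are set) together with a per-app egress log, and flags any package that both runs an unapproved accessibility service and talks to a hosted AI API. The hostname `generativelanguage.googleapis.com` is the public Gemini API host and is assumed here to be what the article calls a legitimate Google AI endpoint; the package names, allowlists and log lines are constructed placeholders, and the `key=value` log format is hypothetical (an MDM or on-device firewall export would need its own parser).

```python
"""Added example: correlate enabled Android accessibility services with
per-app egress to a hosted AI API and report the overlap.

Not code from ESET, GTIG or the article. Inputs are constructed samples.
"""
from dataclasses import dataclass

# Public Gemini API host. Assumption: this is the "legitimate Google AI
# endpoint" the article refers to; add other hosted-model hosts as needed.
AI_API_HOSTS = {"generativelanguage.googleapis.com"}

# Accessibility services the organisation has approved (screen readers,
# MDM agents). Placeholder values, not real package names.
APPROVED_A11Y_SERVICES = {
    "com.example.screenreader/com.example.screenreader.ReaderService",
}

# Apps expected to call hosted AI APIs. Placeholder value.
APPROVED_AI_CLIENTS = {"com.example.assistant"}


@dataclass
class Egress:
    pkg: str
    host: str
    port: int
    nbytes: int


@dataclass
class Finding:
    pkg: str
    severity: str  # "high" or "medium"
    reason: str


def parse_enabled_services(raw: str) -> list[str]:
    """Parse the secure setting `enabled_accessibility_services`.

    Android stores it as colon-separated `package/ServiceClass` entries;
    `settings get` prints the string "null" when the setting is unset.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry for entry in raw.split(":") if entry]


def parse_egress(lines: list[str]) -> list[Egress]:
    """Parse the constructed `<timestamp> pkg=... dst=host:port bytes=...` log."""
    records = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])  # drop timestamp
        host, port = fields["dst"].rsplit(":", 1)
        records.append(Egress(fields["pkg"], host, int(port), int(fields["bytes"])))
    return records


def assess(services_raw: str, log_lines: list[str]) -> list[Finding]:
    """Return findings sorted by package; 'high' when a package shows both signals."""
    a11y_pkgs = {
        entry.split("/", 1)[0]
        for entry in parse_enabled_services(services_raw)
        if entry not in APPROVED_A11Y_SERVICES
    }
    ai_pkgs = {
        rec.pkg
        for rec in parse_egress(log_lines)
        if rec.host in AI_API_HOSTS and rec.pkg not in APPROVED_AI_CLIENTS
    }
    findings = []
    for pkg in sorted(a11y_pkgs | ai_pkgs):
        if pkg in a11y_pkgs and pkg in ai_pkgs:
            findings.append(Finding(pkg, "high",
                "unapproved accessibility service AND egress to a hosted AI API "
                "(screen-driving automation pattern)"))
        elif pkg in a11y_pkgs:
            findings.append(Finding(pkg, "medium", "unapproved accessibility service enabled"))
        else:
            findings.append(Finding(pkg, "medium", "unexpected egress to a hosted AI API"))
    return findings


# Constructed sample inputs (placeholder package names).
SAMPLE_SETTING = (
    "com.example.screenreader/com.example.screenreader.ReaderService:"
    "com.example.suspicious/com.example.suspicious.AutomationService"
)
SAMPLE_LOG = [
    "2026-05-12T09:14:02Z pkg=com.example.suspicious dst=generativelanguage.googleapis.com:443 bytes=48211",
    "2026-05-12T09:14:05Z pkg=com.example.assistant dst=generativelanguage.googleapis.com:443 bytes=2201",
    "2026-05-12T09:14:09Z pkg=com.example.mail dst=mail.example.com:443 bytes=9120",
    "2026-05-12T09:15:41Z pkg=com.example.notes dst=generativelanguage.googleapis.com:443 bytes=17344",
]

if __name__ == "__main__":
    for f in assess(SAMPLE_SETTING, SAMPLE_LOG):
        print(f"[{f.severity.upper():6}] {f.pkg}: {f.reason}")
```

The high-severity case is the combination the article describes: an unapproved package that reads the screen through the Accessibility API and also sends traffic to a hosted model. The medium findings are the hygiene items worth reviewing on their own, since an unapproved accessibility service is a problem whether or not it has started talking to an AI endpoint yet.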
