Practical guides to protect yourself, your family, and your business from AI-driven scams, deepfakes, and emerging cyber threats.
PROMPTSPY is an Android backdoor with an unusual design problem. To do its job it has to tap the right buttons on a victim's screen, but it cannot reliably predict what that screen will look like across thousands of phones, languages, and app versions. Its answer is the part worth your attention. Partway through an attack it captures the layout of whatever is on screen, sends it to Google's Gemini, and asks the model where to tap next.
Researchers describe it as the first Android malware to use a generative AI model inside its own execution, not to write its code in advance but to make decisions live, on the device, while the attack is running. That single shift is what makes PROMPTSPY worth understanding even if it never reaches a phone you own. It is an early, working example of malware that thinks at runtime by renting someone else's intelligence.
ESET Research first documented PROMPTSPY and published its analysis in February 2026. It was the company's second piece of AI-powered malware in under a year, after PromptLock in August 2025, which ESET called the first known AI-driven ransomware. In its May 2026 AI Threat Tracker, Google's Threat Intelligence Group (GTIG, the company's threat research arm) examined the same backdoor and reported capabilities beyond the original write-up.
The mechanism is simpler than it sounds. PROMPTSPY abuses the Android Accessibility API (the system feature meant to help people with disabilities operate a phone, which can read what is on screen and tap on a user's behalf). A module the authors named GeminiAutomationAgent takes the phone's current layout, packs it into a structured text format, and sends it to the Gemini API along with a goal and a fixed prompt. That prompt hands the model a harmless-sounding persona to slip past its safety filters, then asks it to work out the exact coordinates of the buttons. Gemini answers with structured instructions, a list of actions and screen positions, and the malware replays them as real taps and swipes. The attacker never hardcodes the steps. The model reads the screen and improvises them.
Start with what PROMPTSPY can already do once it lands. It can see everything on the screen through its remote-control component, harvest the credentials and one-time codes that pass across it, and steal the gestures that unlock the device, all while making itself close to impossible to remove by hand. There is no public tally of victims or losses, and Google says it found no infected apps on the Play Store and that Play Protect blocks the known versions. The reason to care is not a body count. It is the design. For your organization, the device this targets is the one your security team watches least. A personal phone carrying a work mailbox, an authenticator app, and a VPN profile is a full set of keys, and the screen-reading approach means the malware adapts to whatever banking or login app it meets rather than breaking when an interface changes. The shift to raise in a planning meeting is the deeper one. Conventional malware ships with its logic baked into the file, which is exactly what signature-based defenses are built to catch. PROMPTSPY keeps its decision-making outside the binary, generating its next move from a cloud model on demand, and it routes that traffic through a legitimate Google service so the calls blend into ordinary network noise. If your defenses assume a program carries its full plan inside it, this is the category that breaks the assumption.
PROMPTSPY is still early and limited, and the immediate risk to any single phone is low. Treat it as a preview, not an emergency. The lesson that outlasts this particular backdoor is that attackers have found a way to give cheap malware expensive judgment, on demand, by pointing it at the same AI models everyone else uses. Defenses that hunt for a fixed set of malicious instructions will see less and less, because the instructions are written fresh each time the program runs. Bring one question to your next security review. If a piece of malware on a corporate phone decided its next move by asking a cloud AI in real time, would anything you currently monitor notice the conversation?


