The boundary between malware and autonomous AI agent just disappeared. PROMPTSPY doesn't execute fixed instructions — it reads the screen, thinks, and acts. This is the first documented case of Android malware that uses generative AI to operate a device autonomously. At Tech86, we've been tracking this evolution closely, and one thing is certain: it won't be the last.
What PROMPTSPY is
Google GTIG and ESET documented PROMPTSPY, the first Android malware that integrates generative AI to interact with the device's interface. It's not a keylogger. It's not conventional spyware. It's an AI agent that sees the screen, calculates where to click, and executes actions as if it were you.
The fundamental difference is conceptual. Traditional malware follows a script: if it finds button X, click coordinate Y. If the layout changes — due to a system update, a different manufacturer, any reason — the script breaks. PROMPTSPY doesn't have this problem. It asks the AI how to proceed, and the AI responds based on what it sees on screen. It works on any Android. Any manufacturer. Any version.
The autonomous automation loop
PROMPTSPY operates as an autonomous agent loop. It captures the complete screen layout in real time — text, element type, exact position of every button. It serializes everything into XML and sends it to the Gemini API.
Gemini responds with JSON instructions: which gesture to execute, at which coordinate, with what duration. The malware executes via Accessibility Service. Captures the new screen state. Sends it back. The cycle repeats until the action is complete.
GTIG documented a module called GeminiAutomationAgent — a prompt that assigns Gemini the persona of an "Android automation assistant." The stated objective: calculate interface geometry for autonomous device interactions. The malware maintains a history of prompts and responses, allowing Gemini to understand context and coordinate multi-step interactions. This isn't automation. It's reasoning.
What it does to your phone
PROMPTSPY's capabilities go far beyond data capture. It operates the device. A built-in VNC gives the attacker complete remote access in real time — your phone becomes a puppet controlled from outside.
It captures PIN and unlock password. Records the unlock pattern on video. Takes screenshots on command. Lists installed apps. Monitors which app is in the foreground. The Gemini API key is obtained from the C2 server — it's not hardcoded in the malware. This means the attacker can rotate keys without redeploying. If one key is revoked, they simply use another.
The architecture is modular and resilient. The attacker controls the malware's behavior remotely by altering the prompts sent to Gemini. This isn't a fixed campaign — it's an adaptive platform.
The persistence that changes the game
PROMPTSPY's persistence mechanism is where generative AI makes the most brutal difference. The malware uses Gemini to pin the app in Android's recent apps list. On each manufacturer, the gesture is different: long press, swipe up, lock icon. Hardcoded logic doesn't work across all devices. Generative AI does.
Gemini analyzes the specific layout of your device and returns the exact coordinates for the required gesture. Samsung, Xiaomi, Motorola, Pixel — doesn't matter. PROMPTSPY adapts to all of them.
And if you try to uninstall? The malware renders invisible overlays on top of the "Uninstall" and "Force Stop" buttons. Your tap is intercepted by the overlay. Nothing happens. You tap, nothing changes. The only way out is to reboot into Safe Mode — something most users don't know how to do.
Why traditional defenses fail
Signature-based antivirus doesn't detect PROMPTSPY because it has no fixed signature. The behavior changes depending on the device, the prompt, the attacker's objective. EDRs that only monitor known indicators of compromise are equally blind — there's no stable IoC to hunt for.
The problem is structural. The security industry built defenses for malware that follows scripts. PROMPTSPY reasons. It self-corrects if the result isn't what was expected. It adapts the attack to the context. This is qualitatively different from any threat we've faced before.
At Tech86, we saw this evolution coming. We implemented anomalous behavior monitoring on endpoints and autonomous defense against AI-powered threats. Not because it's a trend — because the adversary of the future doesn't follow scripts. It reasons. And our defenses need to reason too.
What comes after PROMPTSPY
PROMPTSPY is the first documented case. It won't be the last. The architecture — capture screen, send to LLM, execute response — is replicable with any generative AI model. It doesn't depend on Gemini specifically. Any inference API works.
What concerns us at Tech86 isn't PROMPTSPY itself. It's what it represents: the democratization of adaptive malware. Until now, creating malware that worked across multiple devices required deep knowledge of each manufacturer. Now, a well-written prompt and an API key are enough.
Defense needs to evolve at the same pace. Real-time behavioral monitoring. AI-based anomaly detection. Autonomous incident response. It's not enough to know what the malware does — we need to understand what it's trying to do, even if the method has never been seen before.
If your company operates Android devices without behavioral protection, you're exposed. PROMPTSPY proved the threat isn't theoretical. It's operational. And it's adapting faster than traditional defenses.