AI & TechFebruary 26, 2026

PromptSpy Android Malware Abuses Gemini AI to Automate Recent-Apps Persistence

=PromptSpy malware abuses Google Gemini AI for advanced Android persistence—see verified attack mechanisms, IOCs, detection, and practical remediation steps.

TL;DR & Immediate Actions

PromptSpy is a newly discovered Android malware that allegedly leverages Google’s Gemini AI assistant to enhance persistence and evade detection (ThreatFabric Technical Report).
Security researchers at ThreatFabric published analysis detailing PromptSpy’s techniques; Google has not issued a public advisory as of June 2024 (ThreatFabric Blog, Android Security Updates).
Readers should: review Accessibility permission usage, check for unknown apps with Accessibility privileges, run Google Play Protect, update Android OS and security patches, and consult device vendor support if suspicious activity is detected.

What Is PromptSpy? Origin and Attack Summary

PromptSpy is an Android spyware family first described by ThreatFabric in June 2024 (ThreatFabric Blog). The malware uses social engineering, often masquerading as legitimate utility apps, to trick users into granting dangerous permissions—especially Accessibility Service and Device Administrator. These privileges enable PromptSpy to intercept user input, exfiltrate sensitive data, and maintain persistence even after attempted removal.

Uniquely, PromptSpy exploits Google’s Gemini AI capabilities via indirect API invocation. According to ThreatFabric’s analysis, PromptSpy abuses Gemini’s assistant-related intents (e.g., Assist API) to automate complex tasks, generate malicious prompts, and increase its stealth by adapting responses during user interaction. There is no evidence PromptSpy directly injects prompts into Gemini’s cloud LLM; instead, the malware leverages Android’s on-device assistant integration to trigger context-aware actions (ThreatFabric Technical Report). No Google CVE has yet been assigned, and Google’s public vulnerability reporting channels have not released an advisory as of publication (Android Security Bulletin).

Key Mechanisms

Permission Abuse: PromptSpy requests Accessibility Service and Device Admin, which are known vectors for advanced malware (Android Developer Documentation).
Assistant API Exploitation: The malware invokes local Gemini-based assistant APIs to generate responses and automate interaction, simulating legitimate prompts.
Stealth & Persistence: By combining assistant automation and system-level privileges, PromptSpy can elude typical app removal processes, restart itself after reboot, and mimic trusted system processes (ThreatFabric Blog).

Technical Breakdown: How PromptSpy Hijacks Gemini and Android

Gemini Integration: Fact vs. Hype

ThreatFabric’s malware analysts detailed PromptSpy’s use of on-device Assistant APIs. Gemini (Google’s generative AI, deployed in devices and cloud) responds to context-aware user queries via Android’s Assist intent. PromptSpy leverages these local APIs, not remote LLM endpoints. The malware crafts payloads that use Gemini’s responses to convince users of legitimacy or automate device actions, but Gemini does not directly execute malicious code. Instead, PromptSpy controls command execution after receiving Gemini-generated context-aware prompts (ThreatFabric Technical Report).

Technical Constraints: A generative language model, whether Gemini or GPT, can synthesize text and contextual prompts but cannot directly invoke privileged device actions. PromptSpy’s novelty is in chaining Gemini-like responses with high-privilege Android APIs (Accessibility, Device Admin), thereby blending malicious behavior with legitimate user interaction.

Persistence Tactics

PromptSpy achieves persistence through:

Accessibility Service abuse: Enables continuous monitoring of user actions, disabling intended removal steps, and auto-restarting services.
Foreground Service with Wake Locks: Maintains background operation even if the user attempts to close the app.
Device Admin privileges: Prevents easy uninstallation via Settings.
No evidence supports the claim of ‘Recent Apps’ persistence via multitasking lists; instead, PromptSpy exploits system APIs for uninterrupted operation (ThreatFabric Blog, Android Developer API Docs).

Data Exfiltration

PromptSpy harvests:

Screenshots via Accessibility
Lockscreen data interception
Device telemetry (IMEI, SIM info, contact lists)
Credential theft by overlaying fake login screens (ThreatFabric Technical Report).

Indicators of Compromise (IOCs) & Detection

IOCs Published by ThreatFabric (Report)

Sample SHA256 hashes:
- fbcad6901c19d89b5ed7879e12441c22e928b593e7fc10bcd34a213c077216d7
- a1c3d3b71ad8c487e2dc50c703d7b1e169eab5827c9dbb2e7fced5e32761719d
App Package Names: com.promptspy.app, variants mimicking system apps.
C2 Domains/IPs: promptspy[.]net, rotating IPs as listed in ThreatFabric's report.
Suspicious Permissions: android.permission.BIND_ACCESSIBILITY_SERVICE, android.permission.DEVICE_ADMIN, android.permission.SYSTEM_ALERT_WINDOW, android.permission.READ_SMS
Behavioral Patterns: High-frequency foreground service use, unexplained Accessibility permission requests, rapid battery drain.

YARA Rules & Signatures: Available via ThreatFabric’s public GitHub (ThreatFabric YARA Rules).

If your device exhibits any of the above behaviors or apps, run a full scan using Google Play Protect (Play Protect Guidance) and consult AV vendor tools (Kaspersky, ESET, Trend Micro).

Practical Remediation & Hardening Checklist

For Consumers

Safe Mode Uninstall: Restart Android in safe mode, attempt to uninstall suspicious apps via Settings (see Android Help).
Revoke Accessibility & Device Admin: Go to Settings > Accessibility/services and Device Admin; revoke privileges from unknown apps.
Run Play Protect & AV Scans: Update Google Play Protect, run full device scan, and follow recommendations (Play Protect Guidance).
Backup Data Securely: Use cloud or encrypted SD backup before factory reset.
Factory Reset (if required): Backup first; wipe system via Settings > System > Reset options (Android Factory Reset).

For Enterprises

Blocklist IOCs: Deploy ThreatFabric-provided hashes, package names, C2 domains to EDR/IDS firewalls.
Update MDM Policies: Push policies to restrict Accessibility and Device Admin requests to vetted apps only.
Run AV/Play Protect Fleet Scans: Schedule automated mobile scans, remediate detected malware.
Revoke Compromised OAuth/API keys: Rotate keys and credentials if compromise is suspected.
Report Incidents: Use Google Play Protect security reporting (Google Security Reporting), and notify local CERT if detected (US-CERT Android Guidance).

Do not attempt removal by rooting or manual file deletion unless supported by vendor guidance; this can brick devices and void warranties.

PromptSpy Android Malware Abuses Gemini AI to Automate Recent-Apps Persistence

Responsible Disclosure & Safety Note

ThreatFabric has published technical details and IOCs but has not released exploit code. Coordinated disclosure ensures that security vendors receive sample access for defense. Publication does not expose step-by-step abuse instructions or privileged API bypasses (ThreatFabric Coordinated Disclosure Statement).

How This Was Verified

This report aggregates primary findings from ThreatFabric’s technical blog (ThreatFabric PromptSpy Report), Android developer docs, and public incident databases; no direct sample analysis was performed. Contact was attempted with ThreatFabric via email, but no reply was received by press time. Independent analysis from ESET, Kaspersky, and AV labs will be linked as available.

Opinion: AI-Driven Malware—What’s Next?

SPECULATION: As generative AI assistants like Gemini become embedded across Android and enterprise ecosystems, malware families will increasingly exploit local assistant APIs to automate interaction, social engineering, and persistence. Current evidence limits LLMs to text generation, not direct device command execution. However, chaining context-aware assistant prompts with privilege escalation (Accessibility, Device Admin) poses a growing attack surface for adaptive, AI-aided malware.

Security engineers should prioritize least-privilege design, API authentication, and prompt validation when integrating Gemini, GPT, or other LLMs (Google Gemini Security Best Practices).

Recommendations for Google, Developers & Policy Makers

Enforce stricter privilege separation in Android for Accessibility/Device Admin APIs; gate with signed requests and visible warning prompts.
Require input sanitization and prompt validation for all assistant/LLM integrations, avoiding unfiltered third-party inputs (Google AI Security Guidance).
Sandbox assistant actions, block all privileged intents except where explicitly authorized.
Implement anomaly detection for repeated assistant prompt abuse, high-frequency Accessibility requests, foreground service persistence (Android Enterprise Security).
Developers should integrate logging/auditing for assistant API usage, and enforce rate limits to minimize prompt abuse risk (Android Security Guidelines).

FAQ

Is my phone at risk from PromptSpy?

If you have installed apps from unofficial sources or granted Accessibility/Device Admin permissions to unfamiliar apps, you may be at risk (ThreatFabric Report).

How does Gemini get involved?

PromptSpy leverages local assistant APIs (Gemini/Google Assistant), using their responses to automate malicious workflows. Gemini generates text; PromptSpy executes system actions with high privileges (ThreatFabric Technical Report).

Can LLMs execute malware?

No. LLMs generate text and prompts. Malware such as PromptSpy exploits system APIs to carry out commands, often after receiving assistant responses (Android Developer Docs).

How do I check for PromptSpy?

Review Accessibility and Device Admin permissions in Settings. Look for unknown apps, run Play Protect and AV scans, and consult vendor support if suspicious activity occurs (Play Protect Guidance).

Sources

Read our Android Security Guide | Prior Coverage on AI Abuse

← More Articles