Reported by SecurityWeek on February 20, 2026, PromptSpy is a newly identified Android malware family developed by threat actors. Its standout capability is using Google Gemini at runtime to analyze on‑screen content and help the malware remain installed and active on infected devices. Review this Cybersecurity Threat Advisory now to protect your systems.
What is the threat?
PromptSpy is an Android malware strain delivered through malicious apps (APKs). Its defining behavior is using Google Gemini in real time to interpret on‑screen elements. This allows the malware to decide how to react when users open security settings, app‑management pages, or removal dialogs, making it significantly harder to uninstall.
The malware watches the UI, calls Gemini to interpret it, and changes its behavior to keep permissions and services running. This AI‑based decision making gives PromptSpy an advantage over malware that depends on fixed UI assumptions.
Why is it noteworthy?
Early example of AI-assisted mobile malware
PromptSpy is one of the first publicly observed Android malware families that integrates a generative AI system during execution, not just development. It demonstrates how attackers are evolving from using AI to write code to using AI as an active component in malware behavior.
Adaptive persistence through UI understanding
By offloading UI interpretation to Gemini, PromptSpy avoids brittle rules tied to specific button placements, versions, or languages. This gives it stronger persistence across Android builds, OEM skins, and localized interfaces and helps it respond more flexibly when users attempt to access App Info, Security, or Uninstall screens.
More difficult to detect using traditional heuristics
AI‑guided behaviors can vary based on context. This makes them harder for security tools relying on static signatures or predictable behavior patterns to detect. Systems designed to identify fixed workflows may miss dynamically generated, AI‑driven actions.
A signal of future malware trends
PromptSpy shows adversaries can integrate commercial AI platforms directly into malware. Future families could expand this approach to bypass security dialogs, identify high‑value data for exfiltration, or craft social engineering prompts in real time.
What is the exposure or risk?
Once installed, PromptSpy presents several risks:
- Long‑term unauthorized access: AI‑driven persistence makes removal difficult, enabling sustained attacker control.
- Privacy and data exposure: It can access messaging, email, and app content, creating opportunities for data theft, exposure of authentication codes, and compromise of personal or corporate information.
- Remote device interaction: PromptSpy supports interactive remote control, giving attackers real‑time visibility into the device UI and allowing them to perform actions as if physically holding the device.
- Secondary abuse: Compromised devices may be used for further fraud, botnet activity, or even bypassing MFA if attackers interact with the device when codes appear.
For enterprises managing corporate or BYOD Android devices, PromptSpy can lead to data leakage, shadow access to internal workflows, and extended dwell time—especially when MDM/EDR visibility is limited. Its AI‑assisted persistence also makes it harder for users to remove once installed.
What are the recommendations?
Barracuda strongly recommends taking the following actions:
- Limit installations to Google Play or trusted enterprise stores. Use MDM/EMM tools to allow‑list approved apps and block sideloading where possible.
- Regularly audit apps using Accessibility Services, overlay features, screen recording, or other high‑risk privileges. Remove or closely monitor apps requesting broad permissions outside valid business needs.
- Use reputable mobile AV/EDR solutions capable of detecting malicious packages and abnormal service behavior. Integrate mobile alerts into SOC workflows.
- Ensure Android security patches and key apps remain current. Encourage users not to disable built‑in protections such as Google Play Protect.
- Educate users on the risks of third‑party app stores, malicious links, and unusual device behavior. Establish clear steps for suspected compromise, including isolation, data backup, factory reset, and MDM re‑enrollment.
- Incorporate AI‑aware threat models that assume malware can interpret UI context via external AI services. Monitor for suspicious app‑to‑AI‑platform traffic and work with mobile security vendors to ensure detection of context‑driven malware behavior.
References
For more in-depth information about the recommendations, please visit the following links:
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.