Category: Mobile Security

Android malware just learned to ask for directions — from Gemini

A new strain of Android spyware called PromptSpy has put a chill in the security world by doing something we’ve only warned about in hypotheticals: it queries a large language model at runtime to decide what to do next. Instead of relying solely on brittle, hardcoded scripts that break across phone models and launchers, PromptSpy asks Google’s Gemini to interpret what’s on the screen and return step-by-step gestures to keep itself running and hard to remove.

It sounds like sci‑fi. It’s real. And even if this particular sample looks like a limited proof of concept, the implications are worth taking seriously.

Why this matters

• PromptSpy is the first reported Android malware to integrate generative AI into its execution flow. That means an attacker can outsource part of the “how” to a model that understands language and UI descriptions, rather than trying to write brittle device‑specific navigation code. (globenewswire.com)
• The malware uses Gemini to analyze an XML “dump” of the screen (UI element labels, class names, coordinates) and asks the model how to perform gestures (taps, swipes, long presses) to, for example, pin the malicious app in the Recent Apps list so it can’t be easily swiped away. That persistence trick — paired with accessibility abuse and a VNC module — turns a compromised phone into a remotely controllable device. (globenewswire.com)
• This isn’t yet a massive outbreak. ESET’s initial research and telemetry don’t show widespread infections; distribution appears to be via a malicious domain and sideloaded APKs (not Google Play). Still, the technique expands the attacker toolbox. (globenewswire.com)

The anatomy of PromptSpy (plain English)

• The app arrives outside the Play Store (phishing / fake bank site distribution).
• It requests Accessibility permissions — that’s the red flag to watch for. With those permissions it can read UI elements and simulate touches.
• PromptSpy captures an XML snapshot of what’s on screen and sends that, with a natural-language prompt, to Gemini.
• Gemini returns structured instructions (JSON) with coordinates and gesture types.
• The malware repeats the loop until Gemini confirms the desired state (e.g., the app is locked in the Recent Apps view).
• Meanwhile it can deploy a built-in VNC server to let operators observe and control the device, capture screenshots and video, and block uninstallation via invisible overlays. (globenewswire.com)

What the vendors are saying

• ESET, which discovered PromptSpy, named and analyzed the family and warned about the adaptability that generative AI brings to UI-driven malware. They emphasized that the Gemini component was used for a narrow but strategic purpose — persistence — and that the model and prompts were hard-coded into the sample. (globenewswire.com)
• Google has noted that devices with Google Play Protect enabled are protected from known PromptSpy variants, and that the malware has not been observed in the Play Store. Google and other platforms are already using AI in defensive workflows, and Play Protect flagged the known samples. That said, the prescriptive takeaway from Google and researchers is: don’t sideload unknown apps and be suspicious of Accessibility requests. (helentech.jp)
• Security teams have previously shown LLMs can be “prompted” into unsafe actions (so‑called prompt‑exploitation), and other threat research has already demonstrated experiments where malware queries LLMs for obfuscation or evasion tactics. PromptSpy is the first high‑profile example of a mobile threat using a model to make runtime UI decisions. (cloud.google.com)

Practical advice for users and admins

• Treat Accessibility permission requests as extremely sensitive. Only grant them to well-known, trusted apps that explicitly need them (e.g., assistive tools you intentionally installed). PromptSpy relies on Accessibility abuse to operate. (globenewswire.com)
• Keep Play Protect enabled and your device updated. Google says Play Protect detects known PromptSpy variants and the sample was not found in Google Play — meaning the main exposure vector is sideloading. (helentech.jp)
• Don’t install APKs from untrusted websites. Even a convincing “bank app” landing page can be a trap.
• If you suspect infection: reboot to Safe Mode (which disables third‑party apps) and uninstall the suspicious app from Settings → Apps. If removal is blocked, Safe Mode should allow you to remove it. (globenewswire.com)
• Enterprises should monitor for unusual Accessibility API usage and VNC‑like activity, and enforce app installation policies that block sideloading where possible.

Bigger picture: a step change in attacker workflows

PromptSpy is not a finished army of super‑malware; it’s an inflection point. A few things to keep in mind:

• Outsourcing UI logic to an LLM lowers the development cost and time for attackers who want their malware to work across many devices and OEM interfaces. That expands the potential victim pool without requiring extensive per‑device engineering. (globenewswire.com)
• Right now the model and prompts were embedded in the sample, not letting the attacker dynamically reprogram behavior on the fly. But as attackers iterate, we can expect more dynamic patterns: just‑in‑time code snippets, adaptive obfuscation, or model‑assisted social engineering. (globenewswire.com)
• Defenders are also using AI. Google and other vendors are integrating generative models into detection and app review. That creates an arms race where models will be used on both sides — but history shows defensive systems must evolve faster than attackers to keep users safe. (tech.yahoo.com)

My take

PromptSpy should be a wake‑up call, not a panic button. The malware demonstrates a plausible and worrying technique — using an LLM to adapt UI interactions in the wild — but it also highlights where traditional defenses still work: cautious app sourcing, permission hygiene, Play Protect and safe removal procedures. The bigger risk is what comes next, not this single sample: models make it easier to automate tasks that were once fiddly and fragile. Expect attackers to test and reuse these ideas, and expect defenders to double down on detecting model‑assisted behavior.

Security in an era of ubiquitous generative AI is going to be a cat‑and‑mouse game where the mice learned to read maps. Keep your guard up.

Readable summary

• PromptSpy is the first widely reported Android malware to query a generative model (Gemini) at runtime to adapt UI actions for persistence. (globenewswire.com)
• It relies on Accessibility abuse, has a VNC component, and was distributed outside the Play Store. Play Protect reportedly detects known variants. (globenewswire.com)
• Protect yourself by avoiding sideloads, rejecting suspicious Accessibility requests, keeping Play Protect and updates enabled, and using Safe Mode removal if needed. (globenewswire.com)

Sources

• ESET Research discovers PromptSpy, the first Android threat to use generative AI — ESET press release.
  https://www.globenewswire.com/news-release/2026/02/19/3241357/0/en/ESET-Research-discovers-PromptSpy-the-first-Android-threat-to-use-generative-AI.html

• Android malware is now using Google’s own Gemini AI to adapt in real time — Android Authority.
  https://www.androidauthority.com/android-malware-promptspy-uses-generative-ai-gemini-3642832/

• PromptSpy Android malware abuses Google Gemini AI for persistence — CyberInsider (technical breakdown).
  https://cyberinsider.com/promptspy-android-malware-abuses-google-gemini-ai-for-persistence/

• Google says its AI systems helped deter Play Store malware in 2025 — reporting on Play Protect and Google’s stance.
  https://tech.yahoo.com/ai/gemini/articles/google-says-ai-systems-helped-212739930.html

• GTIG AI Threat Tracker: Experimental malware using Gemini for self‑modification — Google Cloud blog (background on LLMs being experimented with in malware).
  https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools

Finally: WhatsApp will let you run more than one account on the same iPhone

Imagine juggling personal texts, customer messages, and that group chat you can’t quit — all inside the same WhatsApp app, without awkward workarounds. Meta has quietly started rolling out a TestFlight beta that does exactly that: native multi-account support for iPhone users. For anyone tired of switching devices or installing a second app, this could be the small change that makes daily messaging a lot less messy.

Why this matters right now

• iPhone users have long relied on hacks — a separate WhatsApp Business app, cloning apps on Android, or carrying two devices — to run multiple WhatsApp numbers.
• Meta is testing a native solution in the WhatsApp beta for iOS via TestFlight, which signals the feature is moving from code hints into real-world use.
• The beta currently supports up to two accounts that live inside a single app, with separate chat histories, backups, and notification settings.

What the TestFlight beta actually does

• Adds an "Account List" section to Settings (or a quick button near your profile QR code) so you can add and switch accounts from inside the app. (9to5mac.com)
• Lets you add:
  • A brand-new number (never registered on WhatsApp),
  • An account already used elsewhere (including WhatsApp Business), or
  • A “companion” account by scanning a QR code from another phone. (9to5mac.com)
• Keeps each account’s chats, backups, notification tones, and privacy settings separate — so your work alerts won’t clutter your personal DMs. (macrumors.com)
• Shows which account a notification belongs to, to reduce confusion when messages arrive. (macrumors.com)

A few usability notes from the beta reports

• The testing build is limited to a subset of TestFlight users; there’s no official public release date yet. (9to5mac.com)
• Switching is designed to be fast: quick taps or holds on the Settings tab let you toggle accounts without logging in and out. (macrumors.com)
• The feature appears to respect App Lock (Face ID/Touch ID/passcode) so protected accounts stay secure when switching. (macrumors.com)

Why Meta is likely doing this now

• Platform parity and convenience: Instagram and Facebook already let users manage multiple accounts, and bringing parity to WhatsApp removes friction for people who use multiple identities (personal, freelance, business). (macrumors.com)
• Growing multi-SIM and eSIM use: many people have more than one number linked to their single iPhone, so native multi-account support meets a real user need.
• Product simplification: reducing the need for WhatsApp Business as a workaround means fewer apps to manage and better retention inside the primary WhatsApp experience.

Possible wrinkles and open questions

• How many accounts will the final public release support? The beta is capped at two, but that could change.
• How will backups interact with iCloud storage limits and account-specific encryption? Reports say backups stay separate, but details on storage and restore flows could affect adoption. (9to5mac.com)
• Enterprise and compliance: businesses that rely on integrations or multi-user tools may need updated workflows if account linking behaves differently than existing companion modes.

What this means for different users

• For freelancers and solopreneurs: less app-hopping and cleaner separation between client and personal chats.
• For small business owners: easier management without forcing a switch to WhatsApp Business (though Business still has specialized tools).
• For families and power users: clearer notification boundaries and fewer accidental replies from the wrong account.

A few practical tips for testers

• If you’re on TestFlight and see the Account List, try adding a second account and test notifications so you understand which account receives what.
• Test backups and restores for each account separately to confirm iCloud behavior matches your expectations.
• Use App Lock for any account with sensitive chats to keep switching secure.

My take

This is one of those unglamorous but impactful product moves: not new technology, but a quality-of-life improvement that changes how people actually use the app every day. If Meta executes the final release cleanly — clear notification labels, reliable backups, and straightforward account management — this will quickly feel indispensable for anyone who juggles more than one WhatsApp number on an iPhone.

Sources

• WhatsApp will finally support multiple accounts on the same iPhone — 9to5Mac.
  https://9to5mac.com/2025/11/18/whatsapp-beta-multiple-accounts-iphone/ (9to5mac.com)

• WhatsApp Tests Multiple Account Support in iPhone Beta — MacRumors.
  https://www.macrumors.com/2025/11/19/whatsapp-tests-multiple-account-support-ios/ (macrumors.com)

• WhatsApp beta for iOS introduces initial support for multiple accounts — Gadgets360.
  https://www.gadgets360.com/apps/news/whatsapp-multi-account-support-on-ios-beta-report-9657555 (gadgets360.com)

• WhatsApp For iOS Finally Rolls Out Multi-Account Support For Testers — BGR.
  https://bgr.com/2030721/whatsapp-ios-multi-account-support-testers/ (bgr.com)