Category: Threat Intelligence

Android malware just learned to ask for directions — from Gemini

A new strain of Android spyware called PromptSpy has put a chill in the security world by doing something we’ve only warned about in hypotheticals: it queries a large language model at runtime to decide what to do next. Instead of relying solely on brittle, hardcoded scripts that break across phone models and launchers, PromptSpy asks Google’s Gemini to interpret what’s on the screen and return step-by-step gestures to keep itself running and hard to remove.

It sounds like sci‑fi. It’s real. And even if this particular sample looks like a limited proof of concept, the implications are worth taking seriously.

Why this matters

• PromptSpy is the first reported Android malware to integrate generative AI into its execution flow. That means an attacker can outsource part of the “how” to a model that understands language and UI descriptions, rather than trying to write brittle device‑specific navigation code. (globenewswire.com)
• The malware uses Gemini to analyze an XML “dump” of the screen (UI element labels, class names, coordinates) and asks the model how to perform gestures (taps, swipes, long presses) to, for example, pin the malicious app in the Recent Apps list so it can’t be easily swiped away. That persistence trick — paired with accessibility abuse and a VNC module — turns a compromised phone into a remotely controllable device. (globenewswire.com)
• This isn’t yet a massive outbreak. ESET’s initial research and telemetry don’t show widespread infections; distribution appears to be via a malicious domain and sideloaded APKs (not Google Play). Still, the technique expands the attacker toolbox. (globenewswire.com)

The anatomy of PromptSpy (plain English)

• The app arrives outside the Play Store (phishing / fake bank site distribution).
• It requests Accessibility permissions — that’s the red flag to watch for. With those permissions it can read UI elements and simulate touches.
• PromptSpy captures an XML snapshot of what’s on screen and sends that, with a natural-language prompt, to Gemini.
• Gemini returns structured instructions (JSON) with coordinates and gesture types.
• The malware repeats the loop until Gemini confirms the desired state (e.g., the app is locked in the Recent Apps view).
• Meanwhile it can deploy a built-in VNC server to let operators observe and control the device, capture screenshots and video, and block uninstallation via invisible overlays. (globenewswire.com)

What the vendors are saying

• ESET, which discovered PromptSpy, named and analyzed the family and warned about the adaptability that generative AI brings to UI-driven malware. They emphasized that the Gemini component was used for a narrow but strategic purpose — persistence — and that the model and prompts were hard-coded into the sample. (globenewswire.com)
• Google has noted that devices with Google Play Protect enabled are protected from known PromptSpy variants, and that the malware has not been observed in the Play Store. Google and other platforms are already using AI in defensive workflows, and Play Protect flagged the known samples. That said, the prescriptive takeaway from Google and researchers is: don’t sideload unknown apps and be suspicious of Accessibility requests. (helentech.jp)
• Security teams have previously shown LLMs can be “prompted” into unsafe actions (so‑called prompt‑exploitation), and other threat research has already demonstrated experiments where malware queries LLMs for obfuscation or evasion tactics. PromptSpy is the first high‑profile example of a mobile threat using a model to make runtime UI decisions. (cloud.google.com)

Practical advice for users and admins

• Treat Accessibility permission requests as extremely sensitive. Only grant them to well-known, trusted apps that explicitly need them (e.g., assistive tools you intentionally installed). PromptSpy relies on Accessibility abuse to operate. (globenewswire.com)
• Keep Play Protect enabled and your device updated. Google says Play Protect detects known PromptSpy variants and the sample was not found in Google Play — meaning the main exposure vector is sideloading. (helentech.jp)
• Don’t install APKs from untrusted websites. Even a convincing “bank app” landing page can be a trap.
• If you suspect infection: reboot to Safe Mode (which disables third‑party apps) and uninstall the suspicious app from Settings → Apps. If removal is blocked, Safe Mode should allow you to remove it. (globenewswire.com)
• Enterprises should monitor for unusual Accessibility API usage and VNC‑like activity, and enforce app installation policies that block sideloading where possible.

Bigger picture: a step change in attacker workflows

PromptSpy is not a finished army of super‑malware; it’s an inflection point. A few things to keep in mind:

• Outsourcing UI logic to an LLM lowers the development cost and time for attackers who want their malware to work across many devices and OEM interfaces. That expands the potential victim pool without requiring extensive per‑device engineering. (globenewswire.com)
• Right now the model and prompts were embedded in the sample, not letting the attacker dynamically reprogram behavior on the fly. But as attackers iterate, we can expect more dynamic patterns: just‑in‑time code snippets, adaptive obfuscation, or model‑assisted social engineering. (globenewswire.com)
• Defenders are also using AI. Google and other vendors are integrating generative models into detection and app review. That creates an arms race where models will be used on both sides — but history shows defensive systems must evolve faster than attackers to keep users safe. (tech.yahoo.com)

My take

PromptSpy should be a wake‑up call, not a panic button. The malware demonstrates a plausible and worrying technique — using an LLM to adapt UI interactions in the wild — but it also highlights where traditional defenses still work: cautious app sourcing, permission hygiene, Play Protect and safe removal procedures. The bigger risk is what comes next, not this single sample: models make it easier to automate tasks that were once fiddly and fragile. Expect attackers to test and reuse these ideas, and expect defenders to double down on detecting model‑assisted behavior.

Security in an era of ubiquitous generative AI is going to be a cat‑and‑mouse game where the mice learned to read maps. Keep your guard up.

Readable summary

• PromptSpy is the first widely reported Android malware to query a generative model (Gemini) at runtime to adapt UI actions for persistence. (globenewswire.com)
• It relies on Accessibility abuse, has a VNC component, and was distributed outside the Play Store. Play Protect reportedly detects known variants. (globenewswire.com)
• Protect yourself by avoiding sideloads, rejecting suspicious Accessibility requests, keeping Play Protect and updates enabled, and using Safe Mode removal if needed. (globenewswire.com)

Sources

• ESET Research discovers PromptSpy, the first Android threat to use generative AI — ESET press release.
  https://www.globenewswire.com/news-release/2026/02/19/3241357/0/en/ESET-Research-discovers-PromptSpy-the-first-Android-threat-to-use-generative-AI.html

• Android malware is now using Google’s own Gemini AI to adapt in real time — Android Authority.
  https://www.androidauthority.com/android-malware-promptspy-uses-generative-ai-gemini-3642832/

• PromptSpy Android malware abuses Google Gemini AI for persistence — CyberInsider (technical breakdown).
  https://cyberinsider.com/promptspy-android-malware-abuses-google-gemini-ai-for-persistence/

• Google says its AI systems helped deter Play Store malware in 2025 — reporting on Play Protect and Google’s stance.
  https://tech.yahoo.com/ai/gemini/articles/google-says-ai-systems-helped-212739930.html

• GTIG AI Threat Tracker: Experimental malware using Gemini for self‑modification — Google Cloud blog (background on LLMs being experimented with in malware).
  https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools

The internet in your living room was leaking — and Google just swatted a giant fly

A few weeks ago (January 28, 2026), Google’s Threat Intelligence Group announced a coordinated action that reads like a cyber-thriller: it seized domains, kicked malicious apps out of Android, and worked with industry partners to dismantle what researchers say was one of the world’s largest residential proxy networks — operated by a company commonly referred to as IPIDEA. The headline detail is blunt: millions of everyday devices — home routers, set‑top boxes, phones and PCs — were being quietly turned into exit nodes that masked the activity of criminal and state‑linked hackers.

This matters because residential proxies don’t just anonymize web browsing. They let attackers hide behind seemingly normal home internet traffic to break into corporate systems, exfiltrate data, run botnets, and stage espionage campaigns. When those exit nodes live inside your apartment or your aunt’s tiny business router, the problem becomes intimate, local — and harder to police at scale.

Why this takedown is unusual

• It targeted the business model behind a sprawling “gray market” rather than a single malware family.
• Google combined technical defensive moves (Play Protect updates), legal tools (domain seizures), and industry coordination (DNS blocking, partner intelligence) to degrade the network.
• The network reportedly serviced hundreds of malicious brands and SDKs embedded across platforms, meaning infection vectors ranged from trojanized apps to preinstalled payloads on cheap hardware.

The action Google described was reported across major outlets and followed weeks of analysis by threat hunters who mapped the two‑tier command-and-control architecture that assigned proxy tasks to enrolled devices. The public claims: in a single seven‑day window in January, more than 550 tracked threat groups used IPIDEA-linked IPs to cloak activity. Google said its steps “reduced the available pool of devices for the proxy operators by millions.” (Date of the disruption announcement: January 28, 2026.)

A quick primer: what are residential proxy networks?

• Residential proxy: a service that routes internet traffic through IP addresses assigned to consumer ISPs — so web requests look like they originate from real homes.
• Legitimate uses: ad verification, localized scraping for price comparison, or bypassing certain geo-restrictions when done transparently.
• Abusive uses: blending malicious traffic with normal residential browsing to evade detection; staging credential spraying; accessing corporate services while appearing as a domestic user; operating botnets and command channels.

IPIDEA’s alleged method was notable: sell SDKs or “monetization” tools to app developers, or ship off‑brand devices with proxy code preinstalled. That created a huge, distributed pool of real‑world IPs available to paying customers — some criminal, some state‑linked.

What happened on January 28, 2026

• Google’s Threat Intelligence Group (GTIG) pursued legal orders to take down the control domains used by IPIDEA.
• Google Play Protect was updated to detect and remove hundreds of apps linked to the operation.
• Google shared technical indicators with partners and ISPs; firms such as Cloudflare and some threat‑intel groups helped block DNS and mapping infrastructure.
• Media and security researchers published timelines and lists of affected SDKs and proxy brands; reporting tied the network to multiple botnet campaigns and malicious toolkits.

Sources reporting the operation estimated that millions of devices were removed from the proxy pool and that dozens of brands and SDK families were disrupted.

Why this is a national‑security and consumer problem at the same time

• Scale and stealth: when exit nodes are ordinary homes, defenders see “normal” traffic. That makes attribution and mitigation expensive and slow.
• Dual‑use plumbing: many of the same tools can be framed as “legitimate” privacy or monetization services — which complicates takedowns and legal responses.
• Supply‑chain angle: preloaded firmware or uncertified hardware with hidden proxy payloads means customers may be compromised before they power the device.
• State interest: security briefings and law‑enforcement filings in recent years tie residential proxy ecosystems to state‑linked espionage and large router compromises, elevating this beyond mere fraud.

What ordinary users should know (and do)

• Your device might be part of a proxy network without obvious signs. Check for unknown apps, especially utilities or “monetization” tools, and remove suspicious ones.
• Keep firmware and OS software updated; buy devices from reputable vendors; be wary of cheap off‑brand boxes that advertise a lot of bundled functionality.
• Use network monitoring where possible: check for unexplained outbound connections or unfamiliar services bound to your router.
• Change default router passwords and disable remote‑management features if you don’t use them.

What this takedown does — and doesn’t — solve

• It’s a strong, high‑impact disruption: removing command domains and evicting malicious apps can cripple an operator’s ability to coordinate millions of exit nodes.
• But it’s not a permanent cure: the residential‑proxy market is large, commercially motivated, and resilient. Operators can rebrand, change SDKs, or migrate to other infrastructure. Cheap hardware suppliers and eager app monetizers create fresh vectors.
• Long term progress requires more than technical takedowns: cross‑industry cooperation, clearer legal frameworks for deceptive SDK practices, and improved device supply‑chain security.

What to watch next

• Will regulators pivot to target the business side — SDK vendors, app monetization marketplaces, or retailers of uncertified devices?
• Will other major platform owners match Google’s approach (e.g., app‑store blocks, domain‑seizure cooperation)?
• Will threat actors move toward decentralization (peer‑to‑peer proxies) or new monetization channels that are harder to interdict?

Things to remember

• Residential proxies exploit trust: traffic coming from a home IP looks normal, which attackers weaponize.
• Disruption can be effective at scale, but the underlying market incentives still exist.
• Consumer vigilance and industry partnership are both required to keep this class of abuse in check.

My take

This was a high‑leverage move: attacking the control plane and the supply channels of a sprawling proxy business hits an ecosystem where the marginal cost of misbehavior is low but the upside for attackers is huge. Google’s action will cause real, measurable harm to operators who relied on scale and obscurity — and it signals that platform defenders are willing to combine technical, legal, and cooperative tools to protect users.

But the takeaway shouldn’t be complacency. The incentives that built this “gray market” are intact: monetization pressure for developers, low‑cost hardware manufacturers, and demand from bad actors who prize plausible domestic IPs. Expect more takedowns, but also expect adaptation. For everyday users, the safest posture remains hygiene: don’t install sketchy system‑style apps, keep devices updated, and treat cheap “preloaded” hardware with suspicion.

Sources

• Google Threat Intelligence Group — Disrupting the World's Largest Residential Proxy Network (summary articles and GTIG coverage).
  https://www.reuters.com/technology/google-disrupts-large-residential-proxy-network-reducing-devices-used-operators-by-millions-2026-01-28/ (Reuters coverage of GTIG announcement)

• United States Department of Justice — Court‑Authorized Operation Disrupts Worldwide Botnet Used by People’s Republic of China State‑Sponsored Hackers (September 18, 2024).
  https://www.justice.gov/opa/pr/court-authorized-operation-disrupts-worldwide-botnet-used-peoples-republic-china-state

• Tech and cybersecurity reporting on the January 28, 2026 disruption (overview of GTIG findings and industry coordination).
  https://www.techradar.com/pro/security/we-believe-our-actions-have-seriously-impacted-one-of-the-largest-residential-proxy-providers-google-takes-the-fight-to-ipidea-and-removes-millions-of-devices-from-criminal-network

• Cybersecurity coverage summarizing GTIG’s takedown and technical details of IPIDEA.
  https://cybernews.com/security/google-shuts-down-ipidea-proxy-network-home-internet/

Note: coverage and technical writeups published January 28–29, 2026 formed the basis for this post. The Wall Street Journal reported an exclusive framing of the story; other outlets and Google’s GTIG materials provide public technical detail and context.