Android Spyware Learns to Outsmart Removal | Analysis by Brian Moineau

Android malware just learned to ask for directions — from Gemini

A new strain of Android spyware called PromptSpy has put a chill in the security world by doing something we’ve only warned about in hypotheticals: it queries a large language model at runtime to decide what to do next. Instead of relying solely on brittle, hardcoded scripts that break across phone models and launchers, PromptSpy asks Google’s Gemini to interpret what’s on the screen and return step-by-step gestures to keep itself running and hard to remove.

It sounds like sci‑fi. It’s real. And even if this particular sample looks like a limited proof of concept, the implications are worth taking seriously.

Why this matters

  • PromptSpy is the first reported Android malware to integrate generative AI into its execution flow. That means an attacker can outsource part of the “how” to a model that understands language and UI descriptions, rather than trying to write brittle device‑specific navigation code. (globenewswire.com)
  • The malware uses Gemini to analyze an XML “dump” of the screen (UI element labels, class names, coordinates) and asks the model how to perform gestures (taps, swipes, long presses) to, for example, pin the malicious app in the Recent Apps list so it can’t be easily swiped away. That persistence trick — paired with accessibility abuse and a VNC module — turns a compromised phone into a remotely controllable device. (globenewswire.com)
  • This isn’t yet a massive outbreak. ESET’s initial research and telemetry don’t show widespread infections; distribution appears to be via a malicious domain and sideloaded APKs (not Google Play). Still, the technique expands the attacker toolbox. (globenewswire.com)

The anatomy of PromptSpy (plain English)

  • The app arrives outside the Play Store (phishing / fake bank site distribution).
  • It requests Accessibility permissions — that’s the red flag to watch for. With those permissions it can read UI elements and simulate touches.
  • PromptSpy captures an XML snapshot of what’s on screen and sends that, with a natural-language prompt, to Gemini.
  • Gemini returns structured instructions (JSON) with coordinates and gesture types.
  • The malware repeats the loop until Gemini confirms the desired state (e.g., the app is locked in the Recent Apps view).
  • Meanwhile it can deploy a built-in VNC server to let operators observe and control the device, capture screenshots and video, and block uninstallation via invisible overlays. (globenewswire.com)

What the vendors are saying

  • ESET, which discovered PromptSpy, named and analyzed the family and warned about the adaptability that generative AI brings to UI-driven malware. They emphasized that the Gemini component was used for a narrow but strategic purpose — persistence — and that the model and prompts were hard-coded into the sample. (globenewswire.com)
  • Google has noted that devices with Google Play Protect enabled are protected from known PromptSpy variants, and that the malware has not been observed in the Play Store. Google and other platforms are already using AI in defensive workflows, and Play Protect flagged the known samples. That said, the prescriptive takeaway from Google and researchers is: don’t sideload unknown apps and be suspicious of Accessibility requests. (helentech.jp)
  • Security teams have previously shown LLMs can be “prompted” into unsafe actions (so‑called prompt‑exploitation), and other threat research has already demonstrated experiments where malware queries LLMs for obfuscation or evasion tactics. PromptSpy is the first high‑profile example of a mobile threat using a model to make runtime UI decisions. (cloud.google.com)

Practical advice for users and admins

  • Treat Accessibility permission requests as extremely sensitive. Only grant them to well-known, trusted apps that explicitly need them (e.g., assistive tools you intentionally installed). PromptSpy relies on Accessibility abuse to operate. (globenewswire.com)
  • Keep Play Protect enabled and your device updated. Google says Play Protect detects known PromptSpy variants and the sample was not found in Google Play — meaning the main exposure vector is sideloading. (helentech.jp)
  • Don’t install APKs from untrusted websites. Even a convincing “bank app” landing page can be a trap.
  • If you suspect infection: reboot to Safe Mode (which disables third‑party apps) and uninstall the suspicious app from Settings → Apps. If removal is blocked, Safe Mode should allow you to remove it. (globenewswire.com)
  • Enterprises should monitor for unusual Accessibility API usage and VNC‑like activity, and enforce app installation policies that block sideloading where possible.
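One way to check a device against the Accessibility and sideloading advice above, as an added example that is not from the original article or from ESET's analysis: it correlates the output of `adb shell settings get secure enabled_accessibility_services` with `adb shell pm list packages -3 -i` and reports third-party apps that hold an enabled accessibility service but were not installed by a trusted store. The sample outputs, the package names and the trusted-installer policy are constructed assumptions.

```python
import re

# Stores treated as trusted (assumption: adjust to your own fleet policy).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample: adb shell settings get secure enabled_accessibility_services
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.reader/.ReadAloudService:"
    "com.example.bankhelper/com.example.bankhelper.CoreService"
)
# Constructed sample: adb shell pm list packages -3 -i
SAMPLE_PACKAGES = """\
package:com.example.reader  installer=com.android.vending
package:com.example.bankhelper  installer=com.google.android.packageinstaller
package:com.example.notes  installer=null
"""

_PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

def parse_services(raw):
    """Map package -> enabled service components (colon-separated setting)."""
    services = {}
    if raw.strip() in ("", "null"):  # `settings get` prints "null" when unset
        return services
    for component in raw.strip().split(":"):
        pkg, _, cls = component.partition("/")
        if pkg and cls:
            services.setdefault(pkg, []).append(component)
    return services

def parse_installers(raw):
    """Map third-party package -> installer package name (None if unknown)."""
    installers = {}
    for line in raw.splitlines():
        m = _PKG_LINE.match(line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def flag_untrusted_accessibility(services_raw, packages_raw, trusted=TRUSTED_INSTALLERS):
    """Third-party apps with an enabled accessibility service and no trusted installer."""
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, comps in sorted(parse_services(services_raw).items()):
        # Packages absent from the -3 listing are preinstalled and skipped here.
        if pkg in installers and installers[pkg] not in trusted:
            findings.append((pkg, installers[pkg], comps))
    return findings
```

A hit is a lead for review rather than a verdict: legitimate assistive tools are sometimes sideloaded, and the installer field records only where the package came from.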

Bigger picture: a step change in attacker workflows

PromptSpy is not a finished army of super‑malware; it’s an inflection point. A few things to keep in mind:

  • Outsourcing UI logic to an LLM lowers the development cost and time for attackers who want their malware to work across many devices and OEM interfaces. That expands the potential victim pool without requiring extensive per‑device engineering. (globenewswire.com)
  • In this sample the model and prompts were embedded in the code, so the attacker could not dynamically reprogram behavior on the fly. But as attackers iterate, we can expect more dynamic patterns: just‑in‑time code snippets, adaptive obfuscation, or model‑assisted social engineering. (globenewswire.com)
  • Defenders are also using AI. Google and other vendors are integrating generative models into detection and app review. That creates an arms race where models will be used on both sides — but history shows defensive systems must evolve faster than attackers to keep users safe. (tech.yahoo.com)

My take

PromptSpy should be a wake‑up call, not a panic button. The malware demonstrates a plausible and worrying technique — using an LLM to adapt UI interactions in the wild — but it also highlights where traditional defenses still work: cautious app sourcing, permission hygiene, Play Protect and safe removal procedures. The bigger risk is what comes next, not this single sample: models make it easier to automate tasks that were once fiddly and fragile. Expect attackers to test and reuse these ideas, and expect defenders to double down on detecting model‑assisted behavior.

Security in an era of ubiquitous generative AI is going to be a cat‑and‑mouse game where the mice learned to read maps. Keep your guard up.

Readable summary

  • PromptSpy is the first widely reported Android malware to query a generative model (Gemini) at runtime to adapt UI actions for persistence. (globenewswire.com)
  • It relies on Accessibility abuse, has a VNC component, and was distributed outside the Play Store. Play Protect reportedly detects known variants. (globenewswire.com)
  • Protect yourself by avoiding sideloads, rejecting suspicious Accessibility requests, keeping Play Protect and updates enabled, and using Safe Mode removal if needed. (globenewswire.com)


Android 16: Practical Upgrades for Pixel | Analysis by Brian Moineau

Don’t ditch your Android just yet: why Android 16 gives Pixel and Galaxy owners plenty to cheer about

You know that nervous tingle you get when a new phone OS drops and you start imagining your device exploding into feature-packed life — or, let’s be honest, getting bricked? Android 16 is that update that actually leans toward making daily life easier and safer: urgent-call tags that stop you from ignoring a truly important call, new scam-check workflows that help you verify sketchy messages in the moment, Chrome tab pinning so your “must-return” pages survive battery drains, and a pile of other niceties that matter more than flashy camera bragging rights.

This isn’t just a polish release. Between security guardrails, smart UI tweaks, and deeper collaboration with Samsung, Android 16 nudges the platform into a space where staying with a Pixel or a Galaxy actually feels like a strategic choice — not just brand loyalty.

What changed and why it matters

  • Urgent call indicator (Call Reason)
    • You can mark outgoing calls as “urgent”; the recipient sees an indicator on the incoming screen and in call history if missed. It’s a tiny communication upgrade that can save you a lot of follow-up texts and missed opportunities.
  • Scam protection and on-call safety
    • Android 16 expands protections that block risky actions during calls (like sideloading or granting accessibility access to unknown apps) and surfaces warnings when a screen-sharing or banking action looks suspicious. Circle-to-Search can summarize whether a message or link looks like a scam, right where you’re reading it.
  • Chrome tab pinning on mobile
    • Pin a tab so it stays at the front of your tab strip — even after closing the browser. That’s the desktop behavior many of us missed on phones.
  • Expressive captions and notification summaries
    • Real-time captions gain context markers (cheers, applause) and emotional tags; AI notification summaries compress long group chats or message threads into digestible snippets.
  • Deeper Samsung collaboration and desktop windowing
    • Google worked closely with Samsung on a desktop/windowed experience (building on DeX), pushing Android toward being a real laptop replacement for some workflows.
  • Advanced Protection and security polish
    • Android 16 makes it easier to enable Google’s strongest protections, bundling anti-phishing and app-safety measures into a simpler flow.

Why Pixel and Samsung benefit most

  • Speed of rollout and update control
    • Pixels get updates first, and some features debut on Google’s Phone/Gboard/Chrome apps where Google can iterate faster. Samsung’s close collaboration with Google (and its existing DeX work) means many of Android 16’s big productivity bits land on Galaxy devices quickly and work well with Samsung’s hardware features.
  • Ecosystem and feature integration
    • Features like Call Reason rely on Google’s Phone app ecosystem; notification summaries and Circle-to-Search tie into Google’s AI services. Pixel owners get first dibs, while Galaxy owners benefit from Samsung’s polish on large-screen and multiwindow features.
  • Security and enterprise readiness
    • The Advanced Protection toggle and on-call safeguards make Android a safer place for executives, journalists, and anyone worried about targeted scams — and vendors that move quickly to adopt these features look better for security-conscious buyers.

Real-world wins (and a few caveats)

  • Wins
    • Practical safety: preventing a scammer from tricking you into side-loading malware while on a call is the kind of improvement you’ll appreciate the moment you need it.
    • Less friction: pinning tabs and compressed chat summaries reduce cognitive load for frequent multitaskers and people who use phones for work.
    • Accessibility and creative tools: expressive captions and camera/coding improvements make devices more useful for creators and people who rely on captions.
  • Caveats
    • Fragmentation still exists: not every Android maker will ship every Google-led feature immediately. Carrier deployments, OEM skins, and regional testing mean your timeline may vary.
    • Early rollouts can be bumpy: like many large OS updates, user reports have shown a mix of smooth upgrades and some bugs on specific devices. Expect patches and minor follow-ups after the initial release.
    • Feature parity: some features require Google apps or specific hardware; cross-brand parity depends on app updates and partner agreements.

A closer look at the scam and call protections

Android 16’s approach to security is practical and context-aware. It doesn’t just add a checkbox — it changes how the phone intervenes:

  • It blocks high-risk actions during suspicious calls (e.g., granting accessibility permissions, sideloading apps from untrusted sources).
  • It warns users when a banking app is opened while screen-sharing, giving a quick “end call” option.
  • Circle-to-Search gives immediate, AI-assisted context when you highlight content that looks fishy, helping you decide whether to trust a link or message.

That combination is the sort of thing that protects everyday users from social-engineering and gives security-minded users more confidence in their phone’s baseline safety.

Who should feel most reassured

  • People who use their phones for sensitive work (journalists, lawyers, executives).
  • Anyone who handles frequent logistics by phone and hates endless follow-up texts (the urgent-call tag helps here).
  • Multitaskers and mobile workers who treat their phone like a mini-laptop and will actually use pinned tabs and desktop windowing.
  • Users who appreciate Google’s AI features in Messaging, Chrome, and accessibility tools.

A short comparison with Apple’s approach

Apple focuses on tight hardware-software control and a closed ecosystem; Google is trying to get the best of both worlds — broad device compatibility with consistent, Google-led features where it counts. Android 16 signals Google doubling down on making core experiences (security, calling, AI summaries) less dependent on OEM fragmentation. If this succeeds, Android can offer the kind of uniform enhancements that historically made iPhone owners feel safe choosing Apple.

My take

Android 16 isn’t about flashy headlines — it’s about smoothing the everyday. Those small quality-of-life and security improvements compound: fewer missed urgent calls, fewer successful scams, fewer tab-hunting headaches. For users who prioritize timely updates, integrated AI tools, and strong on-device protections, staying with a Pixel or choosing a Samsung Galaxy with a good update record makes a lot of sense right now.

The real test will be how quickly OEMs besides Samsung adopt Google’s improvements across core apps and how fast Google ships follow-up patches for early issues. But if you’re on the fence about upgrading your hardware or staying in the Android camp, Android 16 gives you legitimate reasons to stick with Pixel or Galaxy — at least for another upgrade cycle.

What to watch next

  • OEM and carrier rollout schedules for your specific device.
  • Follow-up patches addressing early bugs in the Phone app and other core apps.
  • Whether Samsung and other OEMs fully adopt Google’s AI notification summaries and scam-check workflows.

Final thoughts

Android 16 is a pragmatic upgrade: not a revolution, but a thoughtful set of improvements that nudge daily phone use toward being safer, smarter, and less annoying. If you value security and productivity features that actually help in sticky moments, this update makes a strong case for staying with devices that get Google’s features and updates first — especially Pixel and Samsung Galaxy phones.
