{"id":4569,"date":"2026-02-20T16:37:16","date_gmt":"2026-02-20T16:37:16","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2026\/02\/20\/android-malware-hijacks-google-gemini-to-stay-hidden\/"},"modified":"2026-02-20T16:37:16","modified_gmt":"2026-02-20T16:37:16","slug":"android-malware-hijacks-google-gemini-to-stay-hidden","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2026\/02\/20\/android-malware-hijacks-google-gemini-to-stay-hidden\/","title":{"rendered":"Android Malware Hijacks Google Gemini to Stay Hidden"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-eac0bf4d-c0c4-429e-a284-202c6110bcdc\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>ESET researchers have identified an Android malware implant that uses generative AI (GenAI) for persistence purposes.<\/p>\n<p>This malicious implant is an advanced version of VNCSpy, a piece of malware that appeared on VirusTotal in January 2026 and was represented by three samples uploaded from Hong Kong.<\/p>\n<p>VNCSpy is an Android malware implant that deploys a virtual network computing (VNC) module on the victim&#8217;s device, allowing attackers to see the screen and perform actions remotely.<\/p>\n<p>VNC modules are components of screen-sharing technology that enable remote control of another computer using the remote frame buffer (RFB) protocol.<\/p>\n<p>In February, ESET researchers identified four new malware samples uploaded to VirusTotal from Argentina. 
Their analysis revealed multistage malware based on VNCSpy but with a malicious payload that leverages Google\u2019s Gemini to analyze the targeted device\u2019s screen and provide the operator with step-by-step instructions on how to ensure the malicious app remains pinned in the recent apps list, thus preventing it from being easily swiped away or killed by the system.<\/p>\n<p>The researchers have named the malware implant PromptSpy.<\/p>\n<p>Based on the presence of Simplified Chinese elements in the code, ESET assessed \u201cwith medium confidence\u201d that PromptSpy was developed in a Chinese\u2011speaking environment.<\/p>\n<p>While the security firm noted it hasn\u2019t yet seen any samples of PromptSpy in its telemetry, the existence of a possible distribution domain could suggest the malware has been deployed in the wild.<\/p>\n<h2><strong>Malicious App Impersonating JPMorgan Argentina<\/strong><\/h2>\n<p>The four PromptSpy dropper samples were distributed through the website mgardownload[.]com, which was already offline during ESET\u2019s analysis.<\/p>\n<p>Once the PromptSpy dropper was installed and launched, it opened a webpage hosted on m\u2011mgarg[.]com.<\/p>\n<p>\u201cAlthough this domain was also offline, Google\u2019s cached version revealed that it likely impersonated a Chase Bank (legally, JPMorgan Chase Bank N.A.),\u201d wrote the ESET researchers in a report published on February 19.<\/p>\n<p>Additionally, the malicious Android app distributing PromptSpy is called \u2018MorganArg,\u2019 which suggests it purports to be \u2018Morgan Argentina.\u2019 The app\u2019s icon is inspired by Chase Bank.<\/p>\n<p>The malicious app is linked to a spoofed Spanish website, with an \u201cIniciar session\u201d (Login) button, indicating that the page was probably intended to mimic a bank website.<\/p>\n<p>The MorganArg app is a trojan that functions as a companion application developed by the same threat actor behind VNCSpy and PromptSpy.<\/p>\n<p>In the 
background, the trojan contacts its server to request a configuration file, which includes a link to download another Android package kit (APK) \u2013 the file format for Android applications \u2013 presented to the victim, in Spanish, as an update.<\/p>\n<\/p><\/div>\n<figure id=\"layout-ac6763c6-a0df-4fde-87ed-5f8ce68cc42f\" data-layout-id=\"4\" data-edit-folder-name=\"image\" data-index=\"1\"><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/localimages\/b1748e5c-7a74-40f4-91b0-9828202b98e0.png\" alt=\"Malware\u2019s initial screen that requests to install PromptSpy payload. Source: ESET\"><figcaption>Malware\u2019s initial screen that requests to install PromptSpy payload. Source: ESET<\/figcaption><\/figure>\n<div id=\"layout-ebf128b3-5450-431d-ba00-0c894ffd8ee1\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"2\">\n<p>The configuration server was no longer accessible during ESET\u2019s analysis, so the exact download URL remains unknown.<\/p>\n<p>\u201cHowever, given that it uses the same unique bank spoofing website, the same app name, icon, and, most importantly, is signed by the same unique developer certificate as the PromptSpy dropper, we strongly suspect this app may serve as the initial stage designed to lead victims toward installing PromptSpy.\u201d<\/p>\n<p>Both VNCSpy and PromptSpy include a VNC component, giving their operators full remote access to compromised devices once victims enable Accessibility Services.<\/p>\n<p>This allows the malware operators to see everything happening on the device and to perform taps, swipes, gestures and text input as though they were physically holding the phone.<\/p>\n<h2><strong>Gemini AI Helps Maintain Persistence<\/strong><\/h2>\n<p>PromptSpy also integrates an AI\u2011assisted user interface (UI) manipulation feature, helping it maintain persistence by keeping the malicious app pinned in the recent apps list.<\/p>\n<p>\u201cWe believe this functionality is used 
before the VNC session is established, so that the user or system will not kill the PromptSpy activity from the list of recent apps,\u201d the ESET researchers wrote.<\/p>\n<p>The researchers explained that Android malware usually depends on hardcoded screen features such as taps, coordinates, or UI selectors, and that these methods break when the UI changes across devices, OS versions or manufacturer skins.<\/p>\n<p>PromptSpy\u2019s Gemini-powered feature achieves persistence by keeping the app embedded in the list of recent apps, which requires executing the \u201clock app in recent apps\u201d gesture. That gesture varies between devices and manufacturers, making it difficult to automate with the fixed scripts traditionally used by Android malware.<\/p>\n<p>Once installed and launched, PromptSpy requests \u2018Accessibility Service\u2019 permissions, giving the malware the ability to read on\u2011screen content and perform automated clicks.<\/p>\n<p>Then, while showing a simple loading-style decoy screen in the foreground, the malware begins communicating with Gemini AI to obtain the instructions needed to lock its process in the \u2018Recent Apps\u2019 list.<\/p>\n<\/p><\/div>\n<figure id=\"layout-d052bb6d-e614-4c26-935a-530a1375a70a\" data-layout-id=\"4\" data-edit-folder-name=\"image\" data-index=\"3\"><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/localimages\/a51aeeae-e3f0-4c3e-b7c5-587a28fa4ec6.png\" alt=\"Not locked (left) and locked (right) MorganArg app in the list of recent apps, with the padlock icon representing the lock. Source: ESET\"><figcaption>Not locked (left) and locked (right) MorganArg app in the list of recent apps, with the padlock icon representing the lock. 
Source: ESET<\/figcaption><\/figure>\n<div id=\"layout-2bddfed9-f1b4-44de-b07a-eb58759126bb\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"4\">\n<p>When the user sees the \u2018Loading, please wait\u2019 activity, PromptSpy uses Accessibility Services to open the \u2018Recent Apps\u2019 screen and collect detailed UI information: visible text, content descriptions, class names, package names and screen bounds.<\/p>\n<p>It serializes this dynamic UI snapshot as XML and includes it in its prompt to Gemini. Gemini then returns step-by-step tap instructions on how to achieve the \u2018app lock\u2019 gesture.<\/p>\n<p>This process forms a continuous loop:<\/p>\n<ol>\n<li>PromptSpy sends updated UI context to Gemini<\/li>\n<li>Gemini replies with new actions<\/li>\n<li>PromptSpy executes them and returns the resulting screen state<\/li>\n<\/ol>\n<p>The loop continues until Gemini confirms that the app is successfully locked in recent apps.<\/p>\n<p>All actions suggested by Gemini (taps, swipes, navigation) are executed through \u2018Accessibility Services,\u2019 allowing the malware to interact with the device without user input.<\/p>\n<p>The malware communicates with its hardcoded command\u2011and\u2011control (C2) server at 54.67.2[.]84 using the VNC protocol. 
The messages are AES-encrypted using a hardcoded key.<\/p>\n<p>Through this communication channel, the malware can:<\/p>\n<ul>\n<li>Receive a Gemini API key<\/li>\n<li>Upload the list of installed apps<\/li>\n<li>Intercept the lockscreen PIN or password<\/li>\n<li>Capture the pattern unlock screen as a video recording<\/li>\n<li>Report whether the screen is on or off<\/li>\n<li>Report the current foreground app<\/li>\n<li>Record the screen and user gestures for apps specified by the server<\/li>\n<li>Take screenshots on demand<\/li>\n<\/ul>\n<p>PromptSpy blocks uninstallation by overlaying invisible elements on the screen, meaning the only way for a victim to remove it is to reboot the device into \u2018Safe Mode,\u2019 where third\u2011party apps are disabled and can be uninstalled normally.<\/p>\n<p>\u201cPromptSpy shows that Android malware is beginning to evolve in a sinister way. By relying on generative AI to interpret on\u2011screen elements and decide how to interact with them, the malware can adapt to virtually any device, screen size, or UI layout it encounters,\u201d the ESET researchers concluded.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>ESET researchers have identified an Android malware implant that uses generative AI (GenAI) for persistence purposes. This malicious implant is an advanced version of VNCSpy, a piece of malware that appeared on VirusTotal in January 2026 and was represented by three samples uploaded from Hong Kong. 
VNCSpy is an Android malware implant that deploys a<\/p>\n","protected":false},"author":2,"featured_media":4570,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4569","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4569-6ee31d88-27c2-425a-924f-bfcb90db0a6e.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4569-6ee31d88-27c2-425a-924f-bfcb90db0a6e-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4569-6ee31d88-27c2-425a-924f-bfcb90db0a6e.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4569-6ee31d88-27c2-425a-924f-bfcb90db0a6e.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4569-6ee31d88-27c2-425a-924f-bfcb90db0a6e.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4569-6ee31d88-27c2-425a-924f-bfcb90db0a6e.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4569-6ee31d88-27c2-425a-924f-bfcb90db0a6e.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4569-6ee31d88-27c2-425a-924f-bfcb90db0a6e.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4569-6ee31d88-27c2-425a-924f-bfcb90db0a6e.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4569-6ee31d88-27c2-425a-924f-bfcb90db0a6e.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4569-6ee31d88-27c2-425a-924f-bfcb90db0a6e-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a 
href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4569","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=4569"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4569\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/4570"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=4569"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=4569"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=4569"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}