New Android malware uses Gemini AI to learn how to run on specific devices

https://www.howtogeek.com/new-android-malware-uses-gemini-ai-to-learn-how-to-run-on-specific-devices/

Publish Date: 2026-02-20 10:19:00

Source Domain: www.howtogeek.com

It’s no secret that AI is being added to everything. The companies doing this want us to believe it’s making our lives better, but AI is obviously being used in nefarious ways, too. A new discovery shows that Google’s own Gemini AI is being used to help malware run on various Android devices.

Researchers at ESET Cybersecurity recently uncovered a new type of malware that they’re calling “PromptSpy.” It differs from earlier malware that used machine learning. Android devices are all slightly different, and PromptSpy uses generative AI to adapt to each device in real time.

Here’s how it works: Almost all Android devices have some sort of feature that allows users to pin or lock an app to the Recent Apps list (not the same as App Pinning). This ensures that the app will remain running in the background even if the user hasn’t opened it in a while. If an app isn’t pinned, the Android OS will eventually close it to devote resources elsewhere. Malware can use this feature to sneakily stay active in the background.

The problem for malware is that the way devices pin or lock apps varies greatly by manufacturer. So, PromptSpy feeds an XML dump of the current screen to Gemini, and Gemini uses that to identify the device and send back to PromptSpy the appropriate instructions for how to pin an app. PromptSpy then attempts to pin the app and has Gemini double-check that it worked. This happens in a loop until it confirms the app has been successfully pinned.


