PROMPTSPY

An Android backdoor, first identified by ESET in February 2026 and confirmed by GTIG in May 2026, that uses the Google Gemini API for autonomous device navigation, biometric capture, and on-device UI automation.

Last refreshed: 20 May 2026

Key Question

PROMPTSPY uses Gemini to navigate any Android app autonomously; does that break biometric authentication?

Timeline for PROMPTSPY

#411 May

Deployed against targets using Google Gemini API for autonomous device navigation, biometric capture, and UI automation

Cybersecurity: Threats and Defences: GTIG names the first LLM-written working zero-day
Common Questions

What is PROMPTSPY Android malware?

PROMPTSPY is an Android backdoor that uses the Google Gemini API to autonomously navigate device interfaces, capture biometric authentication prompts, and automate on-device actions without human operator input. ESET first reported it in February 2026; GTIG confirmed state attribution in May 2026.
Source: GTIG / ESET

How does PROMPTSPY use Google Gemini to hack phones?

PROMPTSPY sends screenshots or UI state to the Gemini API and uses the model's response to autonomously navigate apps, fill forms, extract credentials, and capture biometric prompts, eliminating the need for the attacker to hardcode commands for each target application.
Source: GTIG

Can PROMPTSPY steal biometric data from Android phones?

GTIG confirmed that PROMPTSPY includes biometric capture capability, meaning it can observe and record fingerprint or facial recognition prompts on infected devices, which may undermine authentication methods previously considered resistant to phishing.
Source: GTIG

Background

PROMPTSPY is an Android backdoor first surfaced by ESET in February 2026 and confirmed by Google's Threat Intelligence Group in May 2026 to use the Google Gemini API for autonomous device navigation, biometric capture, and on-device user-interface automation. The confirmation elevated PROMPTSPY from a suspected AI-assisted threat to the first publicly named state-attributed Android backdoor with a confirmed LLM-driven command tier. GTIG's May 2026 report identifies it in the context of AI-augmented threat actors alongside PRC-nexus and Russia-nexus clusters.

PROMPTSPY's use of Gemini for UI automation distinguishes it from conventional Android backdoors that require hardcoded command sequences or human operator control. The Gemini API layer allows the backdoor to navigate arbitrary app interfaces, fill forms, extract visible credentials, and capture biometric prompts without requiring the malware author to reverse-engineer each target application's UI. This makes the implant resilient to UI changes in the target application that would break conventional command-and-control scripts. The same design cuts the other way for defenders: every navigation step depends on an outbound call to Google's API, made with an API key the operator has to provision, so the implant's traffic pattern (UI state or screenshots out, an action back) and its API credentials are observable artefacts that a scripted backdoor would never need to produce.

Biometric capture capability places PROMPTSPY in a sensitive category: if the backdoor observes or captures biometric authentication prompts (fingerprint, face recognition), it potentially undermines authentication factors previously considered phishing-resistant. One caveat when reading that claim: on Android the enrolled biometric template is held by the TEE or StrongBox and is not readable by third-party apps, so an implant that screenshots or reads the UI does not obtain the fingerprint or face itself. What it gains is knowledge of when a prompt appears and the ability to act inside the authenticated session once the user has satisfied it, which is enough to defeat the assumption that a biometric step keeps an automated attacker out. For Mobile Device Management practitioners, the implication is that LLM-driven UI automation removes the protection previously offered by complex or novel application interfaces; the practical check is to inventory which installed packages can bind an accessibility service or capture the screen, and to restrict accessibility services to an allowlist where the platform supports it (Android Enterprise exposes this through DevicePolicyManager.setPermittedAccessibilityServices).
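The following triage rule is an added example for this briefing, not code from ESET, GTIG or the PROMPTSPY sample. It implements the inventory check suggested for MDM practitioners by correlating two things the two paragraphs above describe: a package's ability to observe or drive the UI (accessibility service binding or screen capture) and outbound traffic to the Gemini API. It assumes the implant reaches Gemini through the public REST endpoint (generativelanguage.googleapis.com; a Vertex AI deployment would use a different host), that the device inventory can attribute network flows to packages, and that the constructed package names and flow log below are illustrative rather than captured data.

```python
"""Triage rule for an MDM inventory: flag packages that combine a
UI-observation capability (accessibility service or screen capture)
with outbound traffic to the Gemini API host.

Added example for this briefing; not code from ESET, GTIG or PROMPTSPY.
Assumption: the implant uses the public Gemini REST endpoint. All package
names and flow records below are constructed.
"""
from dataclasses import dataclass

# Assumption: public Gemini API endpoint. Vertex AI would need its own entry.
GEMINI_HOSTS = {"generativelanguage.googleapis.com"}

# Manifest permissions that let an app read or drive the UI.
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SCREEN_CAPTURE = "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"


@dataclass(frozen=True)
class Flow:
    package: str
    host: str
    bytes_out: int


def parse_flows(lines):
    """Parse constructed netlog lines: '<package> <host> <bytes_out>'.
    Blank lines and '#' comments are skipped; a malformed line raises."""
    flows = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        package, host, bytes_out = line.split()
        flows.append(Flow(package, host.lower(), int(bytes_out)))
    return flows


def triage(packages, flows, allowlist=frozenset(), upload_threshold=250_000):
    """Return findings sorted by score for packages worth a closer look.

    packages: {package_name: set_of_permissions}
    Illustrative weights:
      +2 accessibility service binding  (reads the UI tree, injects taps)
      +2 media-projection foreground use (screenshots arbitrary apps)
      +3 any traffic to a Gemini host    (LLM in the loop)
      +1 Gemini upload above threshold   (consistent with shipping screenshots)
    A finding needs BOTH a UI capability and Gemini traffic; each alone is
    common in benign apps (assistants, screen recorders, AI note apps).
    """
    sent_to_gemini = {}
    for f in flows:
        if f.host in GEMINI_HOSTS:
            sent_to_gemini[f.package] = sent_to_gemini.get(f.package, 0) + f.bytes_out

    findings = []
    for name, perms in packages.items():
        if name in allowlist:          # vetted accessibility/AI apps
            continue
        reasons, score = [], 0
        if ACCESSIBILITY in perms:
            reasons.append("binds accessibility service")
            score += 2
        if SCREEN_CAPTURE in perms:
            reasons.append("uses media projection (screen capture)")
            score += 2
        ui_capable = score > 0
        sent = sent_to_gemini.get(name, 0)
        if sent:
            reasons.append(f"sent {sent} bytes to Gemini API host")
            score += 3
            if sent >= upload_threshold:
                reasons.append("upload volume consistent with screenshots")
                score += 1
        if ui_capable and sent:
            findings.append({"package": name, "score": score, "reasons": reasons})
    return sorted(findings, key=lambda x: -x["score"])


# Constructed inventory, shaped like an MDM agent's permission report.
SAMPLE_PACKAGES = {
    "com.example.sysupdate": {ACCESSIBILITY, SCREEN_CAPTURE, "android.permission.INTERNET"},
    "com.example.notes": {"android.permission.INTERNET"},           # AI feature, no UI access
    "com.example.screenrec": {SCREEN_CAPTURE, "android.permission.INTERNET"},
    "com.example.reader": {ACCESSIBILITY, "android.permission.INTERNET"},
}

# Constructed flow log; no real observations.
SAMPLE_NETLOG = """
# package host bytes_out
com.example.sysupdate generativelanguage.googleapis.com 2310000
com.example.sysupdate cdn.example.net 4100
com.example.notes generativelanguage.googleapis.com 9800
com.example.screenrec storage.example.net 88000000
com.example.reader generativelanguage.googleapis.com 120000
""".splitlines()


if __name__ == "__main__":
    hits = triage(SAMPLE_PACKAGES, parse_flows(SAMPLE_NETLOG),
                  allowlist={"com.example.reader"})
    for hit in hits:
        print(hit["package"], hit["score"], "; ".join(hit["reasons"]))
```

On the constructed data only com.example.sysupdate is reported (score 8): it can both read and screenshot the UI and pushed about 2.3 MB to the Gemini host. The note app talks to Gemini but cannot see other apps, the screen recorder can see them but never talks to Gemini, and the vetted screen reader is suppressed by the allowlist; drop the allowlist and it surfaces at score 5, which is the intended behaviour, since a legitimate accessibility app with an LLM feature is exactly what a human reviewer should confirm rather than a script.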

Source Material