The cybersecurity community got a wake-up call this week. Researchers at ESET disclosed PromptSpy, the first documented Android malware that weaponises a commercial large language model (in this case, Google's Gemini) as part of its core execution loop. It's not a theoretical risk anymore. Attackers are already using the same AI tools your employees rely on to evade detection, persist on devices, and steal credentials at scale.
If you're responsible for security or governance in an enterprise that uses AI (which, at this point, is virtually every enterprise), this is the story you need to understand.
What PromptSpy actually does
At a surface level, PromptSpy looks like plenty of other mobile trojans: it captures lockscreen PINs, takes screenshots, records screen activity, and opens a remote-access backdoor via VNC. Standard fare for financially motivated malware.
What makes it different is how it achieves persistence. Rather than relying on hardcoded coordinates or device-specific hacks (which break whenever a manufacturer tweaks a UI), PromptSpy sends a screenshot of the current Android screen to Gemini along with an XML dump of every UI element. It asks the model, cast as an "Android automation assistant", to return step-by-step JSON instructions for keeping the malicious app pinned in the recent apps list so the system can't kill it.
The model responds. The malware follows the instructions. If the device has a different screen size, a custom launcher, or a newer OS version, it doesn't matter. PromptSpy adapts in real time because the LLM adapts.
In the security research community, this is being described as the moment AI-assisted malware went from "interesting proof of concept" to "shipping product."
Why this is a bigger deal than it looks
Malware analysts have long warned that generative AI would lower the barrier for attackers. But the assumption was that AI would primarily help with social engineering: more convincing phishing emails, deepfake voice clips, that kind of thing. PromptSpy shows something more fundamental: AI can automate the operational side of an attack.
Think about what that means. Traditional malware has to be tested against specific device configurations. Developers write different code paths for Samsung, Pixel, Xiaomi. They handle different Android versions separately. PromptSpy doesn't bother with any of that. It outsources the problem to a model that has seen enough Android UIs to navigate almost any of them.
This pattern will generalise. If an LLM can navigate a mobile interface to achieve persistence, it can navigate enterprise software to exfiltrate data. It can adapt to different security tools. It can respond to detection attempts by changing its behaviour based on what it sees on screen.
The Shadow AI connection
Here's where this gets directly relevant to enterprise security teams. PromptSpy uses a public AI API (Gemini) to power its attacks. It obtains an API key from its command-and-control server and makes standard API calls. From a network perspective, the traffic looks like any other API call to Google's AI infrastructure: a legitimate Google domain, over TLS, so a domain blocklist won't help. What's anomalous is the app making the call and the API key it uses, which isn't one your organisation issued.
Now think about your organisation. How many of your employees are making API calls to Gemini, ChatGPT, Claude, or other AI services? If you're like most enterprises, you don't have a complete answer. That's the Shadow AI problem: unapproved, unmonitored AI usage flowing through your network, indistinguishable from legitimate traffic.
PromptSpy exploits the exact same blind spot. When every app, every service, and now every piece of malware is making LLM API calls, the ability to distinguish legitimate from malicious AI traffic becomes a core security requirement. Not a nice-to-have. A requirement.
What enterprises should do right now
The emergence of AI-powered malware doesn't change the fundamentals of good security, but it does raise the urgency on several fronts:
Gain visibility into AI usage across your organisation. You can't secure what you can't see. Map which AI tools and APIs are being used, by whom, and for what. This applies to both sanctioned tools and the long tail of Shadow AI that employees adopt on their own.
Treat AI API traffic as a security telemetry source. Network monitoring should flag unusual patterns in AI API calls: unexpected endpoints, abnormal volumes, calls from devices or processes that shouldn't be making them. On a managed device with per-app egress visibility, a banking app (or any app that isn't an approved AI client) calling the Gemini API is an anomaly worth an alert. On an unmanaged personal phone off the corporate network you won't see it at all, which is an argument for extending coverage, not for ignoring the signal.
Update your threat models. If your current threat model doesn't include "attacker uses commercial LLM to adapt malware behaviour at runtime," it's out of date. Red team exercises should include AI-assisted attack scenarios.
Implement AI governance that covers the full lifecycle. Policy alone isn't enough. You need technical controls that monitor AI interactions, flag anomalies, and enforce usage boundaries in real-time, not just at provisioning time.
Educate your people. The PromptSpy dropper arrives via a convincing fake banking website. Social engineering remains the entry point. Training that helps employees recognise suspicious apps and installation prompts is still your first line of defence.
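To make the telemetry point concrete, here is a small detector written for this article (it is not ESET's analysis code or any Aona AI product code). It runs over a few constructed egress-proxy log lines and applies two checks: an LLM API host reached by an app that isn't on the approved-client list for its device class, and one (device, app) pair making more than a threshold number of LLM calls inside a sliding window, which is the shape a screenshot-and-UI-dump loop produces. The log format, the policy table, the thresholds, and every device and app name are assumptions made for the example; only the three provider hostnames are real.

```python
"""Flag LLM API calls from sources that have no business making them.

Added example for this article, not ESET's or Aona AI's code. Input is a
constructed egress-proxy log (one flow per line, chronological order
assumed). Only the destination host identifies LLM traffic, because the
rest is ordinary TLS to a legitimate provider domain.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Real API hostnames for three hosted LLM providers; extend as needed.
LLM_HOSTS = {
    "generativelanguage.googleapis.com",  # Google Gemini API
    "api.openai.com",                     # OpenAI
    "api.anthropic.com",                  # Anthropic
}

# Assumed policy (not from the article): approved client identifiers per
# device class. The identifier is whatever your proxy or EDR attaches to
# a flow: process name on laptops, package name on managed phones. An
# empty set means the class has no sanctioned LLM use, so every call flags.
APPROVED_CLIENTS = {
    "laptop": {"code", "python", "chrome"},
    "mobile": {"com.google.android.apps.bard"},
    "server": set(),
}

MAX_PER_WINDOW = 20          # calls per (device, app) before "abnormal-volume"
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse one constructed log line: ts device class app host path bytes."""
    ts, device, dev_class, app, host, path, nbytes = line.split()
    return {
        "ts": datetime.fromisoformat(ts), "device": device,
        "class": dev_class, "app": app, "host": host,
        "path": path, "bytes": int(nbytes),
    }


def detect(lines):
    """Return sorted, de-duplicated (rule, device, app) findings."""
    findings = set()
    recent = defaultdict(list)  # (device, app) -> timestamps inside WINDOW
    for rec in map(parse_line, lines):
        if rec["host"] not in LLM_HOSTS:
            continue  # not LLM traffic; out of scope for these two checks
        key = (rec["device"], rec["app"])
        allowed = APPROVED_CLIENTS.get(rec["class"], set())
        if rec["app"] not in allowed:
            findings.add(("unapproved-client",) + key)
        # Sliding window: drop timestamps older than WINDOW, then count.
        recent[key] = [t for t in recent[key] if rec["ts"] - t <= WINDOW]
        recent[key].append(rec["ts"])
        if len(recent[key]) > MAX_PER_WINDOW:
            findings.add(("abnormal-volume",) + key)
    return sorted(findings)


# Constructed sample log; none of these devices, apps or flows are real.
_BASE = datetime(2026, 3, 2, 9, 0)
SAMPLE_LOG = [
    f"{_BASE.isoformat()} LAP-0142 laptop code api.openai.com /v1/chat/completions 2100",
    f"{(_BASE + timedelta(minutes=1)).isoformat()} LAP-0142 laptop slackhelper api.anthropic.com /v1/messages 800",
    f"{(_BASE + timedelta(minutes=2)).isoformat()} LAP-0142 laptop chrome www.example.com / 500",
]
# A phone-resident app posting a ~48 KB body every 20 s for 8 minutes:
# 25 calls, the cadence of a screenshot-plus-UI-dump persistence loop.
SAMPLE_LOG += [
    f"{(_BASE + timedelta(minutes=5, seconds=20 * i)).isoformat()} PHONE-77 mobile "
    "com.example.bankapp generativelanguage.googleapis.com "
    "/v1beta/models/gemini-2.0-flash:generateContent 48000"
    for i in range(25)
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

Run as-is it reports three findings: the phone's bank app on both rules, and an unapproved laptop process calling Anthropic once. The single approved laptop call and the non-LLM browser flow produce nothing. In production the same two rules sit on top of whatever attaches a process or package identity to each flow; without that attribution, the first rule degrades to "any device that isn't supposed to talk to LLM APIs at all", which is still worth having.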
The uncomfortable truth
We've spent the last two years celebrating what AI can do for productivity, creativity, and innovation. And rightly so; the technology is remarkable. But PromptSpy is a reminder that every capability we give to defenders, we're simultaneously giving to attackers. The same LLM that helps your team write code, analyse data, and automate workflows can help malware navigate security controls.
This isn't a reason to slow down AI adoption. It's a reason to take AI governance seriously. Organisations that understand their AI footprint, monitor their AI traffic, and build governance frameworks around AI usage will be far better positioned to detect and respond to threats like PromptSpy.
The ones that don't will be navigating blind in a landscape where the threats just got significantly smarter.
Aona AI helps enterprises discover and govern AI usage across their organisation, including the Shadow AI tools that traditional security misses. Learn more about how we approach AI governance.
