A newly discovered Android malware strain called PromptSpy is raising alarms across the cybersecurity industry for its novel approach to data exfiltration — hijacking Google’s own Gemini AI assistant to quietly harvest sensitive user information from infected devices. The threat, first detailed by researchers at mobile security firm Zimperium, represents a troubling new vector in which artificial intelligence tools built into consumer devices are being weaponized against the very users they were designed to serve.
The malware, which has been found embedded in at least 18 applications distributed through third-party Android app stores and sideloading channels, does not rely on traditional keylogging or screen-capture techniques. Instead, it abuses the accessibility services and on-device AI integration points that Google has made available to developers, effectively turning Gemini into an unwitting accomplice in data theft. According to a report from The Hacker News, PromptSpy injects carefully crafted prompts into the Gemini AI framework running locally on the device, instructing it to summarize, extract, and organize personal data — including contacts, recent messages, email content, and browsing history — before transmitting the results to attacker-controlled command-and-control servers.
A New Class of AI-Powered Threats Emerges on Mobile
What makes PromptSpy particularly insidious is its use of the AI model’s own summarization and extraction capabilities. Rather than scraping raw data — which can be noisy, voluminous, and difficult to parse — the malware essentially asks Gemini to do the heavy lifting. The injected prompts instruct the AI to identify high-value information such as banking credentials mentioned in messages, one-time passwords, travel itineraries, and personal identification numbers. The output is compact, structured, and immediately actionable for threat actors.
Zimperium’s research team, led by principal threat researcher Nico Chiaraviglio, described the technique as “a significant evolution in mobile malware tradecraft.” In a technical write-up shared with industry partners and referenced by The Hacker News, Chiaraviglio noted that the malware “effectively weaponizes the trust relationship between the user and their on-device AI assistant. The user believes they are interacting with a helpful tool, while in the background, that same tool is being directed to betray them.”
How PromptSpy Gains a Foothold on Targeted Devices
The infection chain begins with social engineering. The malicious applications masquerade as utility tools — PDF readers, QR code scanners, battery optimizers, and similar categories that have historically been popular vectors for Android malware. Once installed, the app requests accessibility service permissions, a well-known red flag that nonetheless continues to ensnare users who click through permission dialogs without reading them carefully. With accessibility services enabled, PromptSpy gains the ability to observe and interact with other applications on the device, including the Gemini AI integration layer.
From there, the malware operates in stages. During an initial reconnaissance phase, it catalogs the apps installed on the device, the user’s Google account information, and the device model and OS version. It then enters an active exfiltration phase, during which it periodically injects prompts into the Gemini interface. These prompts are designed to appear as though they originate from the user or from legitimate system processes. The AI processes them without distinction, returning organized summaries of the requested data. PromptSpy then encrypts the output using AES-256 and transmits it over HTTPS to servers that researchers traced to infrastructure hosted in Eastern Europe and Southeast Asia.
Google’s Response and the Broader Industry Implications
Google, for its part, has acknowledged the issue. A spokesperson told reporters that the company has already removed several of the identified malicious apps from the Play Store — though the majority of infections appear to have originated from third-party sources — and that it is “actively investigating ways to harden the Gemini on-device API against prompt injection from unauthorized processes.” The company also pointed to its Google Play Protect system, which it says has been updated to detect PromptSpy’s behavioral signatures.
However, security experts say Google’s response, while necessary, may not be sufficient. The fundamental problem is architectural: on-device AI models that accept prompts from accessibility services or other inter-process communication channels are inherently vulnerable to this type of abuse. “You cannot simply patch this with a signature update,” said Dr. Alexandros Kapravelos, an associate professor of computer science at North Carolina State University who specializes in mobile security. “The attack surface exists because of design decisions about how AI assistants interact with the rest of the operating system. Fixing this requires rethinking those interfaces entirely.”
Prompt Injection Moves From Theory to Real-World Exploitation
The PromptSpy campaign is notable because it brings the concept of prompt injection — which has been extensively discussed in academic and industry circles since the rise of large language models — into the domain of real-world mobile malware. Until now, most prompt injection attacks have been demonstrated in controlled environments or against cloud-based AI services. PromptSpy represents one of the first documented cases where prompt injection is being used as a core component of a financially motivated malware operation targeting consumer devices.
Researchers at OWASP, which maintains a widely referenced list of top security risks for large language model applications, have long warned about this category of threat. Their LLM Top 10 list, updated in late 2025, identifies prompt injection as the number-one risk facing AI-integrated applications. The PromptSpy campaign validates those warnings in stark terms. As noted by The Hacker News, the malware’s authors appear to have studied publicly available research on prompt injection techniques and adapted them for mobile deployment with considerable sophistication.
The Scale of Infection and Who Is at Risk
Zimperium estimates that PromptSpy has infected between 50,000 and 100,000 devices globally, with the highest concentrations in India, Brazil, Indonesia, and Nigeria — markets where third-party app stores are widely used and where newer Android devices with Gemini integration are rapidly gaining market share. The firm cautioned that these numbers are likely conservative, as they are based only on telemetry from Zimperium’s own customer base and honeypot networks.
The demographic profile of victims skews toward users of mid-range Android devices running Android 14 or 15 with Gemini Nano enabled. These devices, which include popular models from Samsung, Xiaomi, and Google’s own Pixel line, represent the fastest-growing segment of the global smartphone market. The implication is that as on-device AI becomes standard across more handsets, the potential attack surface for PromptSpy and its successors will only expand.
What Enterprises and Consumers Should Do Now
For enterprise security teams, the emergence of PromptSpy underscores the need to incorporate AI-specific threat models into mobile device management (MDM) policies. Organizations that allow employees to use personal Android devices for work — a common practice under bring-your-own-device (BYOD) policies — should consider restricting accessibility service permissions and monitoring for anomalous AI assistant activity. Several mobile threat defense vendors, including Zimperium, Lookout, and Pradeo, have already released detection rules for PromptSpy’s known variants.
For individual consumers, the advice is more straightforward but no less urgent: avoid installing apps from third-party sources, scrutinize permission requests with care, and keep Google Play Protect enabled. Users who suspect their device may be compromised should check their installed apps against the indicators of compromise published by Zimperium and consider performing a factory reset if any matches are found.
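The two recommendations above (restrict accessibility services, avoid sideloaded apps) can be combined into one device audit. The following is an added example, not code from Zimperium or from the original article: it cross-references the enabled accessibility services with each package's installer and flags services whose app did not come from a trusted store. The package names, the sample device output and the trusted-installer set are constructed assumptions.

```python
# Constructed sample inputs; on a real device they come from:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
SAMPLE_SERVICES = ("com.example.screenreader/.ReaderService:"
                   "com.example.pdfreader/.ReaderHelperService")
SAMPLE_PACKAGES = """\
package:com.example.screenreader  installer=com.android.vending
package:com.example.pdfreader  installer=null
package:com.example.notes  installer=com.android.vending
"""
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play

def parse_enabled_services(raw):
    """Map package -> service classes from the colon-separated setting."""
    services = {}
    raw = raw.strip()
    if raw in ("", "null"):  # the setting reads "null" when nothing is enabled
        return services
    for component in raw.split(":"):
        package, _, cls = component.partition("/")
        if package:
            services.setdefault(package, []).append(cls)
    return services

def parse_installers(raw):
    """Map package -> installer (None if unknown) from `pm list packages -i`."""
    installers = {}
    for line in raw.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("package:"):
            continue
        installer = None
        for field in fields[1:]:
            if field.startswith("installer=") and field != "installer=null":
                installer = field[len("installer="):]
        installers[fields[0][len("package:"):]] = installer
    return installers

def flag_untrusted_services(services_raw, packages_raw, allowlist=()):
    """List (package, installer, services) for services from untrusted sources."""
    installers = parse_installers(packages_raw)
    flagged = []
    for package, classes in sorted(parse_enabled_services(services_raw).items()):
        installer = installers.get(package)
        # Preinstalled system apps can also report installer=null: allowlist them.
        if package not in allowlist and installer not in TRUSTED_INSTALLERS:
            flagged.append((package, installer, classes))
    return flagged

if __name__ == "__main__":
    for hit in flag_untrusted_services(SAMPLE_SERVICES, SAMPLE_PACKAGES):
        print("REVIEW", *hit)
```

A flagged entry is a prompt for review, not a verdict: legitimate assistive apps are sometimes sideloaded, and preinstalled vendor services need to be added to the allowlist.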
The Arms Race Between AI Integration and AI Exploitation
The PromptSpy campaign is almost certainly not the last of its kind. As device manufacturers and operating system vendors race to embed AI capabilities deeper into their products — from on-device summarization and smart replies to proactive notifications and automated task completion — they are simultaneously creating new channels that malicious actors can exploit. The security community has been sounding this alarm for months, but PromptSpy provides the concrete, in-the-wild evidence that turns theoretical concerns into operational reality.
The challenge facing Google, Samsung, and other players in the Android space is significant: they must find ways to preserve the utility and accessibility of on-device AI while simultaneously locking down the inter-process communication pathways that make prompt injection possible. That is a design problem, not merely a detection problem, and solving it will require sustained investment and, likely, some difficult trade-offs between functionality and security. For now, PromptSpy serves as a pointed reminder that every new capability introduced into a computing platform is also a new capability that adversaries will seek to turn to their advantage.