A new type of Android malware is making headlines this week, and it is unlike anything security researchers have seen before. Discovered by cybersecurity firm ESET, a malware strain called PromptSpy is the first ever Android malware to use generative AI — specifically Google's own Gemini — to take over your phone. It can record your screen, steal your lock screen PIN, block you from uninstalling it, and hand a remote attacker full control of your device.
While PromptSpy appears to have primarily targeted users in Argentina and may still be in its early stages, the discovery is a clear signal: Android threats are getting smarter. For the millions of Kenyan smartphone users who rely on their phones for mobile banking, M-Pesa transactions, business communication, and everyday life, this is the right moment to take Android security seriously.
This guide walks you through practical, straightforward steps to protect your Android phone in 2026.
What Makes PromptSpy Different — And Why It Matters
Before getting into the how-to steps, it helps to understand why security researchers are paying attention to this threat.
Most Android malware works by hardcoding specific screen coordinates or button locations. The problem is that these coordinates break easily across different phone models, screen sizes, and Android versions. Attackers have had to build separate versions of malware for different devices — an expensive and time-consuming process.
PromptSpy changes that. It sends Google's Gemini a description of whatever is currently on the phone's screen, and Gemini responds with instructions on exactly what the malware should tap or swipe. This means the malware can adapt to virtually any Android device, any screen layout, and any Android version automatically. It is a significant upgrade in how flexible and dangerous mobile malware can be.
Beyond the AI angle, PromptSpy can capture your lock screen PIN, record your screen as a video, take screenshots, block you from uninstalling it using invisible overlays over buttons, and give attackers full remote access to your phone through a VNC module. Importantly, it is distributed through a fake banking app website and has never appeared on the Google Play Store.
The good news is that Google Play Protect already blocks known versions of it. The better news is that the steps that protect you from PromptSpy are the same steps that protect you from the vast majority of Android threats in general.
Step 1: Only Install Apps From the Google Play Store
This one step alone would stop most Android malware, including PromptSpy.
PromptSpy was never on the Play Store. It was distributed through a dedicated website disguised as a banking app. Users who only install apps through the Play Store would never have encountered it in the first place.
In Kenya, it is common to download APK files from WhatsApp groups, Telegram channels, or random websites — especially for apps that are not available locally, paid apps people want for free, or modified versions of popular apps. This habit carries significant risk. APK files downloaded outside the Play Store have not been reviewed by Google's security systems.
To check your settings, go to Settings, then Security, and look for an option called "Install Unknown Apps" or "Unknown Sources." Make sure this is turned off for all apps. On Android 8 and above, you can control this permission on a per-app basis.
Step 2: Keep Google Play Protect Turned On
Google Play Protect is a built-in security feature that scans apps on your phone for malware. It is free, runs automatically in the background, and is one of your best defences against threats like PromptSpy.
ESET confirmed that Play Protect already protects against known versions of PromptSpy. This only works, however, if Play Protect is actually enabled on your device.
To check, open the Play Store app, tap your profile picture in the top right corner, tap "Play Protect," and make sure it shows as active. You can also run a manual scan from this screen. If Play Protect is turned off, turn it back on immediately.
Step 3: Be Very Careful With Accessibility Permissions
This is one of the most important — and most overlooked — security steps on Android.
Accessibility Services are features designed to help people with disabilities use their phones. They allow apps to read what is on the screen, simulate taps and swipes, and interact with other apps. These are powerful capabilities, and malware loves them.
PromptSpy abuses Accessibility Services to place invisible overlays over the "Uninstall" button and other system controls, making it impossible for users to remove it through normal means. Many other Android malware families do the same thing.
You should only grant Accessibility permissions to apps you fully trust and that genuinely need them — such as a screen reader or a password manager like Bitwarden. If a random app you downloaded asks for Accessibility access, that is a major red flag.
To review which apps have Accessibility access on your phone, go to Settings, then Accessibility, then Installed Apps or Downloaded Apps depending on your phone model. If you see any apps there that should not need those permissions, revoke them immediately.
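For anyone checking a phone over USB debugging rather than through the Settings menus, here is an added example (not from the article or from ESET) that performs the Step 1 and Step 3 checks with adb: it lists apps that did not come from the Play Store, apps that currently hold Accessibility access, and the overlap between the two. It assumes adb is installed, that com.android.vending (the Play Store) is the only trusted installer, and the package names in the comments are constructed.

```shell
#!/bin/sh
# Audit helpers for an Android device reachable via `adb shell`.
# Each function reads the raw output of one adb command on stdin,
# so it works on live output or on a saved copy of it.
# Assumption: only the Play Store (com.android.vending) is a trusted
# installer; add your vendor's app store here if you use one.

# Input:  `adb shell pm list packages -3 -i` (third-party apps + installer)
# Lines look like:  package:com.example.app  installer=com.android.vending
# Output: one line per app that was NOT installed by the Play Store.
sideloaded_packages() {
    tr -d '\r' |
        sed -n 's/^package:\([^ ]*\)[ ]*installer=\(.*\)$/\1 \2/p' |
        awk '$2 != "com.android.vending" { print $1 " (installer: " $2 ")" }'
}

# Input:  `adb shell settings get secure enabled_accessibility_services`
#         (colon-separated pkg/ServiceClass entries, or "null" when none)
# Output: one package name per line that holds Accessibility access.
accessibility_packages() {
    tr -d '\r' | tr ':' '\n' | sed -n 's#^\([^/]*\)/.*#\1#p' | sort -u
}

# Apps that are both sideloaded AND have Accessibility access: the
# combination PromptSpy relies on, so review these first.
# $1 = file with `pm list packages -3 -i` output, $2 = file with the
# enabled_accessibility_services output.
high_risk_packages() {
    tmp=$(mktemp)
    sideloaded_packages < "$1" | cut -d' ' -f1 | sort -u > "$tmp"
    accessibility_packages < "$2" | comm -12 "$tmp" -
    rm -f "$tmp"
}

# Live run against a connected device: `sh audit.sh --live`
if [ "${1:-}" = "--live" ]; then
    pkgs=$(mktemp); a11y=$(mktemp)
    adb shell pm list packages -3 -i > "$pkgs"
    adb shell settings get secure enabled_accessibility_services > "$a11y"
    echo "Apps installed outside the Play Store:"; sideloaded_packages < "$pkgs"
    echo "Apps with Accessibility access:";        accessibility_packages < "$a11y"
    echo "Review first (sideloaded + Accessibility):"; high_risk_packages "$pkgs" "$a11y"
    rm -f "$pkgs" "$a11y"
fi
```

Anything printed under "Review first" should be checked against Step 3 and, if it is not a screen reader or password manager you installed on purpose, removed as described in Step 8.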
Step 4: Use a Strong Screen Lock
PromptSpy is specifically designed to capture your lock screen PIN and record your unlock pattern as a video. This makes your screen lock your first line of defence.
A six-digit PIN is much stronger than a four-digit one. A strong alphanumeric password is stronger still. Pattern unlocks are the weakest option — they are easy to record and easy to guess from smudge marks on the screen.
Fingerprint authentication is a good complement to a strong PIN because it reduces how often you type your PIN in public. Set it up if your phone supports it, but make sure you still have a strong PIN as a backup since biometrics can be bypassed in some circumstances.
To set or change your screen lock, go to Settings, then Security, then Screen Lock.
Step 5: Keep Your Phone and Apps Updated
Malware frequently exploits security vulnerabilities in outdated versions of Android or popular apps. Keeping your phone updated closes these holes before attackers can use them against you.
Go to Settings, then System, then Software Update, and check for any pending updates. Do the same for your apps by opening the Play Store, tapping your profile picture, and selecting "Manage Apps and Device" to see if any updates are waiting.
Updates are especially important for your browser, banking apps, and any app that handles sensitive data.
Step 6: Watch Out for Fake Banking Apps
PromptSpy disguised itself as a fake Chase Bank app. In Kenya, similar attacks often impersonate M-Pesa, Equity Bank, KCB, or other locally trusted financial platforms.
The signs to watch for include being directed to a website or WhatsApp group to download a banking app rather than finding it on the Play Store, apps that ask for more permissions than necessary (a banking app does not need Accessibility access or the ability to record your screen), slight variations in app names or icons that look almost right but not quite, and messages from strangers or suspicious accounts urging you to install a financial app urgently.
When in doubt, go directly to the official Google Play Store, search for your bank by name, and install only the app listed there with the most downloads and reviews.
Step 7: Use Two-Factor Authentication on Your Important Accounts
Even if malware does manage to steal your password, two-factor authentication (2FA) adds a second layer of defence. An attacker would need both your password and access to your phone or email to log into your account.
Enable 2FA on your Google account, your banking apps, your email, and any other account that supports it. Google Authenticator and Microsoft Authenticator are both solid options for generating one-time codes. Some services will also send a code via SMS, which is better than nothing even though SMS-based 2FA is weaker than app-based options.
To enable 2FA on your Google account, go to myaccount.google.com, click Security, and look for "2-Step Verification."
Step 8: What to Do If You Think Your Phone Is Already Infected
If your phone is behaving strangely — the battery drains unusually fast, the phone is hot when idle, data usage has spiked, or you cannot remove an app — there is a possibility malware is running on it.
For PromptSpy specifically, the only way to remove it through normal means is to reboot your phone into Safe Mode. In Safe Mode, third-party apps are disabled, which means the invisible overlays blocking the Uninstall button will no longer work. You can then go to Settings, then Apps, find the suspicious app, and uninstall it normally.
To boot into Safe Mode on most Android phones, press and hold the power button, then long-press the "Power Off" option until a "Safe Mode" prompt appears. Tap OK. The process varies slightly between manufacturers, so search for "how to boot into safe mode" followed by your specific phone model if the above does not work.
After removing the suspicious app, run a Google Play Protect scan, change all your important passwords, and check your bank accounts for any unusual activity.
If you are not comfortable doing this yourself, take your phone to a trusted phone repair shop or contact your mobile carrier for support.
The Bigger Picture
PromptSpy is being described by researchers as potentially a proof of concept rather than a full-scale attack campaign. But the direction it points in is clear. Attackers are beginning to use AI to make malware more adaptable, more persistent, and harder to detect. This is not a trend that will reverse.
For Kenyan smartphone users, the stakes are high. Our phones are our banks, our businesses, and our connections to family and work. Taking a few minutes to check the settings outlined in this guide is a worthwhile investment.
The steps are not complicated. Stick to the Play Store. Keep Play Protect on. Be stingy with Accessibility permissions. Use a strong screen lock. Update your phone regularly. Those five habits alone will protect you from the overwhelming majority of Android threats in 2026.