Researchers have discovered the first known Android malware to use generative AI in its execution flow, using Google’s Gemini model to adapt its persistence across different devices.

In a report today, ESET researcher Lukas Stefanko explains how a new Android malware family named “PromptSpy” is abusing the Google Gemini AI model to help it achieve persistence on infected devices.

“In February 2026, we uncovered two versions of a previously unknown Android malware family,” explains ESET.

“The first version, which we named VNCSpy, appeared on VirusTotal on January 13th, 2026 and was represented by three samples uploaded from Hong Kong. On February 10th, 2026, four samples of more advanced malware based on VNCSpy were uploaded to VirusTotal from Argentina.”

First known Android malware to use generative AI

While machine learning models have previously been used by Android malware to analyze screenshots for ad fraud, ESET says that PromptSpy is the first known case of Android malware integrating generative AI directly into its execution.

On some Android devices, users can “lock” or “pin” an app in the Recent Apps list by long-pressing it and selecting a lock option. When an app is locked this way, Android is less likely to terminate it during memory cleanup or when the user taps “Clear all.”

For legitimate apps, this prevents background processes from being killed. For malware like PromptSpy, it can serve as a persistence mechanism.

However, the method used to lock or pin an app varies between manufacturers, making it hard for malware to script the right way to do so on every device. That is where AI comes into play.

PromptSpy sends Google’s Gemini model a chat prompt along with an XML dump of the current screen, including the visible UI elements, text labels, class types, and screen coordinates.

Gemini then responds with JSON-formatted instructions describing the action to take on the device to pin the app.

The malware executes the action through Android’s Accessibility Service, retrieves the updated screen state, and sends it back to Gemini in a loop until the AI confirms that the app has been successfully locked in the recent apps list.

“Even though PromptSpy uses Gemini in just one of its features, it still demonstrates how incorporating these AI tools can make malware more dynamic, giving threat actors ways to automate actions that would normally be more difficult with traditional scripting,” explains ESET.

While the use of an AI LLM for run-time changes to behavior is novel, PromptSpy’s primary functionality is to act as spyware.

The malware includes a built-in VNC module that allows the threat actors to gain full remote access to devices with Accessibility permissions are granted.

Using this access, the threat actors can view and control the Android screen in real time.

According to ESET, the malware can:

• Upload a list of installed apps
• Intercept lockscreen PINs or passwords
• Record the pattern unlock screen as a video
• Capture screenshots on demand
• Record screen activity and user gestures
• Report the current foreground application and screen status

To make removal harder, when users attempt to uninstall the app or turn off Accessibility permissions, the malware overlays transparent, invisible rectangles over UI buttons that display strings like “stop,” “end,” “clear,” and “Uninstall.”

When a user taps the button to stop or uninstall the app, they will instead tap the invisible button, which blocks removal.

Unclear if its a proof-of-concept malware

Stefanko says that victims must reboot into Android Safe Mode so that third-party apps are disabled and cannot block the malware’s uninstall.

ESET told BleepingComputer that it has not yet observed PromptSpy or its dropper in its telemetry, so it is unclear whether the malware is a proof-of-concept.

“We haven’t seen any signs of the PromptSpy dropper or its payload in our telemetry so far, which could mean they’re only proofs of concept,” Stefanko told BleepingComputer.

However, as VirusTotal indicates that several samples were previously distributed via the dedicated domain mgardownload[.]com and used a web page on m-mgarg[.]com to impersonate JPMorgan Chase Bank, it may have been used in actual attacks.

“Still, because there appears to be a dedicated domain that was used to distribute them, and fake bank website, we can’t rule out the possibility that both the dropper and PromptSpy are or were in the wild,” Štefanko added.

While the distribution of this malware appears very limited, it demonstrates how threat actors are using generative AI to not only create attacks and phishing sites, but also to modify malware behavior in real time.

Earlier this month, Google Threat Intelligence reported that state-sponsored hackers are also using Google’s Gemini AI model to support all stages of their attacks, from reconnaissance to post-compromise actions.

Modern IT infrastructure moves faster than manual workflows can handle.

In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.

Get the guide

Meta is formally sectioning off Horizon Worlds, the closest thing it has to a metaverse, from its Quest VR platform, according to a new blog post from Samantha Ryan, Meta’s VP of Content, Reality Labs. While the decision runs counter to Meta’s original plan to own an immersive virtual world that could serve as the future home for all online interaction, it fits with the recent cuts it made to its costly Reality Labs division, and Mark Zuckerberg’s public commitment to focus the company on AI hardware like smart glasses going forward.

“We’re explicitly separating our Quest VR platform from our Worlds platform in order to create more space for both products to grow,” Ryan writes in the blog post. “We’re doubling down on the VR developer ecosystem while shifting the focus of Worlds to be almost exclusively mobile. By breaking things down into two distinct platforms, we’ll be better able to clearly focus on each.”

Meta has been developing mobile and web versions of Horizon Worlds in parallel with its VR app since at least 2023. Switching Worlds to being a mobile-first software platform isn’t good for VR diehards, but it does make it a more natural competitor to something like Roblox or Fortnite, which also offer user-created and monetizable worlds and games. It’s also a business Meta believes it can more easily scale because of its ability to connect games to “billions of people on the world’s biggest social networks.”

While Meta shuttered several of its own VR game studios earlier this year, it still wants to support third-party developers publishing games on its platform. The company says new monetization tools, better discoverability, a “Deals” tab and more ways for developers to talk to their customers should help make a difference. Maintaining the Quest’s library of games could also be critical going forward. Business Insider reported in December 2025 that Meta was working on a gaming-focused Quest headset, and Meta CTO Andrew Bosworth confirmed earlier this February that the company still had multiple Quest devices on its roadmap.

Call of Duty: Warzone Mobile will go offline on April 17, 2026, as Activision confirms the permanent shutdown of its mobile battle royale spin-off and ends server access for all players worldwide.

Activision confirmed the closure as the final stage of previously announced service changes, marking the complete end of a project that aimed to extend the Warzone ecosystem to Android and iOS devices.

The shutdown follows months of restricted access, as the game disappeared from official storefronts in May 2025, effectively preventing new downloads through both Google Play and Apple’s App Store.

CX platforms process billions of unstructured interactions a year: Survey forms, review sites, social feeds, call center transcripts, all flowing into AI engines that trigger automated workflows touching payroll, CRM, and payment systems. No tool in a security operation center leader’s stack inspects what a CX platform’s AI engine is ingesting, and attackers figured this out. They poison the data feeding it, and the AI does the damage for them.

The Salesloft/Drift breach in August 2025 proved exactly this. Attackers compromised Salesloft’s GitHub environment, stole Drift chatbot OAuth tokens, and accessed Salesforce environments across 700+ organizations, including Cloudflare, Palo Alto Networks, and Zscaler. It then scanned stolen data for AWS keys, Snowflake tokens, and plaintext passwords. And no malware was deployed.

That gap is wider than most security leaders realize: 98% of organizations have a data loss prevention (DLP) program, but only 6% have dedicated resources, according to Proofpoint’s 2025 Voice of the CISO report, which surveyed 1,600 CISOs across 16 countries. And 81% of interactive intrusions now use legitimate access rather than malware, per CrowdStrike’s 2025 Threat Hunting Report. Cloud intrusions surged 136% in the first half of 2025.

“Most security teams still classify experience management platforms as ‘survey tools,’ which sit in the same risk tier as a project management app,” Assaf Keren, chief security officer at Qualtrics and former CISO at PayPal, told VentureBeat in a recent interview. “This is a massive miscategorization. These platforms now connect to HRIS, CRM, and compensation engines.” Qualtrics alone processes 3.5 billion interactions annually, a figure the company says has doubled since 2023. Organizations can’t afford to skip steps on input integrity once AI enters the workflow.

VentureBeat spent several weeks interviewing security leaders working to close this gap. Six control failures surfaced in every conversation.

Six blind spots between the security stack and the AI engine

1. DLP cannot see unstructured sentiment data leaving through standard API calls

Most DLP policies classify structured personally identifiable information (PII): names, emails, and payment data. Open-text CX responses contain salary complaints, health disclosures, and executive criticism. None matches standard PII patterns. When a third-party AI tool pulls that data, the export looks like a routine API call. The DLP never fires.

2. Zombie API tokens from finished campaigns are still live

An example: Marketing ran a CX campaign six months ago, and the campaign ended. But the OAuth tokens connecting the CX platform to HRIS, CRM and payment systems were never revoked. That means each one is a lateral movement path sitting open.

JPMorgan Chase CISO Patrick Opet flagged this risk in his April 2025 open letter, warning that SaaS integration models create “single-factor explicit trust between systems” through tokens “inadequately secured … vulnerable to theft and reuse.”

3. Public input channels have no bot mitigation before data reaches the AI engine

A web app firewall inspects HTTP payloads for a web application, but none of that coverage extends to a Trustpilot review, a Google Maps rating, or an open-text survey response that a CX platform ingests as legitimate input. Fraudulent sentiment flooding those channels is invisible to perimeter controls. VentureBeat asked security leaders and vendors whether anyone covers input channel integrity for public-facing data sources feeding CX AI engines; it turns out that the category does not exist yet.

4. Lateral movement from a compromised CX platform runs through approved API calls

“Adversaries aren’t breaking in, they’re logging in,” Daniel Bernard, chief business officer at CrowdStrike, told VentureBeat in an exclusive interview. “It’s a valid login. So from a third-party ISV perspective, you have a sign-in page, you have two-factor authentication. What else do you want from us?”

The threat extends to human and non-human identities alike. Bernard described what follows: “All of a sudden, terabytes of data are being exported out. It’s non-standard usage. It’s going places where this user doesn’t go before.” A security information and event management (SIEM) system sees the authentication succeed. It does not see that behavioral shift. Without what Bernard called “software posture management” covering CX platforms, the lateral movement runs through connections that the security team already approved.

5. Non-technical users hold admin privileges nobody reviews

Marketing, HR and customer success teams configure CX integrations because they need speed, but the SOC team may never see them. Security has to be an enabler, Keren says, or teams route around it. Any organization that cannot produce a current inventory of every CX platform integration and the admin credentials behind them has shadow admin exposure.

6. Open-text feedback hits the database before PII gets masked

Employee surveys capture complaints about managers by name, salary grievances and health disclosures. Customer feedback is just as exposed: account details, purchase history, service disputes. None of this hits a structured PII classifier because it arrives as free text. If a breach exposes it, attackers get unmasked personal information alongside the lateral movement path.

Nobody owns this gap

These six failures share a root cause: SaaS security posture management has matured for Salesforce, ServiceNow, and other enterprise platforms. CX platforms never got the same treatment. Nobody monitors user activity, permissions or configurations inside an experience management platform, and policy enforcement on AI workflows processing that data does not exist. When bot-driven input or anomalous data exports hit the CX application layer, nothing detects them.

Security teams are responding with what they have. Some are extending SSPM tools to cover CX platform configurations and permissions. API security gateways offer another path, inspecting token scopes and data flows between CX platforms and downstream systems. Identity-centric teams are applying CASB-style access controls to CX admin accounts.

None of those approaches delivers what CX-layer security actually requires: continuous monitoring of who is accessing experience data, real-time visibility into misconfigurations before they become lateral movement paths, and automated protection that enforces policy without waiting for a quarterly review cycle.

The first integration purpose-built for that gap connects posture management directly to the CX layer, giving security teams the same coverage over program activity, configurations, and data access that they already expect for Salesforce or ServiceNow. CrowdStrike’s Falcon Shield and the Qualtrics XM Platform are the pairing behind it. Security leaders VentureBeat interviewed said this is the control they have been building manually — and losing sleep over.

The blast radius security teams are not measuring

Most organizations have mapped the technical blast radius. “But not the business blast radius,” Keren said. When an AI engine triggers a compensation adjustment based on poisoned data, the damage is not a security incident. It is a wrong business decision executed at machine speed. That gap sits between the CISO, the CIO and the business unit owner. Today no one owns it.

“When we use data to make business decisions, that data must be right,” Keren said.

Run the audit, and start with the zombie tokens. That is where Drift-scale breaches begin. Start with a 30-day validation window. The AI will not wait.

Nvidia is stepping up efforts to court India’s artificial intelligence startups earlier in their lifecycle, unveiling a string of partnerships this week aimed at reaching founders even before their companies are formally established. The push is intended to help the AI chipmaker cultivate relationships with future customers in one of the world’s fastest-growing developer markets.

The latest move comes through a partnership with early-stage venture firm Activate, which plans to back about 25 to 30 AI startups from its $75 million debut fund while giving portfolio companies preferential access to Nvidia’s technical expertise. The collaboration follows other India-focused efforts unveiled this week, including work with nonprofit AI Grants India to support early-stage founders and new ties with venture firms focused on the South Asian nation.

The flurry of activity comes as India hosts its AI Impact Summit in New Delhi, drawing top technology companies including OpenAI, Anthropic, and Google. Nvidia Chief Executive Jensen Huang was slated to attend but skipped the event due to what the company called unforeseen circumstances. A senior delegation led by executive vice president Jay Puri attended in his place, meeting AI researchers, startups, developers, and partners on the ground.

India has emerged as one of the fastest-growing pools of AI developers and startups, making it an increasingly important market for Nvidia as it looks to expand adoption of chips and computing software. By working more closely with founders at the earliest stages, the company is positioning itself to capture long-term demand as new AI-native companies scale.

Aakrit Vaish, founder of Activate, said Nvidia’s engagement with startups in India has historically been relatively light-touch compared with the U.S., but the chipmaker is now looking to work with founders much earlier in their journey. Activate aims to leverage that shift by connecting portfolio startups directly with Nvidia experts.

The VC firm, which Vaish describes as focused on “inception investing,” meets technical teams months before company formation and works closely with them as they grow. Its backers include venture capitalist Vinod Khosla, Perplexity co-founder Aravind Srinivas, Peak XV managing director Shailendra Singh, and Paytm CEO Vijay Shekhar Sharma, underlining the prominent network Activate is assembling around its early-stage strategy.

For Nvidia, the logic behind partnering with an early-stage venture firm is straightforward: the earlier it builds relationships with promising AI startups, the more likely those companies are to rely on its computing infrastructure as they scale. Vaish told TechCrunch that growing startups typically consume increasing amounts of AI compute over time, making early technical engagement valuable for the chipmaker as a way of generating future business.

Nvidia already has a sizable presence in the country through its Inception program, which supports more than 4,000 startups in India. This week, the chipmaker also expanded its local ecosystem ties, including partnerships with venture firms such as Accel, Peak XV, Z47, Elevation Capital, and Nexus Venture Partners to identify and fund AI startups. It separately teamed up with AI Grants India, co-founded by Vaibhav Domkundwar and Bhasker (Bosky) Kode, to support more than 10,000 early-stage founders over the next 12 months.

The company has also been broadening its startup outreach in India over time. In November 2025, Nvidia joined the India Deep Tech Alliance, a consortium of U.S. and Indian investors including Accel, Blume Ventures, Premji Invest, and Celesta Capital, to provide strategic and technical guidance to emerging startups in the country.

Vaish said Activate’s partnership with Nvidia is designed to provide a more curated layer on top of the company’s broad-based Inception program, which serves thousands of startups globally. By serving as an early filter for high-potential technical teams, Activate aims to give its portfolio companies more direct, timely access to Nvidia’s engineering expertise.

The stepped-up activity underscores intensifying competition among global technology firms to court AI developers and startups in India, which has become one of the fastest-growing pools of technical talent outside the U.S.

More money has been invested in AI than it took to land on the moon. Spending on the technology this year is projected to reach up to $700 billion, almost double last year’s spending. Part of the impetus for this frantic outlay is a conviction among investors and policymakers in the United States that it needs to “beat China.” Indeed, headlines have long cast AI development as a zero-sum rivalry between the U.S. and China, framing the technology’s advance as an arms race with a defined finish line. The narrative implies speed, symmetry, and a common objective.

But a closer look at AI development in the two countries shows they’re not only not racing toward the same finish line: “The U.S. and China are running in very different lanes,” says Selina Xu, who leads China and AI policy research for Eric Schmidt, the tech investor, philanthropist and former Google chief, in New York City. “The U.S. is doubling down on scaling,” in pursuit of artificial general intelligence (AGI) Xu says, “while for China it’s more about boosting economic productivity and real-world impact.”

Lumping the U.S. and China onto a single AI scoreboard isn’t just inaccurate, it can impact policy and business decisions in a harmful way. “An arms race can become a self-fulfilling prophecy,” Xu says. “If companies and governments all embrace a ‘race to the bottom’ mentality, they will eschew necessary security and safety guardrails for the sake of being ahead. That increases the odds of AI-related crises.”

Where’s the Real Finish Line?

As machine learning advanced in the 2010s, prominent public figures such as Stephen Hawking and Elon Musk warned that it would be impossible to separate AI’s general-purpose potential from its military and economic implications, echoing Cold War–era frameworks for strategic competition. “An arms race is an easy way to think about this situation even if it’s not exactly right,” says Karson Elmgren, a China researcher at the Institute for AI Policy and Strategy, a think tank in San Francisco. Frontier labs, investors, and media benefit from simple, comparable progress metrics, like larger models, better benchmarks, and more computing power, so they favor and compound the arms race framing.

Artificial general intelligence is the implied “finish line” if AI is an arms race. But one of the many problems with an AGI finish line is that by its very nature, a machine superintelligence would be smarter than humans and therefore impossible to control. “If superintelligence were to emerge in a particular country, there’s no guarantee that that country’s interests are going to win,” says Graham Webster, a China researcher at Stanford University, in Palo Alto, California.

An AGI finish line also assumes the U.S. and China are both optimizing for this goal and putting the majority of their resources towards it. This isn’t the case, as the two countries have starkly different economic landscapes.

When Is the Payoff?

After decades of rapid growth, China is now facing a grimmer reality. “China has been suffering through an economic slowdown for a mixture of reasons, from real estate to credit to consumption and youth unemployment,” says Xu, adding that the country’s leaders have been “trying to figure out what is the next economic driver that can get China to sustain its growth.”

Enter AI. Rather than pouring resources into speculative frontier models, Beijing has a pressing incentive to use the technology as a more immediate productivity engine. “In China we define AI as an enabler to improve existing industry, like healthcare, energy, or agriculture,” says AI policy researcher Liang Zheng, of Tsinghua University in Beijing, China. “The first priority is to use it to benefit ordinary people.”

To that end, AI investment in China is focused on embedding the technology into manufacturing, logistics, energy, finance, and public services. “It’s a long-term structural change, and companies must invest more in machines, software, and digitalization,” Liang says. “Even very small and medium enterprises are exploring use of AI to improve their productivity.”

China’s AI Plus initiative encourages using AI to boost efficiency. “Having a frontier technology doesn’t really move China towards an innovation-led developed economy,” says Kristy Loke, a fellow at MATS Research who focuses on China’s AI innovation and governance strategies. Instead, she says, “It’s really important to make sure that [these tools] are able to meet the demands of the Chinese economy, which are to industrialize faster, to do more smart manufacturing, to make sure they’re producing things in competitive processes.”

Automakers have embraced intelligent robots in “dark factories” with minimal human intervention; as of 2024, China had around five times more factory robots in use than the U.S. “We used to use human eyes for quality control and it was very inefficient,” says Liang. Now, computer vision systems detect errors and software predicts equipment failures, pausing production and scheduling just-in-time maintenance. Agricultural models advise farmers on crop selection, planting schedules, and pest control.

In healthcare, AI tools triage patients, interpret medical images, and assist diagnoses; Tsinghua is even piloting an AI “Agent Hospital” where physicians work alongside virtual clinical assistants. “In hospitals you used to have to wait a long time, but now you can use your agent to make a precise appointment,” Liang says. Many such applications use simpler “narrow AI” designed for specific tasks.

AI is also increasingly embedded across industries in the U.S., but the focus tends toward service-oriented and data-driven applications, leveraging large language models (LLMs) to handle unstructured data and automate communication. For example, banks use LLM-based assistants to help users manage accounts, find transactions, and handle routine requests; LLMs help healthcare professionals extract information from medical notes and clinical documentation.

“LLMs as a technology naturally fit the U.S. service-sector-based economy more so than the Chinese manufacturing economy,” Elmgren says.

Competition and cooperation

The U.S. and China do compete more or less head-to-head in some AI-related areas, such as the underlying chips. The two have grappled to gain enough control over their supply chains to ensure national security, as recent tariff and export control fights have shown. “I think the main competitive element from a top level [for China] is to wriggle their way out of U.S. coercion over semiconductors. They want to have an independent capability to design, build, and package advanced semiconductors,” Webster says.

Military applications of AI are also a significant arena of U.S.–China competition, with both governments aiming to speed decision-making, improve intelligence, and increase autonomy in weapons systems. The U.S. Department of Defense launched its AI Acceleration Strategy last month, and China has explicitly integrated AI into its military modernization strategy under its policy of military-civil fusion. “From the perspective of specific military systems, there are incremental advantages that one side or the other can gain,” Webster says.

Despite China’s commitment to military and industrial applications, it has not yet picked an AI national champion. “After Deepseek in early 2025 the government could have easily said, ‘You guys are the winners, I’ll give you all the money, please build AGI,’ but they didn’t. They see being ‘close enough’ to the technological frontier as important, but putting all eggs in the AGI basket as a gamble,” Loke says.

American companies are also still working with Chinese technology and workers, despite a slow uncoupling of the two economies. Though it may seem counterintuitive, more cooperation—and less emphasis on cutthroat competition—could yield better results for all. “For building more secure, trustworthy AI, you need both U.S. and Chinese labs and policymakers to talk to each other, to reach consensus on what’s off limits, then compete within those boundaries,” Xu says. “The arms race narrative also just misses the actual on-the-ground reality of companies co-opting each other’s approaches, the amount of research that gets exchanged in academic communities, the supply chains and talent that permeates across borders, and just how intertwined the two ecosystems are.”

Sharp has unveiled its Celerity High-Speed Oven at KBIS 2026 and introduced a new “Golden Heater” system that aims to reduce cooking times significantly while maintaining the texture and browning expected from a conventional oven.

The 30-inch wall oven combines the Golden Heater with True European Convection and inverter-controlled microwave power, creating a hybrid cooking approach that blends radiant heat, circulating air and microwave energy in one cavity.

Sharp states that the system can cook a whole chicken up to three times faster than a conventional oven, reflecting a broader industry push toward time-saving appliances that merge multiple cooking technologies.

Hybrid ovens have gained traction as households prioritise speed and versatility over single-function appliances, especially in kitchens where space constraints limit the number of dedicated cooking devices.