Google's Threat Intelligence Group has confirmed what cybersecurity researchers have been warning about for two years: criminals are now using AI to build working zero-day exploits. In a report published this week, GTIG revealed it intercepted a Python-based exploit — developed with the assistance of a large language model — that bypasses two-factor authentication on a popular open-source web administration tool. The unnamed cybercrime group had been planning a mass exploitation campaign before Google's proactive discovery shut it down.
That alone would be significant. But the same GTIG report documents something arguably more unsettling: an Android backdoor called PROMPTSPY that autonomously uses Google's own Gemini API to navigate devices, simulate user gestures, and replay stolen authentication credentials. Taken together, these developments mark the moment AI-powered offence moved from theoretical to operational — and every business running internet-facing software needs to understand the implications.
What Google actually found
The zero-day exploit targeted a semantic logic flaw — not a memory corruption bug or input sanitisation error, but a high-level reasoning mistake where a developer hardcoded a trust assumption that contradicted the application's 2FA enforcement logic. This is precisely the kind of vulnerability that traditional scanners miss but frontier LLMs excel at identifying.
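The class of flaw described above, as an added illustration constructed for this page (not the intercepted exploit and not the affected tool's code): a hardcoded trust shortcut beside the corrected check, with an exhaustive invariant test that exposes the difference. All names, including from_trusted_source, are hypothetical.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class LoginAttempt:
    """Constructed model of one login request (all fields hypothetical)."""
    password_ok: bool
    totp_ok: bool
    user_has_2fa: bool
    from_trusted_source: bool  # flag the app derives from the request's origin


def grants_session_flawed(a: LoginAttempt) -> bool:
    """'Before' form: a hardcoded trust assumption short-circuits 2FA."""
    if not a.password_ok:
        return False
    if a.from_trusted_source:  # assumption baked in: trusted origin needs no 2FA
        return True
    return a.totp_ok or not a.user_has_2fa


def grants_session_fixed(a: LoginAttempt) -> bool:
    """Hardened form: only 2FA enrolment decides whether TOTP is required."""
    if not a.password_ok:
        return False
    if a.user_has_2fa:
        return a.totp_ok
    return True


def invariant_violations(policy):
    """Try every input combination; return the attempts where a session is
    granted to a 2FA-enrolled user without a valid second factor."""
    bad = []
    for pw, totp, enrolled, trusted in product([False, True], repeat=4):
        a = LoginAttempt(pw, totp, enrolled, trusted)
        if policy(a) and enrolled and not totp:
            bad.append(a)
    return bad


if __name__ == "__main__":
    print("flawed:", invariant_violations(grants_session_flawed))
    print("fixed: ", invariant_violations(grants_session_fixed))
```

Both functions are syntactically clean and memory-safe, so pattern-based scanning has nothing to flag; only a test that states the 2FA invariant explicitly separates them.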
Google's researchers spotted the AI fingerprints through several telltale artifacts in the code: educational docstrings explaining each function in textbook detail, a hallucinated CVSS score that doesn't exist in any vulnerability database, and structured Python formatting characteristic of LLM training data. GTIG is confident Gemini was not the model used, but declined to identify which LLM was involved.
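A triage sketch for the artifacts listed above, added here and not taken from GTIG's tooling: it measures docstring coverage and length with Python's ast module and extracts CVSS score claims so an analyst can check them against a vulnerability database. The sample input and the regular expression are constructed; the output is a set of weak signals for prioritising review, not attribution.

```python
import ast
import re

# Constructed, harmless sample showing the "textbook docstring" style.
SAMPLE = '''"""Configuration checker. CVSS score: 9.1 (Critical)."""

def load_config(path):
    """Load the configuration file.

    Args:
        path: Location of the file on disk.

    Returns:
        The file contents as a string.
    """
    with open(path) as fh:
        return fh.read()

def is_enabled(text):
    """Check whether the feature flag is enabled.

    Args:
        text: Raw configuration text.

    Returns:
        True if the flag is present.
    """
    return "enabled=true" in text
'''

# Matches e.g. "CVSS score: 9.1" or "CVSS v3.1 base score = 7.5" (assumed phrasing).
CVSS_RE = re.compile(
    r"CVSS(?:\s*v?\d\.\d)?\s*(?:base\s+)?score\s*[:=]?\s*(\d{1,2}\.\d)", re.I)


def triage(source: str) -> dict:
    """Return docstring statistics and any CVSS score claims found in source."""
    tree = ast.parse(source)
    funcs = [n for n in ast.walk(tree)
             if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))]
    docs = [d for d in (ast.get_docstring(f) for f in funcs) if d]
    return {
        "functions": len(funcs),
        "docstring_coverage": len(docs) / len(funcs) if funcs else 0.0,
        "avg_docstring_lines":
            sum(len(d.splitlines()) for d in docs) / len(docs) if docs else 0.0,
        "cvss_claims": CVSS_RE.findall(source),  # verify each by hand
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```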
"We finally uncovered some evidence this is happening," said John Hultquist, Chief Analyst at Google Threat Intelligence Group. "This is probably the tip of the iceberg and it's certainly not going to be the last."
The threat group behind the exploit has a "strong record of high-profile incidents and mass exploitation," according to Hultquist — suggesting this isn't an amateur experiment. Google worked with the affected vendor to patch the vulnerability before the planned attack could launch.
PROMPTSPY: when malware thinks for itself
The second revelation in the GTIG report is arguably more consequential for the long term. PROMPTSPY, an Android backdoor first identified by ESET in February 2026, contains an autonomous agent module called "GeminiAutomationAgent" that integrates directly with Google's Gemini API.
Here's how it works: the malware serialises the device's visible user interface into an XML-like format via Android's Accessibility API, then sends this layout data to Gemini's gemini-2.5-flash-lite model. The model returns structured JSON responses specifying exact action types and spatial coordinates — clicks, swipes, and other gestures — which the malware executes without human involvement.
This isn't a chatbot being tricked into giving bad advice. It's malware using an AI model as a real-time decision engine to autonomously navigate a device it has compromised.
PROMPTSPY's capabilities go further still. It can capture and replay biometric authentication data — PINs and lock patterns — to regain access to locked devices. If a user tries to uninstall it, the malware renders an invisible overlay directly over the uninstall button, silently consuming touch events so the button appears unresponsive. Its command-and-control infrastructure, including API keys, can be rotated remotely without redeploying the payload.
Google confirmed no apps containing PROMPTSPY are currently on Google Play, and Android devices with Google Play Services are protected by Play Protect. But as Hultquist told Help Net Security: "Similar malware is in the wild, but it's mostly experimental. We're looking for threat actors to find something that works at scale. Then they'll probably lean into it."
The broader picture: AI offence is outpacing AI defence
These two discoveries sit within a much larger pattern. According to CrowdStrike's 2026 Global Threat Report, AI-enabled attacks surged 89% year-over-year, with average breakout times — the window between initial access and lateral movement — falling to just 29 minutes, 65% faster than the previous year. The fastest observed breakout was 27 seconds.
The same GTIG report catalogues additional AI-powered threats that compound the picture. Chinese and North Korean state-sponsored groups (APT27, APT45, UNC2814) are using AI for vulnerability discovery at industrial scale — one group sent thousands of repetitive prompts to recursively analyse different CVEs and validate proof-of-concept exploits. Russia-nexus actors have deployed malware families called CANFAIL and LONGSTREAM that use AI-generated decoy code to evade detection, with one sample containing 32 separate instances of querying daylight saving time status as functionally irrelevant camouflage.
This follows weeks of heightened concern in the cybersecurity community, including the debut of Anthropic's Mythos, an AI model purpose-built for security research that has already surfaced previously unknown vulnerabilities. The Five Eyes alliance published guidance specifically addressing the security risks of agentic AI systems — guidance that now reads more prescient than precautionary.
What this means for your business
If you're running a business that relies on web-based admin tools, cloud services, or mobile devices — which is essentially every business — the practical implications are immediate.
The 2FA bypass matters because the flaw was a logic error rather than a memory-corruption or input-sanitisation bug, so traditional security scanning wouldn't have caught it. If your organisation relies on open-source web administration tools, check with your vendor whether they've patched against recent disclosures. The specific tool Google flagged remains unnamed, but responsible disclosure means the patch is already available.
PROMPTSPY matters because it demonstrates a new attack paradigm. Malware that can autonomously navigate a device, interpret what's on screen, and execute precise actions — without calling home for instructions — is fundamentally harder to detect and defend against than traditional command-and-control malware. For businesses issuing Android devices to staff, ensuring Google Play Protect is enabled and sideloading is restricted has become non-negotiable.
The speed advantage matters most. When breakout times are measured in seconds rather than hours, the traditional model of "detect and respond" breaks down. Businesses need to think about prevention — least-privilege access, network segmentation, and keeping AI security risks on the board agenda — not just incident response.
What to watch
The GTIG report makes clear this is an inflection point, not a peak. Hultquist described the AI vulnerability race as having "already begun" and expects the capability trajectory to be steep. Three developments are worth monitoring closely.
First, whether the unnamed web administration tool vulnerability leads to copycat exploits targeting similar logic flaws in other open-source tools. AI models are particularly good at this class of bug, and the technique is now proven.
Second, whether PROMPTSPY-style autonomous malware achieves meaningful scale. The architecture is extensible — designed to support multiple types of device interactions beyond the persistence use case documented so far. The moment a threat actor finds a variant that works at scale, they will double down.
Third, the defensive AI response. Google's own Big Sleep AI agent found a zero-day vulnerability in late 2024, and its CodeMender agent can automatically fix security flaws. The question is whether these defensive tools can keep pace with the offensive applications now appearing in the wild. For now, the attackers have the initiative.
Sources
- Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access — Google Cloud Blog / GTIG
- Google spotted an AI-developed zero-day before attackers could use it — CyberScoop
- Google stopped a zero-day hack that it says was developed with AI — The Verge
- Google researchers uncover criminal zero-day exploit likely built with AI — Help Net Security
- Google: Hackers used AI to develop zero-day exploit for web admin tool — Bleeping Computer
- 2026 CrowdStrike Global Threat Report — CrowdStrike
