// Alert

Gemini threat report

// GeminiMEDIUM

Google Threat Intelligence Group (GTIG) published a May 11, 2026 report documenting ongoing abuse of the Gemini service by criminal and state-sponsored threat actors. PRC-linked group APT27 used Gemini to accelerate development of a network management tool for an operational relay box network configured to route traffic through residential IPs. The ESET-identified Android backdoor PROMPTSPY integrates the Gemini API into an autonomous agent module, sending live UI layouts to Gemini and receiving back tap and gesture coordinates to drive on-device actions, capture biometric inputs, and block uninstallation. GTIG also reported that PRC-linked actors are systematically bypassing AI platform billing controls, including a relay service that pools compromised Gemini, Claude, and OpenAI accounts to distribute access and costs. Google states no PROMPTSPY-containing apps are present on Google Play and that Play Protect mitigates the Android threat; the underlying AI-developed zero-day discussed in the same report did not involve Gemini.

// Get alerts for Gemini