VNCSpy is an Android malware family identified by ESET in February 2026, with samples first appearing on VirusTotal on 2026-01-13 (three uploads reported from Hong Kong). ESET describes VNCSpy as the earlier/less advanced version of a related family later dubbed PromptSpy; both families include a VNC component that can provide operators full remote access to compromised Android devices once victims enable Android Accessibility Services. The more advanced PromptSpy samples (uploaded to VirusTotal on 2026-02-10 from Argentina) are described as being based on VNCSpy and adding additional functionality (notably Gemini-assisted UI automation for persistence), but the shared core capability explicitly attributed to VNCSpy in the provided content is the embedded VNC-based remote control enabled via Accessibility permissions. No additional VNCSpy-specific distribution details, targeting, or distinct IOCs beyond the VirusTotal upload timing/origin are directly stated in the provided content.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct technique documented for this family, organized by ATT&CK tactic.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Previously unknown Android malware assessed as a precursor/earlier version of PromptSpy; associated with VNC-based remote access capability (per naming and relationship described).
Earlier/less advanced Android malware variant related to PromptSpy that includes a VNC component enabling full remote access/control of the device after Accessibility Services are enabled.
Earlier/less-advanced version of the PromptSpy Android malware family, characterized by VNC-based remote access capabilities and later serving as the base for more advanced variants (PromptSpy) that add Gemini-assisted persistence and additional anti-removal behaviors.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.