LunaSpy hides as a spyware antivirus on Android | Kaspersky official blog

In the pursuit of security, many folks are ready to install any app that promises reliable protection from malware and scammers. It’s this fear that’s skillfully used by the creators of new mobile spyware distributed through messengers under the guise of an antivirus. After installation, the fake antivirus imitates the work of a genuine one, scanning the device and even reporting a frightening number of “threats found”. Of course, no real threats are detected; what the app really does is spy on the owner of the infected smartphone.

How the new malware works and how to protect yourself from it is what we’ll be telling you about today.

How the spyware gets into your phone

We’ve discovered a new malware campaign targeting Android users. It’s been active since at least the end of February 2025. The spyware gets into smartphones through messengers, disguised not only as an antivirus but also as banking protection tools. It can look like this, for example:

  • “Hi, install this program here.” A potential victim can receive a message suggesting they install software, sent either by a stranger or from the hacked account of a person in their contacts (which is how, for example, Telegram accounts are hijacked).
  • “Download the app in our channel”. New channels appear in Telegram every second, so it’s quite possible that some of them may distribute malware under the guise of legitimate software.

After installation, the fake security app shows the number of detected threats on the device in order to force the user to grant all possible permissions, supposedly to save the smartphone. In this way, the victim gives the app access to all personal data without realizing the real motives of the fake AV.

What LunaSpy can do

The capabilities of the spyware are constantly increasing. For example, the latest version we found has the ability to steal passwords from both browsers and messengers. This, by the way, is another reason to start using password managers if you haven’t already done so. What else can LunaSpy do?

  • Record audio and video from the microphone and camera.
  • Read texts, the call log, and contact list.
  • Run arbitrary shell commands.
  • Track geolocation.
  • Record the screen.

We also discovered malicious code responsible for stealing photos from the gallery, but it’s not being used yet. All the information collected by the malware is sent to the attackers via command-and-control servers. What’s surprising is that there are around 150 different domains and IP addresses associated with this spyware — all of them command-and-control servers.

How to protect your devices

We assume that this spyware is used by attackers as an auxiliary tool, so for now it doesn’t compete with big players like SparkCat. Nevertheless, you should protect yourself from LunaSpy as best you can, just as you do with other threats.
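
An added example, not from the original post: a defender-side triage script that flags apps installed from outside Google Play which hold several of the runtime permissions behind the capabilities listed above. The permission mapping, the threshold, the package names and the sample text (constructed in the style of `adb shell dumpsys package` output) are assumptions of this example.

```python
import re

# Runtime permissions behind the capabilities listed above (mapping is this example's assumption).
WATCHED = {"RECORD_AUDIO": "microphone", "CAMERA": "camera", "READ_SMS": "texts",
           "READ_CALL_LOG": "call log", "READ_CONTACTS": "contacts",
           "ACCESS_FINE_LOCATION": "geolocation"}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; assumption, extend as needed
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
INSTALLER_RE = re.compile(r"^\s*installerPackageName=(\S+)")
GRANT_RE = re.compile(r"^\s*android\.permission\.([A-Z_]+): granted=true")

def audit(dump_text, threshold=4):
    """Return (package, installer, granted capabilities) for apps worth a manual look."""
    apps, current = {}, None
    for line in dump_text.splitlines():
        if m := PKG_RE.match(line):
            current = apps.setdefault(m.group(1), {"installer": None, "granted": set()})
        elif current and (m := INSTALLER_RE.match(line)):
            current["installer"] = m.group(1)
        elif current and (m := GRANT_RE.match(line)) and m.group(1) in WATCHED:
            current["granted"].add(WATCHED[m.group(1)])
    return [(pkg, app["installer"], sorted(app["granted"])) for pkg, app in sorted(apps.items())
            if app["installer"] not in TRUSTED_INSTALLERS and len(app["granted"]) >= threshold]

# Constructed sample in the style of `adb shell dumpsys package` output (not real device data).
SAMPLE = """\
Package [com.example.fakeav] (1a2b3c):
  installerPackageName=null
  runtime permissions:
    android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
    android.permission.CAMERA: granted=true, flags=[ USER_SET ]
    android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
    android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
    android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
Package [com.example.videochat] (4d5e6f):
  installerPackageName=com.android.vending
  runtime permissions:
    android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
    android.permission.CAMERA: granted=true, flags=[ USER_SET ]
    android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
    android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
Package [com.example.notes] (7a8b9c):
  installerPackageName=null
  runtime permissions:
    android.permission.CAMERA: granted=true, flags=[ USER_SET ]
    android.permission.READ_SMS: granted=false, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Screen recording and shell command execution are not gated by a runtime permission, so this check does not see them; a hit is a prompt for manual review, not a verdict.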
