New LunaSpy Malware Disguised as Antivirus Threatens Android Devices

In a new wave of mobile threats, security researchers have uncovered LunaSpy, a sophisticated Android spyware masquerading as legitimate antivirus and banking protection tools.

Since emerging in late February 2025, LunaSpy has been distributed via messaging platforms such as Telegram and WhatsApp, duping users into installing a seemingly trustworthy security app.

Once activated, it not only fabricates alarming threat reports but also exfiltrates sensitive data and monitors nearly every aspect of the victim’s smartphone activity.

Campaigns begin with unsolicited messages reading, “Hi, install this program here,” often sent from hacked or spoofed accounts.

Alternatively, malware-laden APK files appear in newly created or hijacked Telegram channels that claim to offer official software downloads.

Victims who click the provided link are prompted to sideload an APK—by default disabled on Android—after which the fake antivirus launches an elaborate ruse.

A credible-looking user interface simulates a deep system scan, invariably concluding that dozens or even hundreds of threats have been detected.

Alarmed, users grant the app extensive permissions under the guise of cleaning their device, unwittingly handing over control of cameras, microphones, messages, and more.

Data Theft Capabilities

According to Report, LunaSpy exploit the inherent trust users place in familiar contacts and popular messaging channels.

Far from harmless, LunaSpy leverages granted privileges to orchestrate comprehensive espionage:

Audio, Video, and Screen Capture: The malware remotely activates microphones and cameras to record conversations and surroundings. It can also record ongoing screen activity, capturing passwords and private chats.
Messaging and Browser Data Exfiltration: Newer versions of LunaSpy target credentials stored in mobile browsers and intercept messages from popular messenger apps, enabling account takeovers.
Personal Records and Commands: Call logs, contact lists, SMS messages, and geolocation information are routinely harvested. The malware can even execute arbitrary shell commands to expand its reach or disable competing security tools.
Modular Expansion: Researchers have identified dormant code for extracting photos from the device gallery—likely to be activated in future updates.

All stolen data is transmitted to the attacker’s network of approximately 150 command-and-control domains and IP addresses, illustrating a broad and resilient infrastructure designed to evade takedown efforts.

Protecting Your Android Device

By refusing to sideload unverified apps, carefully managing permissions, and relying on established security solutions, Android users can safeguard their personal data against LunaSpy and future spyware threats.

Given LunaSpy’s deceptive tactics, Android users must adopt stricter security hygiene:

Avoid Third-Party APKs
Refrain from installing applications from unknown sources, especially those received via messaging services. Android’s “Install Unknown Apps” setting should remain disabled unless absolutely necessary—and even then, only re-enabled briefly for trusted installs.
Scrutinize App Permissions
Legitimate antivirus solutions rarely require unrestricted access to camera, microphone, or SMS logs. If an app requests extensive privileges without a clear functional justification, deny the request or uninstall the app immediately.
Rely on Proven Security Software
Deploy reputable mobile security suites—such as Kaspersky for Android—to detect and block spyware in real time. Regularly update these apps to stay protected against emerging threats like LunaSpy.
Maintain Good Password Hygiene
Utilize dedicated password managers to store credentials securely, minimizing the risk posed by browser-based password theft. Enable two-factor authentication (2FA) on critical accounts whenever possible.
Verify Publisher Authenticity
Before downloading any new security app, confirm the developer’s reputation through official app stores and trusted review sites. Be wary of “exclusive” or “new” antivirus software with little online footprint.

As mobile spyware campaigns grow more intricate, vigilance and adherence to fundamental security practices remain the most effective defenses.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.

Ethan Brooks

Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.