Fake Antivirus App Delivers LunaSpy Malware to Android Devices

A sophisticated cybercrime campaign has been discovered targeting Android users through fake antivirus applications that actually deliver LunaSpy spyware to victims’ devices.

Security researchers have identified this malicious operation as an active threat that exploits users’ security concerns to gain unauthorized access to personal data and device functions.

The LunaSpy malware campaign has been operating since at least February 2025, spreading primarily through popular messaging applications.

Cybercriminals employ social engineering tactics by distributing the malicious software under the guise of legitimate antivirus and banking protection tools.

Victims typically receive messages from either unknown contacts or compromised accounts belonging to people in their contact lists, with simple instructions like “Hi, install this program here” accompanied by download links.

The malware also spreads through newly created Telegram channels that masquerade as legitimate software distribution platforms.

These channels appear frequently and can easily deceive users seeking security solutions for their mobile devices.

The attackers capitalize on users’ fear of malware infections and their willingness to install any application promising comprehensive protection.

Deceptive Installation Process

Once installed, the fake antivirus application performs convincing imitations of legitimate security software.

The malicious app conducts mock device scans and presents users with alarming reports indicating numerous detected threats on their smartphones.

These fabricated results are designed to frighten users into granting extensive permissions to the application, supposedly to enable it to remove the non-existent threats and protect the device.

This deceptive approach effectively manipulates victims into voluntarily providing the malware with access to all personal data stored on their devices, including sensitive information like passwords, messages, and financial details.

The latest versions of LunaSpy demonstrate increasingly sophisticated capabilities that enable comprehensive surveillance of infected devices.

The malware can steal passwords from both web browsers and messaging applications, highlighting the importance of using dedicated password management tools for enhanced security.

LunaSpy’s surveillance arsenal includes the ability to record audio and video through device microphones and cameras, access text messages and call logs, read contact lists, and execute arbitrary shell commands.

The spyware also tracks users’ geographical locations and can record screen activity in real time.

Researchers have discovered dormant code within the malware designed to steal photos from device galleries, though this functionality has not yet been activated in current campaigns.

All collected information is transmitted to attackers through an extensive network of approximately 150 different domains and IP addresses serving as command-and-control servers.

Users can protect themselves by avoiding software installations from unofficial sources, carefully scrutinizing unexpected download requests, and using reputable security solutions from established vendors.

Regular security awareness and cautious online behavior remain the most effective defenses against such sophisticated social engineering attacks.
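As an added example (not from the original article or the researchers), the following sketch audits a device inventory for apps installed outside a trusted store that hold several of the permissions matching the capabilities described above. The package names, the sample data (written in the style of `dumpsys package` permission lines), and the threshold of four are constructed assumptions, not LunaSpy indicators.

```python
import re

# Runtime permissions matching the capabilities the article attributes to LunaSpy.
SURVEILLANCE_PERMS = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend per policy
GRANTED = re.compile(r"(android\.permission\.[A-Z_]+): granted=true")

def audit(apps, threshold=4):
    """Return (package, installer, capabilities) for apps from untrusted
    installers holding >= threshold surveillance-relevant granted permissions."""
    findings = []
    for pkg, (installer, dump) in apps.items():
        if installer in TRUSTED_INSTALLERS:
            continue
        held = sorted({SURVEILLANCE_PERMS[p] for p in GRANTED.findall(dump)
                       if p in SURVEILLANCE_PERMS})
        if len(held) >= threshold:
            findings.append((pkg, installer, held))
    return findings

# Constructed sample: package -> (installer or None if sideloaded, permission dump).
SAMPLE = {
    "com.example.shield": (None, """
      android.permission.RECORD_AUDIO: granted=true
      android.permission.CAMERA: granted=true
      android.permission.READ_SMS: granted=true
      android.permission.READ_CALL_LOG: granted=true
      android.permission.READ_CONTACTS: granted=true
      android.permission.ACCESS_FINE_LOCATION: granted=false
    """),
    "com.example.maps": ("com.android.vending", """
      android.permission.ACCESS_FINE_LOCATION: granted=true
      android.permission.CAMERA: granted=true
    """),
    "com.example.notes": (None, """
      android.permission.CAMERA: granted=true
    """),
}

if __name__ == "__main__":
    for pkg, installer, held in audit(SAMPLE):
        print(f"{pkg} (installer={installer}): {', '.join(held)}")
```

A hit is a prompt for review rather than a verdict, since legitimate sideloaded apps can also hold broad permissions.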
