
New LunaSpy Malware Masquerades as Antivirus to Target Android Users


A sophisticated new malware campaign has emerged targeting Android smartphone users through messaging platforms, with cybercriminals distributing spyware disguised as legitimate antivirus and banking protection applications.

The malicious software, identified as LunaSpy, has been active since at least February 2025 and employs social engineering tactics to trick victims into granting extensive device permissions under the pretense of security scanning.

Distribution Methods and Social Engineering Tactics

LunaSpy infiltrates Android devices through carefully orchestrated messenger-based attacks that exploit users’ security concerns.

The malware spreads via two primary vectors: direct messages from either unknown contacts or compromised accounts of trusted individuals, and through newly created Telegram channels that promote the fake security software.

Once installed, the fraudulent application mimics genuine antivirus behavior by conducting mock system scans and displaying alarming numbers of fabricated threats.

This deception plays on fear: victims grant comprehensive device permissions because they believe the fake threats are real and that the app is protecting their smartphone.

The fake antivirus interface creates an illusion of thorough security analysis while establishing backdoor access for data exfiltration operations.

The campaign’s distribution infrastructure demonstrates remarkable sophistication, with attackers utilizing approximately 150 different command-and-control (C&C) server domains and IP addresses.

This extensive network architecture suggests a well-resourced operation designed to evade detection and maintain persistent communication channels with infected devices.

Advanced Surveillance Capabilities

LunaSpy’s feature set encompasses comprehensive surveillance capabilities that extend far beyond typical mobile malware.

The spyware can execute arbitrary shell commands, enabling remote system manipulation and potential privilege escalation.

Its data harvesting capabilities include password extraction from browsers and messaging applications, audio and video recording through device microphones and cameras, and complete access to text messages, call logs, and contact directories.

Additional surveillance functions include real-time geolocation tracking and screen recording capabilities, while dormant code suggests future implementation of gallery photo theft functionality.

The malware’s modular architecture allows for capability expansion through remote updates via the C&C infrastructure.

Security experts recommend implementing multi-layered protection strategies to mitigate LunaSpy infections.

Critical preventive measures include disabling the installation of unknown applications from sources outside official app stores, conducting thorough permission audits before granting application access, and avoiding APK file downloads from messaging platforms regardless of sender credibility.

Organizations should deploy reputable mobile security solutions capable of detecting advanced persistent threats and maintain updated threat intelligence feeds to identify emerging malware signatures.
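The permission audit recommended above is something a defender can script rather than do by hand. The following Python example is an added illustration, not code from the article or from any vendor it cites: it parses a simplified, constructed text dump loosely modelled on `adb shell dumpsys package` output (the exact field names and layout are an assumption for this example) and flags apps that were not installed by a trusted store and that hold a combination of the runtime permissions matching the spying functions described in the article (microphone, camera, SMS, call log, contacts, location). The trusted-installer list, the permission set and the threshold are assumptions a reader would tune for their own fleet.

```python
"""Sideload-and-permission triage for Android (added example, not from the article).

Parses a simplified package dump and reports apps that were sideloaded (no
trusted installer recorded) and hold several surveillance-grade permissions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Installer package names treated as trusted stores (assumption for this example):
# Google Play and Samsung Galaxy Store.
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Runtime permissions that together cover the spyware capabilities the article lists.
SENSITIVE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
}

# Constructed sample dump, loosely modelled on `dumpsys package` output. The package
# names are invented; the first one mimics a fake "bank shield" app that was sideloaded.
SAMPLE_DUMP = """\
Package [com.example.bank.shield] (constructed sample):
  installerPackageName=null
  runtime permissions:
    android.permission.RECORD_AUDIO: granted=true
    android.permission.CAMERA: granted=true
    android.permission.READ_SMS: granted=true
    android.permission.ACCESS_FINE_LOCATION: granted=true
    android.permission.READ_CONTACTS: granted=false
Package [com.example.notes] (constructed sample):
  installerPackageName=com.android.vending
  runtime permissions:
    android.permission.CAMERA: granted=true
Package [com.example.flashlight] (constructed sample):
  installerPackageName=null
  runtime permissions:
    android.permission.CAMERA: granted=true
"""


@dataclass
class AppRecord:
    package: str
    installer: Optional[str] = None          # None means no installer recorded (sideloaded)
    granted: set = field(default_factory=set)  # runtime permissions with granted=true


PACKAGE_RE = re.compile(r"^Package \[([\w.]+)\]")
INSTALLER_RE = re.compile(r"^\s*installerPackageName=(\S+)")
PERM_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=(true|false)")


def parse_dump(text: str) -> List[AppRecord]:
    """Turn the text dump into one AppRecord per package, keeping only granted permissions."""
    records: List[AppRecord] = []
    current: Optional[AppRecord] = None
    for line in text.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            current = AppRecord(package=m.group(1))
            records.append(current)
            continue
        if current is None:
            continue  # ignore anything before the first package header
        m = INSTALLER_RE.match(line)
        if m:
            current.installer = None if m.group(1) == "null" else m.group(1)
            continue
        m = PERM_RE.match(line)
        if m and m.group(2) == "true":
            current.granted.add(m.group(1))
    return records


def audit(records: List[AppRecord], threshold: int = 2) -> List[dict]:
    """Flag sideloaded apps holding at least `threshold` sensitive permissions."""
    findings = []
    for app in records:
        if app.installer in TRUSTED_INSTALLERS:
            continue  # store-installed apps are left to the store's own review
        risky = sorted(app.granted & SENSITIVE_PERMISSIONS)
        if len(risky) >= threshold:
            findings.append({
                "package": app.package,
                "installer": app.installer or "sideloaded/unknown",
                "permissions": risky,
            })
    return findings


if __name__ == "__main__":
    for finding in audit(parse_dump(SAMPLE_DUMP)):
        print(f"{finding['package']} ({finding['installer']}): {', '.join(finding['permissions'])}")
```

On the constructed sample only the fake "bank shield" app is reported: the store-installed notes app is skipped regardless of its camera permission, and the sideloaded flashlight holds a single sensitive permission, below the threshold. In a real audit the dump would come from `adb shell dumpsys package <package>` per app (or an MDM export), and the threshold and installer list would be adjusted to the organisation's own policy.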
