Kaspersky finds LunaSpy Android spyware
- Kaspersky said on August 6, 2025 that it found LunaSpy, an Android spyware campaign spread through messenger links and disguised as antivirus or banking-protection apps.
- The latest LunaSpy samples can steal browser and messenger passwords, record screens, audio and video, and talk to roughly 150 command-and-control domains.
- It matters because Android social-engineering attacks are scaling fast, and fake “security” apps flip users’ trust into full-device surveillance.
Android spyware is usually pitched with some kind of lure. LunaSpy’s twist is nastier — it pretends to be the thing that’s supposed to protect you. Kaspersky described the campaign in August 2025 after tracking Android malware sent through messaging apps and disguised as antivirus or banking-protection tools. The point is simple: get the victim to install an APK by hand, ask for sweeping permissions, then turn the phone into a surveillance device.

### What is LunaSpy, exactly?

LunaSpy is an Android spyware family. It is not just adware or a banking overlay app. Once installed, it is built to collect data from the phone and send it back to attacker-controlled infrastructure. Kaspersky says the campaign had been active since at least late February 2025, which means this was not a one-off sample but a live operation running for months before public disclosure. (kaspersky.com)

### How does it get onto a phone?

The delivery method is old-school social engineering, but it still works. Victims get a message in a messenger app telling them to install a “security” tool, sometimes from a stranger and sometimes from a compromised contact. That matters because people are much more likely to trust an app link if it seems to come from someone they know. The malware also showed up as supposed banking-protection software, not just antivirus, so the pitch could be tailored to whatever fear would land. (kaspersky.com)

### Why does the fake antivirus angle work?

Because the app performs a little theater. It imitates a real security scan and shows alarming numbers of “threats found.” Then it pushes the user to grant broad permissions to “fix” the problem. Basically, the scam weaponizes the normal Android trust flow — alerts, permissions, cleanup — and turns that into consent for spying. The victim thinks they are hardening the phone when they are actually opening everything up. (kaspersky.com)

### What can the spyware actually do?

A lot. Kaspersky says newer versions can steal passwords from browsers and messengers; read text messages, call logs, and contacts; track location; record the screen; capture audio and video from the microphone and camera; and run arbitrary shell commands. Researchers also found code for stealing gallery photos, though that part was not yet active in the samples they described. That mix is what makes LunaSpy more than just credential theft — it can see, hear, and monitor the device in multiple ways at once. (kaspersky.com)

### Why do the command servers matter?

Because the infrastructure looks bigger than a toy campaign. Kaspersky linked LunaSpy to around 150 domains and IP addresses used as command-and-control servers. That does not automatically tell you how many victims there are, but it does suggest the operators put real effort into resilience and scale. If defenders block one server, the malware may have plenty of others to fall back to. (kaspersky.com)

### Is this part of a bigger Android problem?

Yes — and that is the real backdrop. Kaspersky’s 2025 mobile threat review says its products blocked more than 14 million attacks involving malware, adware, or unwanted mobile software that year, and it called LunaSpy one of the notable Android discoveries of 2025. So LunaSpy is not important because it is uniquely magical. It is important because it fits a broader pattern: attackers keep winning by getting users to sideload apps that promise something urgent, useful, or protective. (kaspersky.com)

### What should people and IT teams do now?

The boring defenses are the right ones. Do not install APKs sent over chat. Be especially suspicious of unknown “security” apps that are not from established developers. On managed Android fleets, block untrusted sideloading where possible, keep Play Protect on, and look for unusual permission grants tied to apps that should not need access to accessibility features, notifications, camera, microphone, SMS, or screen capture. If a security app asks for everything, that is the tell — not the reassurance. (securelist.com)

### Bottom line

LunaSpy is a reminder that on Android, the hardest attacks are often not technical at all. The malware did not need a zero-day. It needed a convincing message, a fake scan, and a user willing to believe that more permissions meant more safety. (kaspersky.com)
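As an added example for the fleet check recommended above (not code from Kaspersky or the article), this script scores one app's `adb shell dumpsys package <pkg>` dump plus the `settings get secure enabled_accessibility_services` value for the "asks for everything" pattern: a non-Play installer combined with several surveillance permission families or accessibility access. It assumes the stock dumpsys layout (a `requested permissions:` block, an `installerPackageName=` field); the package name and sample output are constructed.

```python
import re

# Permission families the article lists (SMS, call log, contacts, location,
# camera, microphone). Notification and accessibility access are granted at
# the service level, so accessibility is checked via secure settings instead.
RISKY = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION"},
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Play Store; anything else = sideload

def parse_dumpsys(text):
    """Return (installer or None, set of requested permission names).
    Assumes dumpsys prints 'installerPackageName=' and a 'requested permissions:'
    block with one bare permission name per line until the next section."""
    installer, perms, in_block = None, set(), False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"installerPackageName=(\S+)$", line)
        if m:
            installer = None if m.group(1) == "null" else m.group(1)
        if line == "requested permissions:":
            in_block = True
            continue
        if in_block:
            if line and "." in line and " " not in line:  # bare permission name
                perms.add(line)
            else:
                in_block = False                          # next section begins
    return installer, perms

def accessibility_enabled(setting, pkg):
    """Secure setting is a colon-separated list of pkg/service components."""
    return any(c.split("/")[0] == pkg for c in setting.split(":") if c)

def assess(dump, a11y_setting, pkg, threshold=3):
    """Flag a sideloaded package asking for >= threshold risky families or
    holding accessibility access; a Play-installed app is never flagged here."""
    installer, perms = parse_dumpsys(dump)
    families = sorted(f for f, names in RISKY.items() if perms & names)
    sideloaded = installer not in TRUSTED_INSTALLERS
    a11y = accessibility_enabled(a11y_setting, pkg)
    return {"installer": installer, "families": families, "sideloaded": sideloaded,
            "accessibility": a11y, "flagged": sideloaded and (len(families) >= threshold or a11y)}

# Constructed sample: a sideloaded "antivirus" requesting six families plus accessibility.
SAMPLE_DUMP = """  Package [com.example.fakeav] (3f1a2b):
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.READ_CALL_LOG
      android.permission.READ_CONTACTS
      android.permission.ACCESS_FINE_LOCATION
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
    install permissions:
      android.permission.INTERNET: granted=true
"""
SAMPLE_A11Y = "com.example.fakeav/.MonitorService:com.android.talkback/.TalkBackService"
```

Run it across the output of `adb shell pm list packages -3` on a managed device; hits are review candidates, not verdicts, since legitimate accessibility or MDM tools will also score high.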