
This Spyware Campaign Is Targeting Android Users Via Messaging Apps

A new spyware campaign is targeting Android users by posing as antivirus software delivered via messenger apps. Once installed on your device, it can do everything from recording your screen to stealing your passwords. The malware, referred to as LunaSpy, was identified by Kaspersky and is believed to have been active since at least February 2025.

What is LunaSpy?

According to Kaspersky, LunaSpy imitates real antivirus software, scanning your device and alerting you to (fake) “threats found,” after which it requests extensive permissions so it can spy on your device unsuspected. The malware can execute a range of functions:

  • Recording audio and video using your device’s microphone and camera

  • Reading texts, call logs, and contact lists

  • Running arbitrary shell commands

  • Stealing passwords

  • Tracking locations

  • Recording the device screen

The program is also capable of stealing images from your phone’s photo gallery. All of this information is then routed to command-and-control servers belonging to the attackers, where it can be used for malicious purposes.

How LunaSpy spreads on Android—and how to protect your device

The LunaSpy campaign proliferates through messenger apps like Telegram. Targets may receive a message from a stranger—or the hijacked account of someone they know—suggesting they install the “antivirus.” Victims may also be directed to download the app in a new channel.

In general, you should download apps only from official sources like the Google Play Store (though malware can sometimes slip through the cracks, as with the fake crypto extensions recently found among Mozilla’s add-ons). Avoid third-party sources, and don’t download APK files from messengers even if you know the sender.

You can also block unknown app installs for sources outside the Google Play Store entirely, so your device will have an extra layer of protection if you do attempt to download a malicious program. While the specifics vary depending on your device, this option can generally be found under Settings > Security.

You should be wary of apps—including antivirus—that request broad permissions without a clear purpose unless you have verified that the software is legitimate and trustworthy. You can confirm which permissions an app has under Settings > Apps > Permissions.
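The two checks above (install source and granted permissions) can also be run from a computer over `adb`. The following is an added example, not code from Kaspersky or the original article: it parses the output of `adb shell pm list packages -i -3` and `adb shell dumpsys package <pkg>` and flags sideloaded apps that hold several sensitive permissions. The package names, the sample output, the threshold, and the mapping from the capabilities listed earlier to Android permission names are assumptions made for illustration.

```python
import re

# Play Store's installer package name; anything else is treated as sideloaded.
PLAY_STORE = "com.android.vending"

# Android permissions matching the capabilities listed above (mapping assumed
# for this example; it is not taken from an analysis of the LunaSpy manifest).
SENSITIVE = {
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.READ_SMS", "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
}

def parse_installers(pm_output):
    """Parse `adb shell pm list packages -i -3` into {package: installer}."""
    result = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result

def granted_permissions(dumpsys_output):
    """Collect permissions marked granted=true in `adb shell dumpsys package <pkg>`."""
    return set(re.findall(r"^\s*([\w.]+): granted=true", dumpsys_output, re.M))

def audit(pm_output, dumps, threshold=3):
    """Return sideloaded packages holding >= threshold sensitive permissions."""
    findings = {}
    for pkg, installer in parse_installers(pm_output).items():
        if installer == PLAY_STORE:
            continue  # installed through the Play Store
        held = granted_permissions(dumps.get(pkg, "")) & SENSITIVE
        if len(held) >= threshold:
            findings[pkg] = sorted(held)
    return findings

# Constructed sample output (package names are made up for illustration).
PM_SAMPLE = """package:com.example.notes  installer=com.android.vending
package:com.example.fakeav  installer=null
package:com.example.game  installer=com.google.android.packageinstaller"""
DUMPS_SAMPLE = {"com.example.fakeav": """    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]"""}

if __name__ == "__main__":
    print(audit(PM_SAMPLE, DUMPS_SAMPLE))
```

The installer field varies by device and Android version, so a flagged package is a prompt for manual review rather than proof of infection.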

If you suspect that you’ve installed spyware on your Android, you should immediately uninstall any suspicious apps. A factory reset is a more extreme step, but it should wipe malware completely—just be sure you back everything up first.


ZaKi
