A new Android spyware, dubbed LunaSpy, has been circulating since at least February 2025, according to a recent report from Kaspersky, posing significant threats to mobile device security.
The malicious software primarily spreads through messaging applications like Telegram, often disguised as legitimate antivirus or banking protection software. Upon installation, LunaSpy employs a deceptive tactic: it initiates a fake virus scan, displaying alarming “threats found” warnings to the user. This elaborate ruse is designed to trick users into granting the application a wide array of permissions, under the false pretense that these permissions are necessary to resolve the fabricated threats.
However, these extensive permissions are not for protective measures. Instead, LunaSpy leverages them to execute a variety of intrusive actions. The spyware is capable of stealing sensitive information, including passwords from web browsers and messaging applications. It can also record audio and video, read text messages, track the device’s location, and even run commands on the compromised device. The latest iteration of LunaSpy reportedly contains unused code that suggests future capabilities for photo theft, indicating a potential expansion of its data exfiltration features.
All the stolen data is then transmitted to the attackers through a complex network of approximately 150 servers. This highlights the sophisticated infrastructure supporting the spyware’s operations.
To mitigate the risk of infection, users are strongly advised to exercise extreme caution when downloading applications. Specifically, users should avoid downloading Android Package Kits (APKs) received via messenger links, even if the sender is known, as their account may have been compromised. Furthermore, users should be wary of any unfamiliar security or antivirus applications that request broad and extensive permissions to access various functionalities and data on their mobile devices. Such requests should be a significant red flag, prompting immediate uninstallation if already installed.
