Date: 2025-08-14

Facepalm: Theoretically, antimalware software should work to protect users' data from cybercrime. However, a newly discovered spyware campaign targeting Android devices is doing the opposite while masquerading as legitimate antivirus software.

Kaspersky recently uncovered LunaSpy, a new spyware campaign designed to steal sensitive user data from Android devices and transmit it to command-and-control servers. According to the Moscow-based cybersecurity firm, LunaSpy has been active since at least February 2025 and is primarily spread through messaging apps and chat sessions initiated by seemingly legitimate users.

Potential victims may be prompted to install the malicious app either by a stranger or via a compromised account belonging to someone in their contact list. In addition, certain Telegram channels may also serve as delivery vectors.

Kaspersky researchers emphasize that many users are inclined to install apps from untrusted sources if they promise added security. Once installed, LunaSpy exploits this tendency by falsely alerting users that their device is at risk from multiple "threats," further encouraging installation and engagement with the malicious software.

The fake warnings are designed to coerce victims into granting unfettered access and permissions, allowing LunaSpy to exploit data stored on the device. According to Kaspersky, the spyware is constantly evolving, with the latest versions capable of stealing passwords saved in browsers and messaging apps.

LunaSpy also includes a wide range of other malicious capabilities. It can record audio and video via the device's microphone or camera, read texts, logs, and contact lists, track geolocations, and capture screen activity. The malware can even execute arbitrary shell commands if instructed. An additional feature for stealing images from a user's gallery exists but has not yet been deployed.

Another notable aspect of the LunaSpy campaign is its extensive and branched server infrastructure. Kaspersky identified approximately 150 domains and IP addresses associated with LunaSpy, all functioning as command-and-control servers to issue instructions and collect stolen data.

Security researchers suggest that LunaSpy may serve as an auxiliary tool for larger spyware campaigns. Users are strongly advised to avoid downloading apps from third-party sources and to carefully review the permissions granted to previously installed apps.
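
One way to carry out the permission review advised above, as an added example that is not from Kaspersky or the original article: it parses `adb shell dumpsys package` output and flags apps not installed by a trusted store that hold several of the runtime permissions matching the capabilities listed earlier. The watched permission set (with "logs" read as call logs), the `min_hits` threshold, the trusted-installer list and the sample package names are all assumptions.

```python
import re

# Runtime permissions matching capabilities the article lists for LunaSpy.
WATCHED = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_SMS": "texts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: adjust per fleet

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
INSTALLER_RE = re.compile(r"^\s*installerPackageName=(\S+)")
PERM_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=(true|false)")

def audit(dumpsys_text, min_hits=3):
    """Map sideloaded packages to watched capabilities they hold (>= min_hits)."""
    apps, cur = {}, None
    for line in dumpsys_text.splitlines():
        if m := PKG_RE.match(line):
            cur = apps.setdefault(m.group(1), {"installer": None, "caps": set()})
        elif cur is None:
            continue
        elif m := INSTALLER_RE.match(line):
            cur["installer"] = m.group(1)
        elif (m := PERM_RE.match(line)) and m.group(2) == "true":
            if m.group(1) in WATCHED:
                cur["caps"].add(WATCHED[m.group(1)])
    return {p: sorted(a["caps"]) for p, a in apps.items()
            if a["installer"] not in TRUSTED_INSTALLERS and len(a["caps"]) >= min_hits}

# Constructed sample shaped like `adb shell dumpsys package` output.
SAMPLE = """\
Package [com.example.fakeav] (1a2b3c):
    installerPackageName=null
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
      android.permission.CAMERA: granted=false, flags=[ USER_SET]
Package [com.example.chat] (4d5e6f):
    installerPackageName=com.android.vending
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
"""
```

A flagged package is a prompt for manual review, not a verdict: legitimate sideloaded apps can hold the same permissions.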