Hackers Are Imitating Antivirus Tools to Access Your Smartphone
A dangerous spyware campaign is targeting Android users by disguising itself as antivirus or banking protection software. Known as LunaSpy, the malware has been active since at least February 2025 and spreads mainly through popular messaging platforms like Telegram.
Cybercriminals send short, convincing messages—often from hacked accounts belonging to someone the victim knows—urging recipients to download an app via a link or Telegram channel. These channels frequently appear legitimate, but exist solely to distribute the malicious software.
How LunaSpy Deceives Users
Once installed, LunaSpy poses as a legitimate antivirus tool. It launches a fake scan of the device, then displays alarming “threats found” messages. This is designed to scare the user into granting extensive permissions—supposedly to remove the threats.
These permissions give the attackers wide-ranging access, including the ability to read text messages, call logs, and contact lists, as well as to record audio and video from the microphone and camera. LunaSpy can also capture passwords from web browsers and messaging apps, run remote shell commands, track location, and record the screen in real time.
Researchers have discovered dormant code capable of stealing photos from the device gallery, indicating that future versions may add even more invasive capabilities. All stolen data is sent to attackers through an extensive infrastructure of about 150 different domains and IP addresses acting as command-and-control servers.
How the Malware Spreads
LunaSpy’s primary distribution method is through messaging apps. Victims may receive a direct message from a stranger or a trusted contact whose account has been compromised, containing a short instruction like “Install this program here” along with a download link.
In other cases, users are directed to download the app from a new Telegram channel set up by the attackers. Because new channels appear constantly, it’s easy for malicious ones to blend in among legitimate communities.
While malware can occasionally slip into official app stores, this campaign relies heavily on sideloaded APK files—applications installed from outside the Google Play Store—making user caution the first line of defense.
Protecting Your Device
Avoid downloading APK files from messaging apps, even if they appear to come from friends or family. Their accounts may have been hacked to spread the malware. Consider disabling the option to install apps from unknown sources entirely; this setting can usually be found by going to Settings > Apps > Special access > Install unknown apps.
Be cautious of any app, including antivirus tools, that requests broad permissions without clear justification. Stick to software from reputable developers with a proven history of security.
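The permission list the article describes (SMS, call logs, contacts, microphone, camera, location, screen) is exactly what a reviewer can check before trusting an "antivirus" app. The script below is an added example written for this page, not code from the article, from the LunaSpy researchers, or from any vendor: it parses permission names out of `adb shell dumpsys package <pkg>` style output and applies a simple triage heuristic of its own (an app that both reads private data and captures the environment is treated as spyware-like). The dumpsys samples and the package names are constructed placeholders; the `android.permission.*` identifiers are real Android permission names.

```python
import re

# Real Android permission identifiers, mapped to the capability the article describes.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS": "read text messages",
    "android.permission.RECEIVE_SMS": "intercept incoming text messages",
    "android.permission.READ_CALL_LOG": "read call logs",
    "android.permission.READ_CONTACTS": "read contact lists",
    "android.permission.RECORD_AUDIO": "record from the microphone",
    "android.permission.CAMERA": "record from the camera",
    "android.permission.ACCESS_FINE_LOCATION": "track precise location",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "observe and control the screen",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (fake alerts)",
}

# Permissions that read stored private data vs. those that capture the environment.
DATA_ACCESS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS",
}
CAPTURE = {
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
}

# Matches a permission name at the start of a dumpsys line, e.g.
# "    android.permission.READ_SMS" or "    android.permission.READ_SMS: granted=true".
PERMISSION_RE = re.compile(r"^\s*([A-Za-z0-9_.]+\.permission\.[A-Z0-9_]+)")


def extract_permissions(dumpsys_text: str) -> set[str]:
    """Collect every permission name listed in `adb shell dumpsys package <pkg>` output
    (both the 'requested permissions:' list and the 'granted=true' runtime entries)."""
    found = set()
    for line in dumpsys_text.splitlines():
        match = PERMISSION_RE.match(line)
        if match:
            found.add(match.group(1))
    return found


def triage(permissions: set[str]) -> dict:
    """Rate a permission set. Heuristic (this example's own, not a vendor rule):
    HIGH   - reads private data AND captures mic/camera/screen (surveillance profile)
    MEDIUM - two or more sensitive permissions without that combination
    LOW    - at most one sensitive permission"""
    findings = {p: SENSITIVE_PERMISSIONS[p] for p in permissions if p in SENSITIVE_PERMISSIONS}
    reads_data = bool(findings.keys() & DATA_ACCESS)
    captures = bool(findings.keys() & CAPTURE)
    if reads_data and captures:
        level = "HIGH"
    elif len(findings) >= 2:
        level = "MEDIUM"
    else:
        level = "LOW"
    return {"level": level, "findings": findings}


# Constructed sample output in dumpsys format (placeholder package names).
# First: a self-styled "antivirus" that asks for the permission set the article lists.
FAKE_AV_DUMPSYS = """\
Package [com.example.placeholder.fakeav]:
  requested permissions:
    android.permission.INTERNET
    android.permission.READ_SMS
    android.permission.READ_CALL_LOG
    android.permission.READ_CONTACTS
    android.permission.RECORD_AUDIO
    android.permission.CAMERA
    android.permission.ACCESS_FINE_LOCATION
    android.permission.SYSTEM_ALERT_WINDOW
  runtime permissions:
    android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
    android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
"""

# Second: a flashlight app; CAMERA alone is expected because the flash is a camera feature.
FLASHLIGHT_DUMPSYS = """\
Package [com.example.placeholder.flashlight]:
  requested permissions:
    android.permission.CAMERA
    android.permission.INTERNET
"""


def report(name: str, dumpsys_text: str) -> str:
    """Human-readable summary for one app."""
    result = triage(extract_permissions(dumpsys_text))
    lines = [f"{name}: risk {result['level']}"]
    for perm, capability in sorted(result["findings"].items()):
        lines.append(f"  {perm} -> can {capability}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("fake antivirus", FAKE_AV_DUMPSYS))
    print(report("flashlight", FLASHLIGHT_DUMPSYS))
```

On a real device, feed the script the output of `adb shell dumpsys package <package>` for the app in question; a genuine scanner may need storage or network access, but it has no justification for the data-plus-capture combination that rates HIGH here.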
If you suspect LunaSpy or similar malware is on your device, uninstall suspicious apps immediately and run a scan with an antivirus app like Certo AntiSpy. A factory reset can also remove persistent threats, but remember to back up important data first.