{"id":24475,"date":"2025-08-06T04:12:44","date_gmt":"2025-08-06T08:12:44","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=24475"},"modified":"2025-08-06T12:26:35","modified_gmt":"2025-08-06T08:26:35","slug":"disguised-spy-for-android","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/disguised-spy-for-android\/24475\/","title":{"rendered":"Spyware that pretends to be an antivirus"},"content":{"rendered":"<p>In the pursuit of security, many folks are ready to install any app that promises reliable protection from malware and scammers. It\u2019s this fear that\u2019s skillfully used by the creators of new mobile spyware distributed through messengers under the guise of an antivirus. After installation, the fake antivirus imitates the work of a genuine one \u2014 scanning the device, and even giving a frightening number of \u201cthreats found\u201d. Of course no real threats are detected, while what it really does is simply spy on the owner of the infected smartphone.<\/p>\n<p>How the new malware works and how to <a href=\"https:\/\/me-en.kaspersky.com\/mobile-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kdaily_wpplaceholder_sm-team___kisa____3d7d2c33c4c17a10\" target=\"_blank\" rel=\"noopener\">protect<\/a>\u00a0yourself from it is what we\u2019ll be telling you about today.<\/p>\n<h2>How the spyware gets into your phone<\/h2>\n<p>We\u2019ve discovered a new malware campaign targeting Android users. It\u2019s been active since at least the end of February 2025. The spy gets into smartphones through messengers, not only under the guise of an antivirus, but also banking protection tools. 
It can look like this, for example:<\/p>\n<ul>\n<li><strong>\u201cHi, install this program here.\u201d <\/strong>A potential victim can receive a message suggesting they install software, sent either by a stranger or from the hacked account of a person in their contacts (which is how, for example, <a href=\"https:\/\/www.kaspersky.com\/blog\/telegram-premium-scam\/52696\/\" target=\"_blank\" rel=\"noopener nofollow\">Telegram accounts are hijacked<\/a>).<\/li>\n<li><strong>\u201cDownload the app in our channel\u201d. <\/strong>New channels appear in Telegram every second, so it\u2019s quite possible that some of them may distribute malware under the guise of legitimate software.<\/li>\n<\/ul>\n<p>After installation, the fake security app shows the number of detected threats on the device in order to force the user to provide all possible permissions, supposedly to save the smartphone. In this way, the victim gives the app access to all personal data without realizing the real motives of the fake AV.<\/p>\n<h2>What LunaSpy can do<\/h2>\n<p>The capabilities of the spyware are constantly increasing. For example, the latest version we found has the ability to steal passwords from both <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-store-passwords-securely\/48784\/\" target=\"_blank\" rel=\"noopener nofollow\">browsers<\/a> and messengers. This, by the way, is another reason to start using <a href=\"https:\/\/me-en.kaspersky.com\/password-manager?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">password managers<\/a> if you haven\u2019t already done so. 
What else can LunaSpy do?<\/p>\n<ul>\n<li>Record audio and video from the microphone and camera.<\/li>\n<li>Read texts, the call log, and contact list.<\/li>\n<li>Run arbitrary shell commands.<\/li>\n<li>Track geolocation.<\/li>\n<li>Record the screen.<\/li>\n<\/ul>\n<p>We also discovered malicious code responsible for stealing photos from the gallery, but it\u2019s not being used yet. All the information collected by the malware is sent to the attackers via command-and-control servers. What\u2019s surprising is that there are around 150 different domains and IP addresses associated with this spyware \u2014 all of them command-and-control servers.<\/p>\n<h2>How to protect your devices<\/h2>\n<p>We assume that this spyware is used by attackers as an auxiliary tool, so for now it doesn\u2019t compete with big players like <a href=\"https:\/\/www.kaspersky.com\/blog\/ios-android-ocr-stealer-sparkcat\/52980\/\" target=\"_blank\" rel=\"noopener nofollow\">SparkCat<\/a>. Nevertheless, you should protect yourself from LunaSpy as best you can, just as you do with other threats.<\/p>\n<ul>\n<li><strong>Don\u2019t download apps from third-party sources.<\/strong> <a href=\"https:\/\/www.kaspersky.com\/blog\/malware-in-google-play-2023\/49579\/\" target=\"_blank\" rel=\"noopener nofollow\">We usually talk about the possible presence of malware in official stores and catalogs<\/a>; however, this is a special case, so we\u2019ll supplement the standard recommendation with: never download APK files from messengers \u2014 even if they were sent to you by close friends. Better yet, <a href=\"https:\/\/www.kaspersky.com\/blog\/unknown-apps-android\/41656\/\" target=\"_blank\" rel=\"noopener nofollow\">disable the ability to install unknown applications<\/a>.<\/li>\n<li><strong>Check which apps you give permission to. 
<\/strong>Be wary if an antivirus or any other security solution requires <a href=\"https:\/\/www.kaspersky.com\/blog\/android-restricted-settings\/49991\/\" target=\"_blank\" rel=\"noopener nofollow\">too many permissions<\/a> with no clear reason why it needs them.<\/li>\n<li><strong>Use <a href=\"https:\/\/me-en.kaspersky.com\/mobile-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kdaily_wpplaceholder_sm-team___kisa____3d7d2c33c4c17a10\" target=\"_blank\" rel=\"noopener\">Kaspersky for Android<\/a><\/strong> to detect spyware and other malware in a timely manner.<\/li>\n<li><strong>Trust trusted developers. <\/strong>If someone invites you to download a <em>\u201cnew super-accurate and secure\u201d <\/em>antivirus that the internet seems to know nothing about, be very wary <em>and <\/em>opt for a <a href=\"https:\/\/www.kaspersky.com\/top3\" target=\"_blank\" rel=\"noopener nofollow\">proven solution<\/a>.<\/li>\n<\/ul>\n<blockquote><p>A bit more on spyware:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/finspy-for-windows-macos-linux\/42383\/\" target=\"_blank\" rel=\"noopener nofollow\">FinSpy: the ultimate spying tool<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/telegram-signal-malware-in-google-play\/48937\/\" target=\"_blank\" rel=\"noopener nofollow\">Spyware messengers on Google Play<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-protect-from-pegasus-spyware\/43453\/\" target=\"_blank\" rel=\"noopener nofollow\">Staying safe from Pegasus, Chrysaor and other APT mobile malware<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/new-spy-for-android-smartphones-lianspy\/51923\/\" target=\"_blank\" rel=\"noopener nofollow\">LianSpy: new mobile spyware for Android<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/smartphone-spying-protection\/31894\/\" target=\"_blank\" rel=\"noopener nofollow\">How to keep spies off your phone \u2014 in real life, not the 
movies<\/a><\/li>\n<\/ul>\n<\/blockquote>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kisa-generic-3\">\n","protected":false},"excerpt":{"rendered":"<p>Android smartphone owners who use messengers are at risk.<\/p>\n","protected":false},"author":2739,"featured_media":24476,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1486],"tags":[105,97,45,682,738,521,692],"class_list":{"0":"post-24475","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-android","9":"tag-security-2","10":"tag-smartphones","11":"tag-spyware","12":"tag-surveillance","13":"tag-threats","14":"tag-trojans"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/disguised-spy-for-android\/24475\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/disguised-spy-for-android\/29360\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/disguised-spy-for-android\/29311\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/disguised-spy-for-android\/40244\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/disguised-spy-for-android\/54051\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/disguised-spy-for-android\/35227\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/disguised-spy-for-android\/34874\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/android\/","name":"Android"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/24475","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/
v2\/users\/2739"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=24475"}],"version-history":[{"count":1,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/24475\/revisions"}],"predecessor-version":[{"id":24477,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/24475\/revisions\/24477"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/24476"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=24475"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=24475"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=24475"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}