{
	"id": "3e32a408-5504-4219-a872-adb8f19c1a48",
	"created_at": "2026-04-06T00:11:28.79706Z",
	"updated_at": "2026-04-10T03:30:32.826209Z",
	"deleted_at": null,
	"sha1_hash": "eae3c5f9033217b38aeb13b195484397e4c247fb",
	"title": "Spyware that pretends to be an antivirus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 116173,
	"plain_text": "Spyware that pretends to be an antivirus\r\nBy Dmitry Kalinin\r\nPublished: 2025-08-06 · Archived: 2026-04-05 21:22:06 UTC\r\nAndroid\r\nAndroid smartphone owners who use messengers are at risk.\r\nDmitry Kalinin\r\nAugust 6, 2025\r\nIn the pursuit of security, many folks are ready to install any app that promises reliable protection from malware and scammers. It’s this fear that’s skillfully used by the creators of new mobile spyware distributed through messengers under the guise of an antivirus. After installation, the fake antivirus imitates the work of a genuine one — scanning the device, and even giving a frightening number of “threats found”. Of course, no real threats are detected, while what it really does is simply spy on the owner of the infected smartphone.\r\nhttps://www.kaspersky.com/blog/disguised-spy-for-android/54051/\r\nPage 1 of 3\n\nHow the new malware works and how to protect yourself from it is what we’ll be telling you about today.\r\nHow the spyware gets into your phone\r\nWe’ve discovered a new malware campaign targeting Android users. It’s been active since at least the end of February 2025. The spy gets into smartphones through messengers, not only under the guise of an antivirus, but also banking protection tools. It can look like this, for example:\r\n“Hi, install this program here.” A potential victim can receive a message suggesting installing software from either a stranger, or a hacked account of a person in their contacts (which is how, for example, Telegram accounts are hijacked).\r\n“Download the app in our channel.” New channels appear in Telegram every second, so it’s quite possible that some of them may distribute malware under the guise of legitimate software.\r\nAfter installation, the fake security app shows the number of detected threats on the device in order to force the user to provide all possible permissions supposedly to save the smartphone. In this way, the victim gives the app access to all personal data without realizing the real motives of the fake AV.\r\nWhat LunaSpy can do\r\nThe capabilities of the spyware are constantly increasing. For example, the latest version we found has the ability to steal passwords from both browsers and messengers. This, by the way, is another reason to start using password managers if you haven’t already done so. What else can LunaSpy do?\r\nRecord audio and video from the microphone and camera.\r\nRead texts, the call log, and contact list.\r\nRun arbitrary shell commands.\r\nTrack geolocation.\r\nRecord the screen.\r\nWe also discovered malicious code responsible for stealing photos from the gallery, but it’s not being used yet. All the information collected by the malware is sent to the attackers via command-and-control servers. What’s surprising is that there are around 150 different domains and IP addresses associated with this spyware — all of them command-and-control servers.\r\nHow to protect your devices\r\nWe assume that this spyware is used by attackers as an auxiliary tool, so for now it doesn’t compete with big players like SparkCat. Nevertheless, you should protect yourself from LunaSpy as best you can, as you do with other threats.\r\nDon’t download apps from third-party sources. We usually talk about the possible presence of malware in official stores and catalogs; however, this is a special case, so we’ll supplement the standard recommendation with: never download APK files from messengers — even if they were sent to you by close friends. Better yet, disable the ability to install unknown applications.\r\nCheck which apps you give permission to. Be wary if an antivirus or any other security solution requires too many permissions with no clear reason why it needs them.\r\nUse Kaspersky for Android to detect spyware and other malware in a timely manner.\r\nTrust trusted developers. If someone offers you a “new super-accurate and secure” antivirus to download that the internet seems to know nothing about, be very wary and opt for a proven solution.\r\nA bit more on spyware:\r\nFinSpy: the ultimate spying tool\r\nSpyware messengers on Google Play\r\nStaying safe from Pegasus, Chrysaor and other APT mobile malware\r\nLianSpy: new mobile spyware for Android\r\nHow to keep spies off your phone — in real life, not the movies\r\nSource: https://www.kaspersky.com/blog/disguised-spy-for-android/54051/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.kaspersky.com/blog/disguised-spy-for-android/54051/"
	],
	"report_names": [
		"54051"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434288,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eae3c5f9033217b38aeb13b195484397e4c247fb.pdf",
		"text": "https://archive.orkl.eu/eae3c5f9033217b38aeb13b195484397e4c247fb.txt",
		"img": "https://archive.orkl.eu/eae3c5f9033217b38aeb13b195484397e4c247fb.jpg"
	}
}