New LunaSpy Spyware is Targeting Android Users – How to Protect Yourself

Admin


 

What is LunaSpy

LunaSpy is an Android spyware that disguises itself as an antivirus or bank protection app. It scans your phone and gives a fake “threats found” warning to pressure users into giving critical permissions to delete the fake threats. It then uses the elevated permissions to perform tasks like recording audio/video, reading SMS and call logs, stealing passwords from browsers and apps, stealing photos from the gallery, and other spyware acts.


This spyware is mainly distributed through messenger apps, where the victim is sent an APK file to install. There is no specific demographic target; the more than 150 domains/IPs used for C2 suggest a fairly broad infrastructure and reach. To avoid becoming a target of this spyware, follow the protection measures below.


Be Skeptical About APK Links on Messenger Apps

Installing apps from APK files is a risk on its own, even from a trusted APK website, but it’s worse if the APK link arrives in a random message. Hackers know that people will not just download anything they receive, which is why social engineering plays a very important role in LunaSpy distribution.


Attackers often gain the user’s trust before providing the APK. The pretext could be a business opportunity, device security, or anything else that leads to installing a security app. There are also cases of hijacked accounts of family and friends being used for distribution, since people are more likely to trust them.


Group chats are another vector, where people may pose as trustworthy members and share LunaSpy disguised as a special antivirus or a free premium version of a popular antivirus.


You should be very skeptical about receiving APK download links in messenger apps, even if they are from a family member. If you are unsure about a link, it’s best to leave it and not even open it.


Ensure No Apps Have “Install unknown apps” Permission

Installing an APK file requires the “Install unknown apps” permission. If an app has it turned on, an APK file can be installed through that app with minimal resistance. To ensure LunaSpy doesn’t sneak in or get installed accidentally from an APK file, make sure no apps have this permission enabled.


Note: depending on your phone manufacturer, the steps to access special permissions may be different. However, they should be under privacy options or app permissions. The general steps are given below.


In your phone’s settings, go to Privacy protection → Special permissions → Install unknown apps and make sure no apps have Allowed written under them.


Carefully Provide App Permissions

LunaSpy depends heavily on elevated permissions to do its job. Many of these permissions are so critical that they should never be given to any unknown app. This applies beyond LunaSpy: if any unknown app asks for such critical permissions, think twice before granting them. LunaSpy will ask for several of these permissions.


Below, we are listing some common dangerous permissions that LunaSpy may ask for:


Accessibility service: it allows reading screen contents and performing actions on the screen, which is necessary for spying.

Device administrator: this is mainly used for persistence, as it can prevent the uninstallation of the spyware.

Draw over other apps: it allows LunaSpy to hide prompts or show fake information, which is used for stealing passwords.

Along with these, it will also ask for risky but common permissions like the microphone, camera, all files, phone, etc.
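For readers comfortable with adb, the checks described above (which apps hold “Install unknown apps”, accessibility, device administrator, or draw-over-other-apps access) can be audited in one pass. This is an added example, not code from the original article; it assumes adb with USB debugging enabled, the output formats noted in the comments, and hypothetical package names in the constructed sample.

```python
import re
import subprocess

# Real adb shell commands. The output shapes parsed below are assumptions
# based on typical AOSP builds and can differ by vendor and Android version.
COMMANDS = {
    "third_party": "pm list packages -3",
    "accessibility": "settings get secure enabled_accessibility_services",
    "device_admin": "dumpsys device_policy",
    "overlay": "appops query-op SYSTEM_ALERT_WINDOW allow",
    "install_unknown_apps": "appops query-op REQUEST_INSTALL_PACKAGES allow",
}
COMPONENT = re.compile(r"([A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)+)/[\w.$]+")  # pkg/class

def collect():
    """Run each command on a connected device (needs adb and USB debugging)."""
    return {key: subprocess.run(["adb", "shell", cmd], capture_output=True,
                                text=True).stdout for key, cmd in COMMANDS.items()}

def audit(outputs):
    """Map each user-installed package to the high-risk grants it holds."""
    user_apps = {l.split(":", 1)[1].strip()
                 for l in outputs["third_party"].splitlines() if l.startswith("package:")}
    holders = {}
    for grant in ("accessibility", "device_admin"):  # heuristic: any component named
        holders[grant] = {m.group(1) for m in COMPONENT.finditer(outputs[grant])}
    for grant in ("overlay", "install_unknown_apps"):  # one package name per line
        holders[grant] = {l.strip() for l in outputs[grant].splitlines()}
    report = {}
    for grant, pkgs in holders.items():
        for pkg in pkgs & user_apps:  # ignore preinstalled/system packages
            report.setdefault(pkg, set()).add(grant)
    return report

def suspicious(report, threshold=2):
    """Packages holding several of these grants at once deserve a manual look."""
    return sorted(p for p, grants in report.items() if len(grants) >= threshold)

# Constructed sample output (hypothetical package names) so the block runs offline.
SAMPLE = {
    "third_party": "package:com.example.fakeav\npackage:org.example.notes\n",
    "accessibility": "com.example.fakeav/.core.GuardService:com.example.reader/.ReaderService\n",
    "device_admin": "Enabled Device Admins (User 0):\n  com.example.fakeav/.AdminReceiver:\n",
    "overlay": "com.example.fakeav\norg.example.notes\n",
    "install_unknown_apps": "No operations.\n",
}

if __name__ == "__main__":  # swap SAMPLE for collect() on a real device
    print(suspicious(audit(SAMPLE)))
```

A package that appears in the result is not necessarily malicious; it is a user-installed app holding two or more of the grants listed above, and should be reviewed in the phone’s settings.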


Make Sure Google Play Protect is Enabled

Google Play Protect scans your device and ensures your device doesn’t have any apps that can harm it. It works for apps that are installed using APK files as well. In most cases, it should catch LunaSpy due to its elevated functions and background activity. Make sure Google Play Protect is enabled and run a manual scan to ensure your device is clean.


Open the Google Play Store, tap on your icon, and select Play Protect.


Here, tap on the Settings button at the top-right corner and ensure both Scan apps with Play Protect and Improve harmful app detection are enabled. You can tap on the Scan button to run a scan immediately to see if any harmful app is installed.




Apart from these protection measures, you should also have a reliable antivirus installed with real-time threat scanning, like Avast Antivirus. If you think your Android phone is infected, look for these spyware signs to confirm and take action.
