Russian cybersecurity company Doctor Web claims that a recently uncovered Android spyware campaign, in which malware poses as an antivirus app purportedly connected to the nation’s intelligence services, is targeting Russian business executives.
Android Malware as Antivirus to spy on Russian companies.
The malware, tracked as Android.Backdoor.916.origin, has been in use since January 2025 and has gone through several iterations. Its greatest danger is that it poses as an official-looking security app from Russian authorities, luring Russian employees and business executives into targeted attacks.
According to researchers, the backdoor can covertly record video with the camera, log keystrokes, track location, steal files, and even extract information from messaging apps like WhatsApp and Telegram, from Gmail, and from browsers like Chrome and Yandex.
Android Malware as Antivirus Passed off as “official” security instruments
The malicious app is spread through direct messages in chat apps: victims receive a download link in a messenger that delivers a phony antivirus program called “GuardCB.” To lend it legitimacy, the app uses an icon resembling the emblem of the Central Bank of the Russian Federation.
Other variations use names like “SECURITY_FSB” or just “FSB,” which implies a relationship to the Federal Security Service of Russia. The fact that the interface is only available in Russian emphasizes how specifically targeted the campaign is.
Targets Russian Users
The interface is offered only in Russian; in other words, the malicious program is aimed solely at Russian users, researchers from Doctor Web wrote in a blog post.
This is supported by additional variants found under file names like “SECURITY_FSB,” “FSB,” and others that the cybercriminals are attempting to pass off as security programs purportedly associated with Russian law enforcement.
How It Operates
By simulating scans, the phony antivirus mimics real security software so that users do not remove it. Its fake scans produce false positives, randomly reporting one to three nonexistent threats, about 30% of the time.
After installation, the app requests an extensive set of permissions, notably access to the camera, microphone, contacts, media files, call history, GPS, SMS, and even Android’s Accessibility Service.
To persuade users that it is authentic, it then runs phony antivirus “scans” that report one to three “threats” at random. At the same time, in the background, it quietly connects to a command-and-control (C2) server, giving the attackers stealthy, full control over the device, including the ability to:
- Stream live audio from the microphone
- Broadcast the device’s screen or camera video in real time
- Steal call logs, stored photos, contacts, and SMS
- Intercept private conversations and typed passwords
- Run commands remotely
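The permission profile described above (camera, microphone, contacts, media, call history, location, SMS plus an Accessibility Service) is exactly the kind of thing an analyst can check mechanically when triaging a suspicious APK. The script below is an added example, not Doctor Web’s code: it parses a decoded AndroidManifest.xml (as produced by tools such as apktool), maps the standard Android permission identifiers to the spyware capabilities the article lists, and flags apps that combine many of them with an accessibility service. The two manifests at the bottom are constructed samples; the package names and service name are hypothetical.

```python
"""Triage a decoded AndroidManifest.xml for the spyware permission profile.

Added example for illustration; not Doctor Web's tooling. The manifests
embedded below are constructed samples, not real malware artifacts.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Standard Android permission identifiers, grouped by the capability they
# enable for a backdoor of the kind described in the article.
CAPABILITY_PERMISSIONS = {
    "camera_video": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "media_files": {"android.permission.READ_EXTERNAL_STORAGE",
                    "android.permission.READ_MEDIA_IMAGES"},
    "call_history": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
}
# An accessibility service is declared as a <service> protected by this
# permission; it is what lets an app read screen content and keystrokes.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def parse_manifest(xml_text):
    """Return (requested permission names, accessibility service class names)."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ATTR_NAME) for e in root.iter("uses-permission")}
    services = [s.get(ATTR_NAME) for s in root.iter("service")
                if s.get(ATTR_PERMISSION) == ACCESSIBILITY_PERMISSION]
    return requested, services


def triage(xml_text, threshold=4):
    """Score the manifest: one point per surveillance capability requested,
    two extra points for an accessibility service. Flag at or above threshold."""
    requested, services = parse_manifest(xml_text)
    capabilities = sorted(cap for cap, perms in CAPABILITY_PERMISSIONS.items()
                          if requested & perms)
    score = len(capabilities) + (2 if services else 0)
    return {"capabilities": capabilities,
            "accessibility_services": services,
            "score": score,
            "flag": score >= threshold}


# Constructed sample: a fake "antivirus" requesting the full surveillance set.
SPYWARE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake_av">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".ScreenReaderService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary camera app with a modest permission set.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.camera_app">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("spyware", SPYWARE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

For an app that is already installed on a device, the same permission profile can be read from `adb shell dumpsys package <package-name>`, and the list of currently enabled accessibility services from `adb shell settings get secure enabled_accessibility_services`; an unfamiliar “security” app appearing in that list is the signal this heuristic is built around.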
According to Doctor Web, the malware is highly targeted, made specifically for Russian users, and not intended for widespread infection. Its infrastructure lets it switch between 15 different hosting providers, indicating that its developers built it to be persistent and resilient to takedown.
Precautions
For the time being, Android users are advised to download apps only from reliable sources, such as the Google Play Store, to be wary of apps that purport to be government security tools, and to pay attention to the permissions that apps request.
Doctor Web states that all known versions of the spyware are detected and removed by its own antivirus product. Android-related indicators of compromise (IoCs) are also included in the report the company shared, and the file for Backdoor.916.origin is available in its GitHub repository.