Russian cybersecurity company Doctor Web claims that a recently uncovered Android spyware campaign, masquerading as an antivirus app purportedly connected to the nation’s intelligence services, is targeting Russian business executives.
The malware, tracked as Android.Backdoor.916.origin, has been in use since January 2025 and has gone through several iterations. Its greatest danger lies in its disguise: it poses as an official-looking security app tied to Russian authorities, which lures Russian employees and business executives into targeted attacks.
According to researchers, the backdoor can covertly record video using the camera, log keystrokes, track location, steal files, and even extract information from well-known apps such as WhatsApp, Telegram, and Gmail, as well as from browsers such as Chrome and Yandex.
Passed off as “official” security instruments
The malicious app is spread through direct messages in chat apps: victims receive a download link in a messenger, and the link delivers a phony antivirus program called “GuardCB.” To lend it legitimacy, the fake antivirus uses an icon that resembles the emblem of the Central Bank of the Russian Federation.
Other variations use names like “SECURITY_FSB” or just “FSB,” which implies a relationship to the Federal Security Service of Russia. The fact that the interface is only available in Russian emphasizes how specifically targeted the campaign is.
“However, it only offers Russian as a language on its interface. In other words, the malicious program is solely targeted at Russian users,” researchers from Doctor Web wrote in a blog post.
This is supported by additional variants found in files with names like “SECURITY_FSB,” “FSB,” and others that the cybercriminals attempt to pass off as security programs purportedly associated with Russian law enforcement.
How It Operates
By simulating scans, the phony antivirus mimics real security software in order to evade removal. False positives, which randomly range from one to three nonexistent threats, appear about 30% of the time.
After installation, the app requests a large set of permissions, including access to the camera, microphone, contacts, media files, call history, GPS, SMS, and even Android’s Accessibility Service.
To persuade users that it is authentic, it then runs fake antivirus “scans,” reporting one to three “threats” at random. In the background, however, it quietly connects to a command-and-control (C2) server, enabling attackers to:
- Stream live audio from the microphone
- Broadcast the device’s screen or video in real time
- Steal call logs, stored photos, contacts, and SMS
- Intercept private conversations and typed passwords
- Run commands remotely
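The permission set and the capability list above together form a recognizable profile: a sideloaded app that holds camera, microphone, contacts, media, call-log, location and SMS permissions and also has an enabled Accessibility Service. The following Python triage helper is an added example, not Doctor Web’s tooling or anything from its report. It parses text in the shape produced by `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services` (the layouts are assumed from typical Android builds), matches each package against that profile, and rates sideloaded matches highest. The sample dump and package names are constructed for illustration.

```python
"""Triage Android packages against the surveillance-permission profile described
in the article (camera, microphone, contacts, media, call log, location, SMS,
accessibility service). Added example; assumes the usual layout of
`dumpsys package` and `enabled_accessibility_services` output.
"""
import re

# Permission groups the article lists, mapped to the standard Android permission
# strings that grant them (assumed AOSP names).
SURVEILLANCE_GROUPS = {
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "media": {"android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.READ_MEDIA_IMAGES",
              "android.permission.READ_MEDIA_VIDEO"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
}
# Google Play's installer package; anything else (or none) counts as sideloaded.
TRUSTED_INSTALLERS = {"com.android.vending"}

PACKAGE_HEADER = re.compile(r"^\s*Package \[([^\]]+)\]")
PERMISSION_LINE = re.compile(r"^\s*([\w.]+\.permission\.[A-Z0-9_]+)\s*$")


def parse_dumpsys_packages(dump: str) -> dict:
    """Return {package: {"requested": set(permissions), "installer": str|None}}.

    Reads the 'requested permissions:' block and the 'installerPackageName='
    line of each 'Package [...]' entry (layout assumed from typical output)."""
    packages, current, in_requested = {}, None, False
    for line in dump.splitlines():
        header = PACKAGE_HEADER.match(line)
        if header:
            current = header.group(1)
            packages[current] = {"requested": set(), "installer": None}
            in_requested = False
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("installerPackageName="):
            value = stripped.split("=", 1)[1]
            packages[current]["installer"] = None if value == "null" else value
        elif stripped == "requested permissions:":
            in_requested = True
        elif in_requested:
            perm = PERMISSION_LINE.match(line)
            if perm:
                packages[current]["requested"].add(perm.group(1))
            elif stripped.endswith(":"):
                in_requested = False  # reached the next section header
    return packages


def parse_accessibility_services(setting: str) -> set:
    """Package names with an enabled accessibility service, from the
    colon-separated component list 'pkg/pkg.Service:...' ('null' when empty)."""
    if not setting or setting.strip() == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in setting.strip().split(":") if comp}


def assess(pkg: str, info: dict, accessibility_pkgs: set) -> dict:
    """Rate one package: 'high' if it matches the profile and is sideloaded,
    'review' if it matches but came from a trusted installer, else 'low'."""
    matched = {g for g, perms in SURVEILLANCE_GROUPS.items() if info["requested"] & perms}
    if pkg in accessibility_pkgs:
        matched.add("accessibility")
    sideloaded = info["installer"] not in TRUSTED_INSTALLERS
    # Accessibility plus live capture, or most of the profile at once, is the
    # combination the article describes.
    profile = ("accessibility" in matched and bool({"camera", "microphone"} & matched)) \
        or len(matched) >= 6
    risk = "high" if profile and sideloaded else "review" if profile else "low"
    return {"package": pkg, "matched": sorted(matched), "sideloaded": sideloaded, "risk": risk}


def triage(dump: str, accessibility_setting: str) -> dict:
    a11y = parse_accessibility_services(accessibility_setting)
    return {pkg: assess(pkg, info, a11y) for pkg, info in parse_dumpsys_packages(dump).items()}


# Constructed sample: one fake "antivirus" sideloaded via a messenger link, one
# ordinary app installed from Play. Not a real capture.
SAMPLE_DUMPSYS = """\
Packages:
  Package [ru.example.guardcb] (6d1f2a3):
    userId=10245
    installerPackageName=null
    requested permissions:
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
      android.permission.READ_CONTACTS
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.READ_CALL_LOG
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_SMS
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.notes] (9b8c7d6):
    userId=10246
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
"""
SAMPLE_A11Y = "ru.example.guardcb/ru.example.guardcb.svc.GuardService:com.example.reader/.ReadAloudService"

if __name__ == "__main__":
    for result in triage(SAMPLE_DUMPSYS, SAMPLE_A11Y).values():
        print(f"{result['risk']:6} {result['package']:22} sideloaded={result['sideloaded']} "
              f"groups={','.join(result['matched'])}")
```

Feed it a real `dumpsys package` capture and the accessibility setting from a device under review; the “high” rating is a prompt for analyst review, since legitimate apps from a trusted installer can also hold broad permissions, which is why those are rated “review” rather than “high.”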
The malware is extremely targeted, made especially for Russian users, and not meant for widespread infection, according to Doctor Web. The malware’s infrastructure enables it to switch between 15 different hosting companies, indicating that its developers made it resilient to disruption and persistent.
Precautions
For the time being, Android users are advised to only download apps from reliable sources, like the Google Play Store, to be wary of apps that purport to be government security tools, and to pay attention to the permissions that apps ask for.
Doctor Web says that all known versions of the spyware are detected and removed by its own antivirus product. The Android-related indicators of compromise (IoCs) are included in the report the company shared, and the indicators for Android.Backdoor.916.origin are also available in the company’s GitHub repository.