A new strain of Android malware, posing as an antivirus tool supposedly linked to Russia’s Federal Security Service (FSB), is targeting executives at Russian businesses. This finding comes from a recent report by Dr. Web, a security firm based in Russia, which has identified the spyware as ‘Android.Backdoor.916.origin.’ Notably, the malware appears to be a standalone development with no connection to any previously recognized malware family.
Capabilities and Targeting
The malware exhibits a range of alarming capabilities, including:
- Surreptitious monitoring of conversations
- Streaming video from the device’s camera
- Logging user input through a keylogger
- Exfiltrating data from messaging applications
Since its initial detection in January 2025, Dr. Web has tracked multiple iterations of this malware, suggesting ongoing development. The researchers conclude that the malware is specifically engineered for targeted attacks on Russian enterprises, as evidenced by its distribution methods and the exclusive use of the Russian language in its interface.
Two primary branding efforts have been identified: one under the name “GuardCB,” which pretends to represent the Central Bank of the Russian Federation, and others labeled “SECURITY_FSB” and “ФСБ” (FSB), which aim to impersonate software purportedly linked to the Russian intelligence agency. Dr. Web emphasizes that the malware’s singular focus on Russian users is further corroborated by its design and functionality.
Source: Dr. Web
Despite its guise as a security application, the tool has no genuine protective features; it exists only to convince users that it is a legitimate antivirus solution. When a user taps the ‘scan’ function, the interface simulates a scan that reports a fabricated detection approximately 30% of the time, with the number of reported “threats” chosen at random between one and three.
Permissions and Functionality
Upon installation, the malware requests an array of high-risk permissions, including:
- Geo-location access
- Access to SMS and media files
- Camera and audio recording capabilities
- Accessibility Service permissions
- Background operation permissions
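The permission set above is the strongest static signal a defender has before the C2 connection is ever made: no single permission is unusual, but a self-styled “antivirus” that asks for location, SMS, media, camera, microphone, background execution and an Accessibility Service at once is. The following is an added example, not Dr. Web’s tooling, of a manifest check that scores that combination and also flags the lure labels named in the article. The manifest it parses is constructed for the example (the package name is invented); the Android permission constants are real, while the risk groups, weights and threshold are assumptions chosen for illustration.

```python
"""Flag an Android manifest whose requested permissions match the high-risk
combination described for Android.Backdoor.916.origin.

Added illustration, not Dr. Web's code. The sample manifests below are
constructed; the grouping and threshold are assumptions for the example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups from the article, mapped to real Android permission names.
RISK_GROUPS = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "media": {"android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.READ_MEDIA_IMAGES"},
    "camera": {"android.permission.CAMERA"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "background": {"android.permission.FOREGROUND_SERVICE",
                   "android.permission.RECEIVE_BOOT_COMPLETED"},
}
# An accessibility service is not a uses-permission entry; it is a <service>
# guarded by this bind permission, so it is checked separately.
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Application labels used by the samples described in the article.
LURE_LABELS = ("GuardCB", "SECURITY_FSB", "ФСБ")

# Constructed manifest modelled on the article's permission list.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.guardcb">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="GuardCB">
    <service android:name=".Watcher"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed manifest for an ordinary camera app, for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.camera">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Camera"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def accessibility_service_declared(manifest_xml):
    """True if any <service> is bound with the accessibility permission."""
    root = ET.fromstring(manifest_xml)
    return any(svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERM
               for svc in root.iter("service"))


def app_label(manifest_xml):
    """Return the application label, or an empty string if none is set."""
    app = ET.fromstring(manifest_xml).find("application")
    return app.get(ANDROID_NS + "label", "") if app is not None else ""


def assess(manifest_xml, threshold=5):
    """Score the manifest: which risk groups it hits, whether its label
    matches a known lure, and an overall suspicious verdict (assumed rule:
    >= threshold groups, or a lure label plus at least two groups)."""
    perms = requested_permissions(manifest_xml)
    groups = sorted(g for g, names in RISK_GROUPS.items() if perms & names)
    if accessibility_service_declared(manifest_xml):
        groups.append("accessibility")
    lure = any(tag in app_label(manifest_xml) for tag in LURE_LABELS)
    suspicious = len(groups) >= threshold or (lure and len(groups) >= 2)
    return {"groups": groups, "lure_label": lure, "suspicious": suspicious}


if __name__ == "__main__":
    for name, xml in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, assess(xml))
```

The check deliberately treats the Accessibility Service as its own signal rather than as one more permission: it is what lets spyware of this kind read text from other apps and keep itself alive, so its presence alongside even a couple of the data-access groups is worth a closer look regardless of the total.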
Once these permissions are granted, the malware activates multiple services to establish a connection with its command and control (C2) infrastructure, enabling it to execute a variety of malicious commands, such as:
- Exfiltrating SMS messages, contacts, call history, geo-location data, and stored images
- Activating the device’s microphone, camera, and screen for streaming
- Capturing text input and content from popular messaging and browser applications, including Telegram, WhatsApp, Gmail, Chrome, and Yandex
- Executing shell commands, ensuring persistence, and implementing self-protection measures
Dr. Web’s analysis also found that the malware can fail over between as many as 15 different hosting providers for its C2 infrastructure. This feature is not currently in use, but it shows the malware was built with resilience to takedowns in mind.
For those interested in further details, Dr. Web has made available the complete indicators of compromise related to Android.Backdoor.916.origin on their GitHub repository.