Doctor Web’s antivirus laboratory has unveiled a sophisticated Android backdoor malware, known as Android.Backdoor.916.origin, which has been evolving since its initial detection in January 2025. This multifunctional spyware primarily targets representatives of Russian businesses through focused attacks rather than broad distribution tactics.
Attackers are disseminating the malicious APK file via private messages in popular messaging platforms, cleverly disguising it as a legitimate antivirus application called “GuardCB.”
Distribution of the Backdoor Threat
The app’s icon cleverly mimics the emblem of the Central Bank of the Russian Federation, superimposed on a shield, and features an interface exclusively in Russian, reinforcing its appeal to Russian-speaking users.
Variants of this malware have emerged under names such as “SECURITY_FSB” and “FSB,” falsely presenting themselves as security tools associated with Russian law enforcement agencies. These deceptive tactics exploit user trust in official entities to facilitate installation.
Upon execution, Android.Backdoor.916.origin simulates an antivirus scan to uphold its facade, programmatically determining a “threat detection” probability that escalates over time to as high as 30%, with a random count of 1 to 3 fabricated threats. However, it offers no genuine protective capabilities.
Instead, it aggressively requests extensive system permissions during its initial launch, including access to geolocation, audio recording, SMS, contacts, call logs, media files, outgoing calls, and camera functions for photos and videos. It also seeks background operation permissions, device administrator privileges, and access to the Accessibility Service. These permissions empower a wide array of surveillance and data exfiltration activities, positioning the malware as a formidable tool for cyber espionage.
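The permission set above is a usable triage signal on its own. As an added example (not Doctor Web's code or anything from the report), the following script parses a decoded AndroidManifest.xml (as produced by apktool) and flags an app that combines broad data permissions with both an accessibility service and a device-admin receiver; the sample manifest is constructed for the example, and the threshold of six capabilities is an assumed cut-off, not a figure from the report.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

SURVEILLANCE_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION": "geolocation",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.CAMERA": "camera",
}
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

def triage_manifest(manifest_xml: str) -> dict:
    """Summarise surveillance capabilities declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    caps = set()
    for perm in root.iter("uses-permission"):
        cap = SURVEILLANCE_PERMS.get(perm.get(A + "name", ""))
        if cap:
            caps.add(cap)
    # Accessibility and device-admin hooks appear as components guarded by bind permissions.
    for comp in root.iter():
        guard = comp.get(A + "permission")
        if comp.tag == "service" and guard == BIND_ACCESSIBILITY:
            caps.add("accessibility")
        elif comp.tag == "receiver" and guard == BIND_DEVICE_ADMIN:
            caps.add("device_admin")
    # Both privileged hooks plus broad data access; the 6-capability threshold is an assumption.
    suspicious = {"accessibility", "device_admin"} <= caps and len(caps) >= 6
    return {"capabilities": sorted(caps), "suspicious": suspicious}

# Constructed manifest fragment mirroring the permission set above (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""
```

Running `triage_manifest(SAMPLE_MANIFEST)` returns all eight capabilities with `suspicious` set to True; a legitimate antivirus app would rarely declare a device-admin receiver, an accessibility service, SMS, call log and camera access together.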
Command Infrastructure
The architecture of this backdoor includes multiple self-sustaining services that activate upon installation and are monitored every minute to ensure persistence. It establishes connections to command-and-control (C2) servers, receiving directives through dedicated ports for segmented data transmission.
Key commands include sending inbound and outbound SMS messages, contact lists, call histories, and geolocation data to the server; initiating or terminating audio streams from the microphone, video feeds from the camera, or screen broadcasts; and uploading all images from the device’s storage or specific files by name or range. The malware can also toggle self-defense mechanisms, execute arbitrary shell commands, and relay detailed network and device interface information.
Utilizing the Accessibility Service, Android.Backdoor.916.origin implements keylogger functionality to intercept keystrokes, including sensitive inputs like passwords, while monitoring targeted applications such as Telegram, Google Chrome, Gmail, Yandex Start, Yandex Browser, and WhatsApp for content theft. This service also enhances the malware’s anti-removal defenses when commanded, complicating eradication efforts.
The configuration supports integration with up to 15 hosting providers for C2 server redundancy, although this feature remains dormant in observed samples. In response to this threat, Doctor Web has proactively notified domain registrars about associated abuses to disrupt the infrastructure.
Experts at Doctor Web assess that Android.Backdoor.916.origin is optimized for precision strikes against business executives, enabling attackers to conduct comprehensive surveillance, steal proprietary data, and potentially facilitate further intrusions, such as ransomware deployment or lateral movement within corporate networks.
All known variants are effectively detected and neutralized by Dr.Web antivirus solutions for Android, significantly mitigating risks for protected users. Organizations are advised to enforce strict APK sideloading policies, verify app authenticity through digital signatures, and employ behavioral analysis tools to counter such deceptive threats. Ongoing monitoring of indicators of compromise (IoCs) provided by Doctor Web is recommended for threat intelligence teams tracking Russian-focused cyber operations.