Security experts at Doctor Web have revealed a sophisticated Android spyware campaign targeting Russian business leaders. The malware, identified as Android.Backdoor.916, was first detected in January 2025 and has since undergone several iterations. This malicious software is typically distributed through APK files disguised as security applications, most notably under the name GuardCB. The app features an icon that closely resembles the emblem of the Central Bank of the Russian Federation, cleverly placed on a shield. Other variants are labeled “SECURITY_FSB” or simply “FSB,” aiming to impersonate software from law enforcement or regulatory agencies. Notably, the application interface is exclusively in Russian, indicating a targeted approach rather than a broad global reach.
Attackers primarily disseminate the APK via private messages on popular messaging platforms, circumventing official app stores. This strategy leverages trusted communication channels to deceive potential victims into downloading the spyware.
Multifunctional Surveillance and Espionage Capabilities
Upon installation, Android.Backdoor.916.Origin does not provide any genuine protective features. Instead, it simulates device scans, generating random reports of one to three fictitious threats, with the likelihood of detection increasing the longer the victim delays subsequent scans. Beneath this deceptive exterior, the malware activates extensive spyware modules, requesting permissions for geolocation, camera and microphone usage, SMS and contact access, call logs, and background operation. It also demands device administrator rights and Accessibility Service access, allowing it to establish deep-rooted persistence and conduct a wide array of spying activities.
The malware can transmit both incoming and outgoing SMS messages, upload the victim’s contact list, forward phone call history and location data, and exfiltrate media stored on the device. More advanced commands enable real-time audio streaming from the microphone, video capture from the camera, and even screen activity monitoring. Doctor Web researchers have noted that the Accessibility Service is exploited to maintain a keylogger, intercepting sensitive content from widely used applications such as Telegram, WhatsApp, Gmail, Google Chrome, Yandex Start, and Yandex Browser.
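As an added defender-side example (not code from Doctor Web or the report), the following script triages a decoded AndroidManifest.xml for the profile described above: the surveillance permissions together with an Accessibility Service and a Device Admin receiver. It assumes the manifest has already been decoded to plain XML (for example with apktool); the sample manifest, package and class names are constructed placeholders, not indicators from the report.

```python
# Added example, not Doctor Web's code: flag a decoded AndroidManifest.xml whose
# permission profile matches the spyware described in the article. Assumes the
# binary manifest was already decoded to plain XML (e.g. with apktool).
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
NAME = ANDROID_NS + "name"
PERM = ANDROID_NS + "permission"

# Capability groups the report attributes to the backdoor, mapped to the
# standard Android permissions that grant them.
SURVEILLANCE_PERMS = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
}

def triage_manifest(xml_text: str) -> dict:
    """Return the surveillance groups requested and whether the app declares an
    Accessibility Service or a Device Admin receiver; 'suspicious' is set when
    all three pillars of the reported profile are present."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    groups = sorted(g for g, perms in SURVEILLANCE_PERMS.items() if requested & perms)
    accessibility = any(s.get(PERM) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
                        for s in root.iter("service"))
    device_admin = any(r.get(PERM) == "android.permission.BIND_DEVICE_ADMIN"
                       for r in root.iter("receiver"))
    suspicious = accessibility and device_admin and len(groups) >= 4
    return {"groups": groups, "accessibility": accessibility,
            "device_admin": device_admin, "suspicious": suspicious}

# Constructed sample manifest with placeholder names; not from the real APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.guard">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A hit from this heuristic is a reason for manual review of the APK, not a verdict on its own, since legitimate accessibility tools and MDM agents request overlapping permissions.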
Control over the malware is maintained through a modular system of services that reconnect to the command server every minute, ensuring constant communication and resilience. The backdoor configuration includes addresses of up to fifteen different hosting providers for fallback connectivity, although this feature remains inactive at present. Investigators conclude that Android.Backdoor.916.Origin is not intended for mass infections but is instead designed for targeted cyber-espionage campaigns.
The characteristics of the malware, its branding choices, the Russian-only interface, and the direct distribution method all indicate deliberate operations aimed at corporate executives and business figures. The ability to harvest personal and professional data, combined with real-time surveillance capabilities, positions this spyware as a formidable tool for intelligence gathering and corporate intrusion.
Doctor Web has confirmed that its antivirus solutions for Android effectively detect and eliminate all known variants of this backdoor, thereby mitigating immediate risks for protected users. However, this discovery underscores a growing trend: high-value individuals, particularly within the business and political arenas, are increasingly vulnerable to mobile spyware masquerading as legitimate applications. Experts are urging organizations to enhance mobile security policies, restrict the side-loading of APKs, and educate high-risk employees about the social engineering tactics that attackers exploit in their targeted operations.