Fake Antivirus App Spreads Android Malware to Spy on Russian Users

Researchers at Doctor Web have issued an alert about a new Android backdoor, detected as Android.Backdoor.916.origin. The malware has been active since January 2025 and can eavesdrop on conversations, steal messages, stream video from the camera, and log keystrokes.

This is the second time within a four-month period that Doctor Web has reported malware aimed at targets in Russia. In April 2025, the company described a trojanized build of the Alpine Quest mapping application that was covertly spying on Russian military personnel.

Fake Anti-Virus Android App with Fake Results

Doctor Web's researchers believe the malware is not meant for mass infection of ordinary Android users. Instead, it appears to be a targeted tool aimed at Russian business representatives. The distribution method supports this: the attackers send the APK in direct messages on messaging platforms, passing it off as an antivirus application named GuardCB.

The counterfeit app's icon places an emblem resembling that of the Central Bank of Russia on a shield, lending it an air of legitimacy. Once launched, it runs what looks like an antivirus scan, complete with fabricated detection results designed to look credible.

“This is confirmed by other detected modifications with names like ‘SECURITY_FSB’, ‘ФСБ’ (FSB), and others, which cybercriminals are attempting to pass off as security-related programs supposedly linked to Russian law enforcement agencies,” the Doctor Web researchers noted in their blog post.

Once installed, the application requests an extensive set of permissions, from geolocation and audio recording to camera access and SMS data. It also asks for device administrator rights and for access to Android's Accessibility Service. The Accessibility Service lets an app observe and act on the UI of other apps, which is what allows the malware to function as a keylogger and capture content from widely used applications, including:

  • Gmail
  • Telegram
  • WhatsApp
  • Yandex Browser
  • Google Chrome

Malware asking for permissions in the Russian language (via Doctor Web)
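The combination described above (broad surveillance permissions plus an Accessibility Service and a device-admin receiver) is a useful static triage signal for any sideloaded APK. The following script is an added example written for this page, not Doctor Web's tooling or anything from the GuardCB sample; it assumes the AndroidManifest.xml has already been decoded from binary AXML to plain XML (for instance with apktool or androguard), and the manifest embedded below is constructed to resemble what the article describes rather than taken from the real malware.

```python
"""Static triage of a decoded AndroidManifest.xml for the spyware profile
described in the article: surveillance permissions + accessibility service
+ device admin receiver. Added example; not Doctor Web's code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# Permissions the article says the fake antivirus requests.
SURVEILLANCE_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
}
# System permissions that guard the two privileged component types.
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"

# Constructed sample manifest (package and class names are invented).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.guardcb.sample">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="GuardCB">
    <service android:name=".KeyLogService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the package, the surveillance permissions it requests, its
    accessibility services and device-admin receivers, and a verdict."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    accessibility = [e.get(NAME) for e in root.iter("service")
                     if e.get(PERMISSION) == ACCESSIBILITY_PERM]
    admins = [e.get(NAME) for e in root.iter("receiver")
              if e.get(PERMISSION) == DEVICE_ADMIN_PERM]
    surveillance = sorted(requested & SURVEILLANCE_PERMS)
    # Threshold is a triage heuristic chosen for this example: an app that
    # wants UI-level access, cannot be trivially uninstalled, and collects
    # three or more surveillance data sources deserves manual review.
    spyware_profile = bool(accessibility) and bool(admins) and len(surveillance) >= 3
    return {
        "package": root.get("package"),
        "surveillance_permissions": surveillance,
        "accessibility_services": accessibility,
        "device_admins": admins,
        "verdict": "spyware-profile" if spyware_profile else "no-match",
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print("%-25s %s" % (key, value))
```

A legitimate accessibility tool or an MDM agent will match one or two of these signals, so the verdict is a prompt for manual review, not a detection on its own; the point is that the three together, in an app delivered over a chat message, are the profile the article describes.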

Livestreaming Audio and Broadcast Video

According to Doctor Web, the malware is built for persistence. It starts its own background services, checks their status every minute, and restarts them if they have been stopped. It also talks to several command-and-control servers and can switch between as many as 15 hosting providers to keep its infrastructure reachable.

The command set detailed in Doctor Web's report shows the extent of the spying functions. The malware can livestream audio from the microphone, broadcast video from the camera, capture text as the user types, and upload contacts, SMS messages, images, and call history. It can also stream the device's screen in real time.

Exploiting Android’s Accessibility Service

The malware also abuses Android's Accessibility Service to protect itself. Beyond capturing keystrokes, the service is used to obstruct attempts to uninstall the app once the operators issue the corresponding command. Because this interference happens at the UI layer, a victim trying to remove the app through Settings can be blocked, which makes removal difficult without security software or an out-of-band path such as adb.
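Because the self-protection works through the Accessibility Service, which only sees and manipulates on-screen UI, it does not stop commands issued over adb. The following is an added example for this page (not Doctor Web's tooling): it takes the output of two adb commands, finds packages that hold both an enabled accessibility service and an active device admin, and emits the removal steps in the order Android requires (device admin must be deactivated before `pm uninstall` will succeed). The two input strings are constructed to resemble `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys device_policy`; the package names are invented.

```python
"""Find packages that hold both an enabled accessibility service and an
active device admin, and produce an adb-based removal plan.
Added example; the inputs below are constructed, not captured."""
import re

# Constructed: value of `settings get secure enabled_accessibility_services`
# (colon-separated components; "null" when none are enabled).
ACCESSIBILITY_OUTPUT = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.guardcb.sample/com.example.guardcb.sample.KeyLogService"
)

# Constructed: excerpt in the shape of `dumpsys device_policy`.
DEVICE_POLICY_OUTPUT = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.example.guardcb.sample/com.example.guardcb.sample.AdminReceiver}:
      uid=10234
      policies:
        force-lock
"""


def parse_accessibility_services(settings_value):
    """'pkg/cls:pkg2/cls2' -> list of components; 'null' or '' -> []."""
    value = settings_value.strip()
    if value in ("", "null"):
        return []
    return [c for c in value.split(":") if c]


def parse_device_admins(dumpsys_text):
    """Extract 'pkg/cls' from every ComponentInfo{...} in dumpsys output."""
    return re.findall(r"ComponentInfo\{([^}]+)\}", dumpsys_text)


def package_of(component):
    return component.split("/", 1)[0]


def suspicious_packages(accessibility_components, admin_components):
    """Packages that hold both privileges: the combination the article describes."""
    acc = {package_of(c) for c in accessibility_components}
    adm = {package_of(c) for c in admin_components}
    return sorted(acc & adm)


def removal_plan(pkg, accessibility_components, admin_components):
    """adb steps to remove `pkg`, preserving other accessibility services."""
    keep = [c for c in accessibility_components if package_of(c) != pkg]
    steps = []
    # 1. Stop the malicious accessibility service from running by rewriting
    #    the enabled list without it (delete the key when nothing remains).
    if keep:
        steps.append('adb shell settings put secure enabled_accessibility_services "%s"'
                     % ":".join(keep))
    else:
        steps.append("adb shell settings delete secure enabled_accessibility_services")
    # 2. Deactivate the device admin; pm uninstall fails while it is active.
    for component in admin_components:
        if package_of(component) == pkg:
            steps.append("adb shell dpm remove-active-admin %s" % component)
    # 3. Uninstall for the primary user.
    steps.append("adb shell pm uninstall --user 0 %s" % pkg)
    return steps


if __name__ == "__main__":
    acc = parse_accessibility_services(ACCESSIBILITY_OUTPUT)
    adm = parse_device_admins(DEVICE_POLICY_OUTPUT)
    for pkg in suspicious_packages(acc, adm):
        print("# suspicious:", pkg)
        print("\n".join(removal_plan(pkg, acc, adm)))
```

One caveat a responder should know before relying on step 2: `dpm remove-active-admin` only succeeds for admin apps that declare `android:testOnly` in their manifest, which real malware will not. For the general case, reboot into safe mode, where third-party apps (including their accessibility services) do not run, deactivate the admin under Settings, and then run the `pm uninstall` step.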

Doctor Web notes that, despite its advanced capabilities, the malware is highly localized: its interface is available only in Russian. This further supports the conclusion that it was built for a specific target group.

For Android users in Russia, the practical advice is to install applications only from trusted sources, to treat any APK received over a messenger as suspect no matter what it claims to be, and to be wary of apps that ask for device administrator rights or Accessibility Service access, since those two privileges are what allow malware of this kind to keylog and resist removal.
