A recent discovery by cybersecurity researchers at Doctor Web has unveiled a sophisticated Android malware strain that has been targeting Russian users, particularly within the business sector. This malware, identified as Android.Backdoor.916.origin, is being distributed through an app dubbed GuardCB, which appeared in early 2025. This deceptive application masquerades as an antivirus tool while conducting comprehensive surveillance on its users.
The interface of GuardCB is exclusively in Russian, with a logo mimicking the emblem of the Central Bank of Russia. This strategic design choice, combined with names like SECURITY_FSB and FSB used by malware variants, serves to mislead users into associating the app with state or law enforcement affiliations.
Intrusive Permissions and Capabilities
Once installed, GuardCB requests an extensive list of permissions including access to the device's location, microphone, camera, messages, call logs, contacts, and even administrator rights. Its reach extends further, seeking access to popular apps such as WhatsApp, Telegram, Chrome, Gmail, and Yandex.
This broad spectrum of permissions enables the attackers to execute a wide range of spying activities. They can stream live video and audio from the device, capture photos, access stored files, monitor keystrokes, and track communications and geolocation in real time. This level of intrusion poses a significant risk to personal privacy and data security.
To maintain its guise as a legitimate security tool, GuardCB simulates antivirus functions by conducting fake scans and generating false threat reports. These typically claim to have cleaned one to three detected threats, further deceiving users into believing their devices are protected.
Potential State Involvement
Despite its sophisticated nature, the researchers have not attributed this malware to a known cyber actor, nor have they confirmed if it links to espionage activities. However, the level of access it demands and its methodical deployment raise speculations about potential involvement by state or state-aligned entities.
The discovery of GuardCB surfaces amidst a growing cyber conflict in the region, with pro-Ukrainian groups persistently targeting Russian networks. This development highlights the escalating complexity of mobile-based surveillance threats, emphasizing the severe risks they pose to both organizational and national security frameworks.
