A newly discovered Android malware, tracked as
According to findings from Russian mobile security firm Dr. Web, this malware specifically targets the executives of Russian businesses. It displays sophisticated spying capabilities, allowing it to snoop on conversations, stream video from the phone camera, record audio, log keystrokes, and exfiltrate communication data from popular messenger apps.
Targeted Approach and Distribution
Since its first detection in January 2025, Android.Backdoor.916.origin has surfaced in multiple versions, pointing to ongoing development efforts. Distribution tactics, infection methods, and the use of a Russian-only interface strongly suggest that this malware is designed solely for Russian users. Two primary brandings have been observed: "GuardCB," impersonating the Central Bank of the Russian Federation, and "SECURITY_FSB" or "ФСБ," impersonating the FSB.
The fake antivirus app simulates virus scans and generates false positive detections about 30% of the time, effectively discouraging users from removing it. Upon installation, it requests a slew of high-risk permissions, such as access to geolocation, SMS, media, camera, and audio, as well as more severe permissions like device-admin rights and the ability to alter the lock screen.
Dangerous Capabilities
This Android malware links to command-and-control servers, which can then instruct it to perform a variety of unsavory tasks: exfiltrating SMS, contacts, call histories, and location data; activating microphones, cameras, and screen streaming; capturing text input, messenger, or browser content from apps like Telegram, WhatsApp, Gmail, Chrome, and Yandex; executing shell commands; and ensuring its own persistence and self-protection.
Moreover, Dr. Web's research reveals that the malware demonstrates resilience, with a contingency capability to switch hosting providers as needed.
To aid in the combat against
