A new and sophisticated Android malware is being used to conduct targeted attacks against Russian business executives. According to a report by the Russian mobile security firm Dr. Web, the spyware, which they have named ‘Android.Backdoor.916.origin,’ is being distributed under the guise of an antivirus tool. Its deceptive branding, which includes names like “SECURITY_FSB” and “ФСБ,” is designed to impersonate software from Russia’s Federal Security Service (FSB) or “GuardCB” to impersonate the Central Bank of the Russian Federation. The researchers believe the malware’s focus on Russian language and its specific lures indicate it is intended for a very specific group of victims.
Upon installation, the malicious application requests an extensive list of high-risk permissions.
This includes access to geo-location data, SMS messages, media files, and the camera and microphone. It also seeks permission to access the Accessibility Service and run in the background, ensuring it can operate undetected at all times. The app’s fake antivirus interface even attempts to mimic a genuine security scan, displaying a simulation that randomly returns a fake positive result to trick the user into believing the software is working, thus deterring them from uninstalling it.
The ‘Android.Backdoor.916.origin’ malware is a multi-functional backdoor with an alarming array of espionage capabilities.
Once installed, it connects to a command and control (C2) server to receive instructions from the attackers. These commands enable the malware to exfiltrate a wide range of sensitive data, including contacts, call history, geo-location, and stored images. It also has the ability to activate the device’s microphone and camera for live streaming, capture text input with a keylogger, and steal content directly from popular messaging apps and browsers like Telegram, WhatsApp, Gmail, Chrome, and Yandex apps.
Dr. Web’s researchers have been tracking the malware’s evolution since its initial discovery in January 2025 and have already identified multiple subsequent versions. This indicates that the malware is under continuous development, with its creators actively working to improve its capabilities. The researchers also found that the malware is designed for resilience, with the ability to switch between up to 15 different hosting providers, a feature that, while currently inactive, suggests a plan for maintaining persistence even if some C2 servers are taken down.
The sophistication and targeted nature of this malware highlight a growing threat to corporate security. By posing as a legitimate security tool from a trusted government agency, the attackers are exploiting a common need for security solutions while simultaneously gaining comprehensive access to their victims’ devices. This incident serves as a stark reminder of the importance of vigilance when downloading applications, even those that appear to be from credible sources, and the necessity of robust mobile security measures, particularly for high-profile targets within a business environment.
Reference:
