Doctor Web’s antivirus laboratory has identified a sophisticated Android backdoor malware, designated Android.Backdoor.916.origin, which has been evolving since its initial detection in January 2025.
This multifunctional spyware primarily targets representatives of Russian businesses through targeted attacks rather than mass distribution.
Attackers disseminate the malicious APK file via private messages in popular messengers, disguising it as a legitimate antivirus application named “GuardCB.”
Distribution of the Backdoor Threat
The app’s icon mimics the emblem of the Central Bank of the Russian Federation superimposed on a shield, with an interface exclusively in Russian, reinforcing its focus on Russian-speaking users.
Variants have also surfaced under names like “SECURITY_FSB” and “FSB,” falsely posing as security tools affiliated with Russian law enforcement agencies. These deceptive tactics exploit user trust in official entities to facilitate installation.
Upon execution, Android.Backdoor.916.origin simulates an antivirus scan to maintain its facade, programmatically determining a “threat detection” probability that escalates over time up to 30%, with a random count of 1 to 3 fabricated threats. However, it harbors no genuine protective capabilities.
Instead, it aggressively requests extensive system permissions during initial launch, including access to geolocation, audio recording, SMS, contacts, call logs, media files, outgoing calls, camera functions for photos and videos, background operations, device administrator privileges, and the Accessibility Service.
These permissions enable a broad spectrum of surveillance and data exfiltration activities, positioning the malware as a potent tool for cyber espionage.
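The permission bundle listed above is itself a usable triage signal for defenders who vet sideloaded APKs. The following added example, which is not Doctor Web's code and does not analyse the real sample, scores a decoded AndroidManifest.xml (as produced by a tool such as apktool) against the permission families the write-up names, and separately checks for the two privileged components that are declared as BIND_*-guarded components rather than as uses-permission entries: a device-admin receiver and an accessibility service. Both manifests embedded below are constructed samples, and the verdict thresholds are assumptions chosen for illustration.

```python
"""Manifest triage for the surveillance permission bundle described above.

Added example; not Doctor Web's code. The two manifests below are constructed
samples, not extracted from the real backdoor. Input is a decoded (text)
AndroidManifest.xml.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permission families the article says the app requests at first launch.
SURVEILLANCE_FAMILIES = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "media": {"android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.READ_MEDIA_IMAGES"},
    "outgoing_calls": {"android.permission.CALL_PHONE"},
    "camera": {"android.permission.CAMERA"},
    "background": {"android.permission.FOREGROUND_SERVICE"},
}


def triage_manifest(manifest_xml: str) -> dict:
    """Report which surveillance families an APK requests, whether it declares
    a device-admin receiver or an accessibility service, and a verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NAME) for el in root.iter("uses-permission")}
    families = sorted(fam for fam, perms in SURVEILLANCE_FAMILIES.items()
                      if requested & perms)
    # Device admin and accessibility are not <uses-permission> entries: they
    # are components whose android:permission attribute is a BIND_* permission.
    bind_perms = {el.get(PERMISSION) for el in root.iter()
                  if el.tag in ("service", "receiver")}
    device_admin = "android.permission.BIND_DEVICE_ADMIN" in bind_perms
    accessibility = "android.permission.BIND_ACCESSIBILITY_SERVICE" in bind_perms
    # Thresholds are assumptions for this example: many data-access families
    # combined with both privileged components matches the profile above.
    if accessibility and device_admin and len(families) >= 5:
        verdict = "high"
    elif accessibility or device_admin or len(families) >= 5:
        verdict = "medium"
    else:
        verdict = "low"
    return {"families": families, "device_admin": device_admin,
            "accessibility": accessibility, "verdict": verdict}


# Constructed sample resembling the profile described in the article.
SAMPLE_SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.guard">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <service android:name=".MonitorService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed benign sample: a camera-only app.
SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.photo">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    for label, xml in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, triage_manifest(xml))
```

A single family such as camera access is ordinary; the signal is the breadth of data-access families together with an accessibility service and device-admin receiver in one app that also asks for all of them at first launch, which is the behaviour the paragraph above describes.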

Command Infrastructure
The backdoor’s architecture includes multiple self-sustaining services that activate upon installation and are monitored every minute to ensure persistence.
It establishes connections to command-and-control (C2) servers, receiving directives across dedicated ports for segmented data transmission.
Key commands include sending inbound and outbound SMS messages, contact lists, call histories, and geolocation data to the server; initiating or terminating audio streams from the microphone, video feeds from the camera, or screen broadcasts; uploading all images from the device’s storage, or specific files by name or range; toggling self-defense mechanisms; executing arbitrary shell commands; and relaying detailed network and device interface information.
Leveraging the Accessibility Service, Android.Backdoor.916.origin implements keylogger functionality to intercept keystrokes, including sensitive inputs like passwords, while monitoring targeted applications such as Telegram, Google Chrome, Gmail, Yandex Start, Yandex Browser, and WhatsApp for content theft.
This service also bolsters the malware’s anti-removal defenses when commanded, complicating eradication efforts.
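Because the keylogging and anti-removal behaviour described above depends on the victim enabling an accessibility service, an incident responder can check which services are enabled on a device and compare them against an expected set. The following added example, not Doctor Web's code, parses the value returned by `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of package/component pairs) and reports entries whose package is not on an allowlist. The sample setting value and the allowlist entry are constructed for illustration.

```python
"""Flag enabled accessibility services that are not on an allowlist.

Added example, not Doctor Web's code. Input is the value of the Secure
setting enabled_accessibility_services as returned by
`adb shell settings get secure enabled_accessibility_services`; the sample
value and allowlist below are constructed.
"""

# Assumed allowlist of packages whose accessibility services are expected.
KNOWN_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",  # TalkBack screen reader
}


def parse_enabled_services(setting_value: str) -> list[tuple[str, str]]:
    """Split the colon-separated setting into (package, fully qualified class)
    pairs; `settings get` prints the literal string "null" when unset."""
    entries = []
    for item in setting_value.strip().split(":"):
        if not item or item == "null":
            continue
        pkg, _, cls = item.partition("/")
        # A class name beginning with "." is shorthand relative to the package.
        if cls.startswith("."):
            cls = pkg + cls
        entries.append((pkg, cls))
    return entries


def unexpected_services(setting_value: str,
                        allowlist=KNOWN_ACCESSIBILITY_PACKAGES) -> list[str]:
    """Return package/class strings for services outside the allowlist."""
    return [f"{pkg}/{cls}" for pkg, cls in parse_enabled_services(setting_value)
            if pkg not in allowlist]


# Constructed sample: one expected service and one unknown one.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.constructed.guard/.MonitorService"
)


if __name__ == "__main__":
    for entry in unexpected_services(SAMPLE_SETTING):
        print("unexpected accessibility service:", entry)
```

An unknown package with an accessibility service enabled is not proof of compromise, but on a device where the user cannot explain it, it is the first place to look, and the same package should then be checked for a device-admin receiver, since the article notes the two are used together for anti-removal.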
The configuration supports integration with up to 15 hosting providers for C2 server redundancy, though this feature remains dormant in observed samples.
Doctor Web has proactively notified domain registrars about associated abuses to disrupt the infrastructure.
Experts at Doctor Web assess that Android.Backdoor.916.origin is optimized for precision strikes against business executives, enabling attackers to conduct comprehensive surveillance, steal proprietary data, and potentially facilitate further intrusions like ransomware deployment or lateral movement within corporate networks.
All known variants are effectively detected and neutralized by Dr.Web antivirus solutions for Android, mitigating risks for protected users.
Organizations are advised to enforce strict APK sideloading policies, verify app authenticity through digital signatures, and employ behavioral analysis tools to counter such deceptive threats.
Ongoing monitoring of indicators of compromise (IoCs) provided by Doctor Web is recommended for threat intelligence teams tracking Russian-focused cyber operations.