In recent months, security teams have observed the emergence of a highly versatile Android backdoor, Android.Backdoor.916.origin, masquerading as a legitimate antivirus application.
Distributed via private messaging services under the guise of “GuardCB,” its icon closely mimics the emblem of the Central Bank of the Russian Federation against a shield background.
Although the interface displays only Russian language prompts, this malware has been deployed in targeted campaigns against Russian business executives, extracting sensitive corporate communications and personal data.
Upon installation, the counterfeit antivirus simulates system scans, randomly “detecting” between one and three fictitious threats, with detection rates increasing the longer a device remains unscanned, though never exceeding 30 percent.
This deceptive behavior lulls victims into believing the application provides genuine protection.
Beneath this veneer, the backdoor silently requests a lengthy list of permissions—geolocation, audio recording, SMS and contacts access, camera control, background execution, device administrator rights, and Accessibility Service privileges.
Dr.Web researchers noted that once these permissions are granted, the malware initiates multiple persistent services that self-monitor every minute, reconnecting to its command-and-control (C2) infrastructure whenever necessary.
Through separate C2 ports, operators can harvest call logs, SMS traffic, contact lists, and geolocation data; stream microphone audio, camera video, or device screen captures; siphon stored images; and even execute arbitrary shell commands.
The trojan’s ability to toggle self-defense routines via the Accessibility Service enables it to thwart removal attempts by overlaying fake system interfaces or disabling uninstall options.
The sophistication of Android.Backdoor.916.origin is underscored by its dynamic configuration, which can incorporate up to fifteen different hosting providers, although only a subset is active in current campaigns.
Domain registrar notifications have prompted some takedowns, but the mule-like resilience of the C2 network continues to frustrate defenders.
Dr.Web antivirus for Android successfully detects and removes known variants, yet the tailored nature of these attacks underscores the necessity for heightened vigilance among executive circles.
Infection Mechanism and Persistence
Android.Backdoor.916.origin employs an infection mechanism tailored to social engineering and sideloading rather than exploitation of software vulnerabilities.
Victims receive a malicious APK file disguised as “GuardCB.apk” through encrypted messenger threads. Once executed, the app’s manifest registers background services and the Accessibility Service, as illustrated in the snippet below:-
By abusing the Accessibility API, the malware gains keystroke logging and in-app data interception capabilities, ensuring enduring presence even after force-stop or device reboot sequences.
Continuous health checks and automatic service restarts guarantee that the backdoor remains active, silently harvesting data until manually removed.
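The permission and component pattern described above (surveillance permissions plus a bound Accessibility Service and a device-admin receiver) is something a triage pipeline can flag from a decoded manifest. The following is an added example, not code from the original article or from Dr.Web; it assumes the binary AndroidManifest.xml has already been decoded to text (for instance with apktool), and the sample manifest and package name are constructed, not taken from the real sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names matching the capabilities the article attributes
# to the backdoor: location, audio, SMS, contacts, camera, call logs, background
# execution and survival across reboot.
RISKY_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS", "android.permission.READ_CONTACTS",
    "android.permission.CAMERA", "android.permission.READ_CALL_LOG",
    "android.permission.FOREGROUND_SERVICE", "android.permission.RECEIVE_BOOT_COMPLETED",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN_BIND = "android.permission.BIND_DEVICE_ADMIN"

def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    declared = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    risky = sorted(declared & RISKY_PERMISSIONS)
    # An Accessibility Service is a <service> protected by BIND_ACCESSIBILITY_SERVICE;
    # a device-admin receiver is a <receiver> protected by BIND_DEVICE_ADMIN.
    accessibility = any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND
                        for s in root.iter("service"))
    device_admin = any(r.get(ANDROID_NS + "permission") == DEVICE_ADMIN_BIND
                       for r in root.iter("receiver"))
    # Heuristic weighting (an assumption of this example): 1 per risky permission,
    # 2 per privileged component; an Accessibility Service plus surveillance permissions is flagged.
    score = len(risky) + 2 * accessibility + 2 * device_admin
    verdict = "suspicious" if accessibility and score >= 6 else "low"
    return {"risky_permissions": risky, "accessibility_service": accessibility,
            "device_admin": device_admin, "score": score, "verdict": verdict}

# Constructed sample manifest (decoded text); package name is a placeholder.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="GuardCB">
    <service android:name=".Watcher"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""
```

Running `triage_manifest(SAMPLE_MANIFEST)` returns a verdict of `"suspicious"` with a score of 10; a manifest declaring only a camera permission and no privileged components scores 1 and returns `"low"`.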