The malware, identified as Android.Backdoor.916.origin, was first discovered in January 2025 and has since evolved through several variants.
Distributed through APK files disguised as security programs, the spyware is most commonly presented as an application called GuardCB, complete with an icon that mimics the emblem of the Central Bank of the Russian Federation placed on a shield.
Russian Executives Lured with Fake Antivirus Tools
Other versions carry names such as “SECURITY_FSB” or simply “FSB,” in an attempt to masquerade as software from law enforcement or regulatory bodies.
With an interface available only in Russian, the malicious application is clearly designed for a narrow target audience rather than the global user base.
Attackers mainly distribute the APK via private messages in popular messengers, bypassing official app stores and leveraging trusted communication channels to trick prospective victims.
Multifunctional Surveillance and Espionage Capabilities
Once installed, Android.Backdoor.916.Origin offers no genuine protection. Instead, it simulates a device scan, randomly reporting one to three non-existent threats, with the probability of a "detection" increasing the longer the victim waits between scans.
Behind this façade, the malware activates extensive spyware modules. It requests permissions for geolocation, camera and microphone usage, SMS and contact access, call logs, and background operation, while also demanding device administrator rights and Accessibility Service access.
These privileges allow it to establish deep-rooted persistence and facilitate a wide range of spying activities.
The malware can transmit incoming and outgoing SMS messages, upload the victim’s contact list, forward phone call history and location data, and exfiltrate media stored on the device.
More advanced commands enable real-time streaming of audio from the microphone, video from the camera, and even screen activity.
Doctor Web researchers note that the Accessibility Service is abused to run a keylogger that intercepts sensitive content from widely used programs, including Telegram, WhatsApp, Gmail, Google Chrome, Yandex Start, and Yandex Browser.
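The permission profile described above (location, camera, microphone, SMS, contacts, call log, background execution, plus device administrator and Accessibility Service binding) is a strong static signal on its own. The following is an added example, not code from Doctor Web or the article, showing how a defender can triage an APK's decoded AndroidManifest.xml for that combination. The manifest snippets and the scoring thresholds are constructed for illustration; the permission names are real Android identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERM = f"{{{ANDROID_NS}}}permission"

# Capability groups reported for the spyware, mapped to the runtime
# permissions that grant each one (all real Android permission names).
CAPABILITIES = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "background": {"android.permission.FOREGROUND_SERVICE"},
}

def parse_manifest(xml_text):
    """Extract declared permissions and privileged component bindings."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission") if e.get(NAME)}
    # Device-admin receivers and accessibility services are recognised by the
    # signature permission protecting the component, not by a uses-permission.
    comp_perms = {e.get(PERM) for e in root.iter()
                  if e.tag in ("service", "receiver") and e.get(PERM)}
    return {
        "permissions": perms,
        "device_admin": "android.permission.BIND_DEVICE_ADMIN" in comp_perms,
        "accessibility": "android.permission.BIND_ACCESSIBILITY_SERVICE" in comp_perms,
    }

def triage(manifest):
    """Score a manifest: one point per surveillance capability, two each for
    device-admin and accessibility binding (thresholds are an assumption)."""
    caps = {name for name, needed in CAPABILITIES.items()
            if manifest["permissions"] & needed}
    score = len(caps) + 2 * manifest["device_admin"] + 2 * manifest["accessibility"]
    verdict = "high" if score >= 7 else "medium" if score >= 4 else "low"
    return {"capabilities": sorted(caps), "device_admin": manifest["device_admin"],
            "accessibility": manifest["accessibility"], "score": score, "verdict": verdict}

# Constructed manifest mirroring the permission set described in the article.
SPYWARE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="example.guardcb">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed manifest for an ordinary app requesting only network access.
BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><service android:name=".SyncService"/></application>
</manifest>"""

def triage_xml(xml_text):
    return triage(parse_manifest(xml_text))

if __name__ == "__main__":
    for label, xml in (("spyware", SPYWARE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_xml(xml))
```

In practice the manifest is obtained by decoding the APK (for example with apktool or aapt), and a "high" verdict is a reason to block the package from enrolled devices and inspect it further, not a conviction on its own: legitimate accessibility or MDM tools also bind these services.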
Control is maintained via a modular system of services that reconnect to the command server every minute, ensuring constant communication and resilience.
The backdoor configuration also includes addresses of up to fifteen different hosting providers for fallback connectivity, although this feature is not yet in active use.
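A fixed one-minute reconnect cadence is a detectable pattern on the network side. As an added example (not Doctor Web's tooling, and with the log format, device names and TEST-NET destination address all constructed), the following flags device/destination pairs whose connection intervals cluster tightly around a period, using the 60-second cadence described above as the default.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median, pstdev

# Constructed proxy/firewall log lines: one line per outbound connection.
LOG_LINES = [
    "2025-01-15T10:00:00Z device=phone-exec-01 dst=203.0.113.10:443",
    "2025-01-15T10:00:00Z device=phone-staff-02 dst=198.51.100.7:443",
    "2025-01-15T10:00:07Z device=phone-staff-02 dst=198.51.100.7:443",
    "2025-01-15T10:01:02Z device=phone-exec-01 dst=203.0.113.10:443",
    "2025-01-15T10:02:01Z device=phone-exec-01 dst=203.0.113.10:443",
    "2025-01-15T10:03:03Z device=phone-exec-01 dst=203.0.113.10:443",
    "2025-01-15T10:03:40Z device=phone-staff-02 dst=198.51.100.7:443",
    "2025-01-15T10:04:00Z device=phone-exec-01 dst=203.0.113.10:443",
    "2025-01-15T10:05:01Z device=phone-exec-01 dst=203.0.113.10:443",
    "2025-01-15T10:11:05Z device=phone-staff-02 dst=198.51.100.7:443",
    "2025-01-15T10:12:00Z device=phone-staff-02 dst=198.51.100.7:443",
    "2025-01-15T10:12:30Z device=phone-staff-03 dst=192.0.2.44:443",
]

def parse_line(line):
    """Parse one constructed log line into (timestamp, device, destination)."""
    ts, dev, dst = line.split()
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return t, dev.split("=", 1)[1], dst.split("=", 1)[1]

def find_beacons(lines, period=60.0, tolerance=5.0, min_events=5):
    """Return pairs whose median inter-connection gap is within `tolerance`
    seconds of `period` and whose gap jitter is also within `tolerance`."""
    events = defaultdict(list)
    for line in lines:
        t, dev, dst = parse_line(line)
        events[(dev, dst)].append(t)
    hits = []
    for (dev, dst), times in events.items():
        if len(times) < min_events:
            continue  # too few samples to call it periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med, jitter = median(gaps), pstdev(gaps)
        if abs(med - period) <= tolerance and jitter <= tolerance:
            hits.append({"device": dev, "dst": dst, "events": len(times),
                         "median_gap": med, "jitter": round(jitter, 1)})
    return hits

if __name__ == "__main__":
    for hit in find_beacons(LOG_LINES):
        print(hit)
```

Tolerance and minimum-event thresholds are assumptions to tune per environment; mobile push and sync services also poll on schedules, so a hit is a lead to correlate with the device's installed packages rather than an alert in itself.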
A Tool for Targeted Attacks
Investigators conclude that Android.Backdoor.916.origin is not designed for mass infections but rather for targeted cyber-espionage campaigns.
Its characteristics, branding decisions, Russian-only interface, and direct distribution through messaging platforms all point to deliberate operations against corporate executives and business figures.
The ability to harvest personal and professional data, combined with real-time surveillance functions, makes this spyware a powerful instrument for intelligence gathering and corporate intrusion.
Doctor Web confirms that its antivirus solutions for Android detect and eliminate all known variants of this backdoor, mitigating immediate risk for protected users.
Nonetheless, the discovery highlights an ongoing trend: high-value individuals, particularly in the business and political sectors, face increasing exposure to mobile spyware disguised as legitimate applications.
Experts urge organizations to tighten mobile security policies, restrict side-loading of APKs, and educate high-risk employees about social engineering tactics that attackers exploit in targeted operations.
The post Corporate Leaders Targeted by Android Spyware Masquerading as Security Apps appeared first on Cyber Security News.
