

Ethical Hacking News

New Android Malware Threat: "GuardCB" and "SECURITY_FSB" Impersonate Russian Intelligence Agency



A new Android malware strain has been discovered that poses as antivirus software created by Russia's Federal Security Service (FSB). The malware, tracked as "Android.Backdoor.916.origin," is being used to target executives of Russian businesses and can snoop on conversations, stream from the phone's camera, log user input with a keylogger, and exfiltrate communication data from messenger apps. This campaign is particularly concerning because of its sophistication and its ability to pass as a legitimate antivirus tool.

  • Android malware posing as antivirus software created by Russia's Federal Security Service (FSB) is targeting Russian business executives.
  • The malware, dubbed "Android.Backdoor.916.origin," can spy on conversations, stream from the camera, and log user input with a keylogger.
  • The distribution lures are designed to target Russian businesses and impersonate government agencies.
  • The malware has appeared under at least two brandings, "GuardCB" and "SECURITY_FSB," which mimic legitimate security software.
  • The malware requests high-risk permissions upon installation, allowing it to carry out a range of malicious activities on the device.
  • The malware can switch between up to 15 hosting providers, demonstrating its resilience in evading detection.



Android malware posing as antivirus software created by Russia's Federal Security Service (FSB) is being used to target executives of Russian businesses. In a new report, researchers at the Russian mobile security firm Dr. Web track the spyware as 'Android.Backdoor.916.origin' and found no links to known malware families.

The malware can snoop on conversations, stream from the phone's camera, log user input with a keylogger, and exfiltrate communication data from messenger apps. Dr. Web reports that since the initial discovery of this malware in January 2025 it has sampled multiple subsequent versions, indicating continuous development.

The distribution lures are particularly telling, as they appear designed to target Russian businesses. The researchers believe the malware was created for a specific purpose: targeted attacks against Russian executives and their organizations. Dr. Web has seen two main branding attempts, "GuardCB" and "SECURITY_FSB", which impersonate the Central Bank of the Russian Federation and the FSB (Federal Security Service) respectively.

Both brandings are convincing, with a user interface modeled after legitimate security software. Once installed on the device, the malware keeps up the pretence by mimicking a genuine antivirus tool: when the user taps "scan," the interface runs a simulation programmed to return a fake positive result 30% of the time, with the number of fake detections chosen randomly between 1 and 3.

Upon installation, the malware requests several high-risk permissions: geo-location, access to SMS and media files, camera and audio recording, the Accessibility Service, and permission to run in the background at all times. Together these permissions give the malware everything it needs to carry out a wide range of malicious activities on the device.

The malware launches multiple services through which it connects to its command and control (C2) server and receives commands to: exfiltrate SMS, contacts, call history, geo-location, and stored images; activate the microphone, camera, and screen streaming; capture text input and messenger or browser content; execute shell commands; maintain persistence; and enable self-protection. Dr. Web found that the malware can switch between up to 15 hosting providers, demonstrating its resilience in evading detection.

The complete indicators of compromise for Android.Backdoor.916.origin have been shared in a GitHub repository, a useful resource for security researchers investigating this threat.
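A defender-side triage check for the permission profile described in the two paragraphs above, added here as an illustrative example and not code from Dr. Web's report: it parses an APK's AndroidManifest.xml (a constructed sample is embedded) and flags a self-styled "security app" that asks for the combination of location, SMS, media, camera, microphone, contacts, background execution and an Accessibility Service binding. The capability groups and the alert threshold are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Capability groups mapped from the permissions and C2 features the article describes.
# The grouping and the alert threshold are this example's own heuristic, not Dr. Web's.
CAPABILITIES = {
    "location": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "media": {"android.permission.READ_EXTERNAL_STORAGE", "android.permission.READ_MEDIA_IMAGES"},
    "camera": {"android.permission.CAMERA"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "background": {"android.permission.FOREGROUND_SERVICE", "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
}
ALERT_THRESHOLD = 5  # capability groups at which a "security app" becomes suspicious


def profile_manifest(manifest_xml: str) -> dict:
    """Return the surveillance-relevant capability groups an APK manifest asks for."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    found = {cap for cap, perms in CAPABILITIES.items() if requested & perms}
    # An Accessibility Service is a <service> the system binds with BIND_ACCESSIBILITY_SERVICE;
    # it is the hook that lets spyware read screen content and capture text input.
    if any(s.get(PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
           for s in root.iter("service")):
        found.add("accessibility")
    return {"capabilities": sorted(found), "score": len(found),
            "suspicious": len(found) >= ALERT_THRESHOLD}


# Constructed sample manifest (not a real sample of Android.Backdoor.916.origin).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeav">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="Security Scanner">
    <service android:name=".Watcher"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

Running `profile_manifest(SAMPLE_MANIFEST)` flags all eight capability groups; an app that only requests INTERNET scores zero.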



Related Information:

  • https://www.ethicalhackingnews.com/articles/New-Android-Malware-Threat-GuardCB-and-SECURITYFSB-Impersonate-Russian-Intelligence-Agency-ehn.shtml
  • https://www.bleepingcomputer.com/news/security/new-android-malware-poses-as-antivirus-from-russian-intelligence-agency/
  • https://securityaffairs.com/181503/malware/android-backdoor-916-origin-malware-targets-russian-business-executives.html


Published: Mon Aug 25 08:00:55 2025 by llama3.2 3B Q4_K_M
