
    Android.Backdoor.916.origin malware targets Russian business executives

    Pierluigi Paganini
    August 25, 2025

    Doctor Web researchers observed a multifunctional backdoor, tracked as Android.Backdoor.916.origin, targeting Android devices belonging to representatives of Russian businesses.

    The malware executes attacker commands, enabling surveillance, keylogging, and theft of chats, browser data, and even live camera/audio streams.

    The experts observed the first versions of the backdoor in January 2025. Since its discovery, the researchers have monitored the evolution of this threat, identifying multiple versions. Doctor Web speculates that Android.Backdoor.916.origin was designed to be employed in targeted attacks against representatives of Russian businesses.

    “Attackers distribute a backdoor APK file via private messages in messengers under the guise of an antivirus called “GuardCB”. The application has an icon resembling the emblem of the Central Bank of the Russian Federation against the background of a shield. At the same time, its interface provides only one language – Russian.” reads the report published by Doctor Web.

    “That is, the malicious program is entirely focused on Russian users. This is confirmed by other detected modifications with file names such as “SECURITY_FSB”, “FSB” and others, which cybercriminals are trying to pass off as security programs allegedly related to Russian law enforcement agencies.”

    The fake antivirus app mimics a real security tool to avoid removal, running simulated scans that report a random number of fake detections. On installation, it requests a long list of dangerous permissions, including geolocation, SMS, media, camera, audio, background activity, data deletion, lock screen changes, and the Accessibility Service, giving the attackers full control and stealthy persistence on the device.

    The malware keeps its services running continuously and connects to a C2 server to steal SMS messages, contacts, call logs, geolocation, and images, stream audio, video, and the screen, execute commands, and send device info, using a separate port for each data type.

    Android.Backdoor.916.origin abuses the Accessibility Service to log keystrokes and steal data from apps such as Telegram, WhatsApp, Gmail, Chrome, and Yandex browsers, and it can protect itself from removal.
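    As an added illustration (not code from the report or from Doctor Web), the following triage script checks an Android manifest for the permission profile described above: the data-collection permissions combined with an accessibility-service binding and a device-admin receiver. The permission-to-capability mapping, the scoring thresholds, and the embedded manifest are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android manifest attribute namespace

# Capability groups the report lists, mapped to the permissions that grant them
# (this mapping is the example's own assumption, not something from the report).
CAPABILITIES = {
    "location": {"android.permission.ACCESS_FINE_LOCATION"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "media": {"android.permission.READ_MEDIA_IMAGES", "android.permission.READ_EXTERNAL_STORAGE"},
    "camera": {"android.permission.CAMERA"},
    "audio": {"android.permission.RECORD_AUDIO"},
}

def triage_manifest(manifest_xml: str) -> dict:
    """Return the surveillance capabilities a manifest requests and a triage verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    caps = sorted(c for c, perms in CAPABILITIES.items() if requested & perms)
    # Accessibility and device-admin are not <uses-permission> entries: they are
    # bind permissions declared on a <service> / <receiver> component.
    bound = {e.get(A + "permission") for t in ("service", "receiver") for e in root.iter(t)}
    accessibility = "android.permission.BIND_ACCESSIBILITY_SERVICE" in bound
    device_admin = "android.permission.BIND_DEVICE_ADMIN" in bound  # lock screen / wipe
    # An app that binds an accessibility service and also wants device-admin rights
    # or several data-collection permissions matches the profile in the report.
    if accessibility and (device_admin or len(caps) >= 3):
        verdict = "high"
    elif accessibility or caps:
        verdict = "review"
    else:
        verdict = "low"
    return {"capabilities": caps, "accessibility": accessibility,
            "device_admin": device_admin, "verdict": verdict}

# Constructed manifest with the permission profile described in the article.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SUSPECT_MANIFEST))
```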

    “Android.Backdoor.916.origin has the ability to work with a large number of control servers, information about which is located in its configuration. In addition, it has the ability to switch between hosting providers, the number of which reaches 15, but at present such functionality is not used.” concludes the report that also includes Indicators of compromise. “The Doctor Web antivirus laboratory has notified domain registrars of the corresponding violations.”
