Fake Antivirus Targets Russian Businesses: Inside a New Android Espionage Campaign
The malware Android.Backdoor.916.origin, uncovered by Doctor Web's research laboratory, specifically targets the corporate sector in Russia and possesses extensive capabilities for surveillance and data theft. Its purpose is not mass infection but precise, targeted attacks against employees of Russian companies. The first samples surfaced in January 2025, and Doctor Web's specialists have since tracked the evolution of every variant they identified.
The trojan spreads through private messages in messengers, where victims receive an APK file disguised as an antivirus application named “GuardCB.” The app’s icon mimics the emblem of the Central Bank of Russia superimposed on a shield, while its interface is entirely in Russian—underscoring its clear targeting of Russian users. Other versions masqueraded under names like “SECURITY_FSB” and “ФСБ,” exploiting trust through associations with law enforcement agencies.
In reality, the application provides no antivirus functionality. Upon launch, it simulates a device scan, displaying fabricated threats whose likelihood depends on the time elapsed since the last “check,” but never exceeding 30%. The number of “detected threats” is randomly chosen between one and three.
Once installed, the trojan demands extensive system permissions, including access to geolocation, audio recording, SMS, contacts, call logs, media files, call functions, camera control, background processes, device administrator rights, and accessibility services.
It then launches its own services and ensures persistence by restarting them whenever they are stopped. Through these services the malware connects to its command-and-control (C2) server and awaits instructions. The supported commands include relaying inbound and outbound SMS to the server and exfiltrating contacts, call history, and device coordinates. It can also stream live audio from the microphone, video from the camera and the screen, and extract images from the device's storage, either in full or according to filters set by the operator.
The backdoor further supports execution of arbitrary shell commands, toggling self-protection mechanisms, and transmitting details about the device’s network interfaces. Different categories of stolen data are routed through separate ports on the C2 server.
A particularly dangerous feature is its abuse of accessibility services to function as a keylogger. Android's accessibility API delivers the text and UI events of whatever application is in the foreground to any enabled accessibility service, so no root access is required. Through this mechanism the malware reads content displayed in browsers and messengers and captures keystrokes, including passwords. Among the monitored applications are Telegram, Chrome, Gmail, Yandex Start, Yandex Browser, and WhatsApp. When commanded to do so, the malware can also block attempts to remove it from the device.
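The permission set demanded at install time and the accessibility-service keylogger described above together form a recognisable static signature: a single app that requests location, microphone, SMS, contacts, call-log, storage and camera access while also declaring an accessibility service and a device-admin receiver. The following triage script is an added example, not code from Doctor Web or from the malware itself; it parses an AndroidManifest.xml (as obtained from apktool or a similar decoder), buckets the requested permissions by surveillance capability, checks for the two privileged components, and scores the result. Both manifests embedded in it are constructed for the example, the package names are placeholders, and the capability buckets and the scoring threshold are the author's assumptions, not values from the report.

```python
"""Static triage of an Android manifest for a spyware-style capability profile.

Added example (not from the original report). Run against the decoded
AndroidManifest.xml of an APK; here two constructed manifests are embedded.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree key prefix for android:* attributes

# Capability buckets (assumption: grouping chosen for this example). Each bucket
# corresponds to one data source the report says the backdoor exfiltrates.
CAPABILITIES = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION",
                 "android.permission.ACCESS_BACKGROUND_LOCATION"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "call_log": {"android.permission.READ_CALL_LOG",
                 "android.permission.READ_PHONE_STATE",
                 "android.permission.CALL_PHONE"},
    "media": {"android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.READ_MEDIA_IMAGES"},
    "camera": {"android.permission.CAMERA"},
    "background": {"android.permission.FOREGROUND_SERVICE",
                   "android.permission.RECEIVE_BOOT_COMPLETED"},
}

# Intent actions that identify the two privileged components.
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
SUSPICIOUS_SCORE = 8  # assumption: tune per corpus


def _declares(root, component_tag, action):
    """True if some <component_tag> carries an intent-filter with `action`."""
    for comp in root.iter(component_tag):
        for act in comp.iter("action"):
            if act.get(A + "name") == action:
                return True
    return False


def triage_manifest(xml_text):
    """Parse a manifest and return the capability profile plus a score."""
    root = ET.fromstring(xml_text)
    perms = {el.get(A + "name") for el in root.iter("uses-permission")}
    buckets = sorted(b for b, names in CAPABILITIES.items() if perms & names)
    accessibility = _declares(root, "service", ACCESSIBILITY_ACTION)
    device_admin = _declares(root, "receiver", DEVICE_ADMIN_ACTION)
    # Each data-source bucket counts 1; the two privileged components count 2
    # each because they enable keylogging and uninstall blocking respectively.
    score = len(buckets) + 2 * accessibility + 2 * device_admin
    return {
        "package": root.get("package"),
        "capabilities": buckets,
        "accessibility_service": accessibility,
        "device_admin": device_admin,
        "score": score,
        "suspicious": score >= SUSPICIOUS_SCORE,
    }


# Constructed manifest resembling the profile described in the report.
SPYWARE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeav">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <service android:name=".KeyService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign control: a torch app that only needs the camera.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""


if __name__ == "__main__":
    for m in (SPYWARE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
```

The score is deliberately crude: the point is the combination, not any single permission. A legitimate launcher or messenger may legitimately hold several of these buckets, so use the output to prioritise which APKs get dynamic analysis rather than as a verdict on its own.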
Android.Backdoor.916.origin supports communication with a pool of up to fifteen control servers whose details are embedded in its configuration. Although server rotation is not currently active, the capability is built into its architecture. Doctor Web has already notified the domain registrars about the abusive domains.
The fact that this threat disguises itself as an antivirus bearing the appearance of official government software makes it particularly insidious in the context of social engineering attacks.