A new Android malware is circulating, disguised as an antivirus app purportedly developed by the Russian Federal Security Service (FSB). In reality it is a spying tool being used to specifically target executives at Russian companies.
The threat was discovered by the Russia-based mobile security firm Dr. Web. In their latest report, researchers identified the spyware as 'Android.Backdoor.916.origin' and, notably, found that it does not match any known malware family so far.
So what can this malware do? A lot more than you might expect. It can spy on conversations, access the device's camera, record what you type using a keylogger, and even extract data from messaging apps like WhatsApp or Telegram.
In short: if this app ends up on your phone, attackers practically have full control.
New Malware Targets Russian Companies Using Fake FSB and Central Bank Apps
Since it was first detected in early 2025, this Android malware has continued to evolve. Several new versions have appeared in recent months, making it clear that its developers are actively working to improve it.
Everything suggests that this threat was built specifically to target companies in Russia. Several clues point that way: the distribution methods, the names chosen for the fake apps, and above all the fact that the supposed antivirus interface is available only in Russian. Together these strongly indicate that the criminals are after a very specific audience.
At least two different lures have been observed in how the app presents itself. In one case, the application pretends to come from the Central Bank of Russia under the name "GuardCB." In other cases, variants use names like "SECURITY_FSB" or simply "ФСБ" (FSB), impersonating the Russian intelligence agency to gain credibility.
Although it appears to be a legitimate security tool, the truth is it offers no real protection functions. Its only purpose is to pose as a genuine antivirus to prevent the user from deleting it. Essentially, it’s a facade designed to build trust while conducting espionage in the background.
Fake AV Scan in the App (Source: Dr. Web)
When the user taps the “scan” button, the app launches a fake scan simulation. In approximately 30% of cases, it displays a bogus positive result, detecting between 1 and 3 fictitious threats to appear convincing and make the user believe the device is actually being protected.
But the most concerning part happens right after installation: the app begins requesting a long list of sensitive permissions, many of which have nothing to do with the functioning of a legitimate antivirus.
These include access to your location, media files and SMS messages, as well as permissions to record audio, use the camera, enable an accessibility service (which lets the app read whatever is on screen and inject input, effectively controlling the device), and run constantly in the background without the user's knowledge.
Permission to wipe all data and change the lock screen, i.e. device administrator rights (left), and accessibility settings (right)
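The permission list above is the first thing a practitioner would triage on a suspect device. The following script is an added example and is not code from the Dr. Web report: it parses the "requested permissions:" block of `adb shell dumpsys package <pkg>` output, groups the permissions into capability buckets that a scanning-only antivirus has no need for, and returns a verdict. The dumpsys text and the package name `com.example.fakeav` are constructed for the demo, not a real capture of the malware; the bucket thresholds are an assumed heuristic, not a published rule.

```python
"""Triage an Android app's requested permissions against what a real AV needs.

Added example, not from the Dr. Web report. Parses the 'requested permissions:'
block of `adb shell dumpsys package <pkg>` and flags capability clusters that
have no business in an on-device scanner. Sample text is constructed.
"""

# Capability buckets. None of these is needed to scan APKs on the device.
SUSPICIOUS = {
    "surveillance": {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"},
    "messaging": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                  "android.permission.SEND_SMS"},
    "contacts_calls": {"android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION",
                 "android.permission.ACCESS_BACKGROUND_LOCATION"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED",
                    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
                    "android.permission.FOREGROUND_SERVICE"},
    "media": {"android.permission.READ_MEDIA_IMAGES", "android.permission.READ_EXTERNAL_STORAGE"},
}

# Constructed dumpsys excerpt for a hypothetical fake AV package (not real data).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.fakeav] (a1b2c3):
    versionCode=3 minSdk=26 targetSdk=33
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.RECORD_AUDIO
      android.permission.CAMERA
      android.permission.READ_SMS
      android.permission.READ_CONTACTS
      android.permission.READ_CALL_LOG
      android.permission.ACCESS_FINE_LOCATION
      android.permission.FOREGROUND_SERVICE
    install permissions:
      android.permission.INTERNET: granted=true
"""


def parse_requested_permissions(dumpsys_text):
    """Return the permission names listed under 'requested permissions:'.

    The block ends at the first line that is blank or indented no deeper
    than the 'requested permissions:' header itself (e.g. 'install permissions:').
    """
    perms, in_block, header_indent = [], False, 0
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped == "requested permissions:":
            in_block, header_indent = True, indent
            continue
        if in_block:
            if not stripped or indent <= header_indent:
                in_block = False
                continue
            perms.append(stripped.split(":")[0])  # tolerate 'name: granted=...' form
    return perms


def triage(perms):
    """Map each suspicious bucket to the requested permissions that hit it."""
    requested = set(perms)
    return {bucket: sorted(requested & names)
            for bucket, names in SUSPICIOUS.items() if requested & names}


def verdict(hits):
    """Assumed heuristic: mic/camera plus persistence, or three or more
    buckets, is spyware-like; anything else just gets a manual look."""
    if ("surveillance" in hits and "persistence" in hits) or len(hits) >= 3:
        return "spyware-like"
    return "review"


def accessibility_enabled_for(package, enabled_services_value):
    """Check `adb shell settings get secure enabled_accessibility_services`,
    a colon-separated list of 'pkg/service' entries, for the given package."""
    if not enabled_services_value or enabled_services_value == "null":
        return False
    return any(entry.split("/")[0] == package
               for entry in enabled_services_value.split(":"))


if __name__ == "__main__":
    perms = parse_requested_permissions(SAMPLE_DUMPSYS)
    hits = triage(perms)
    for bucket, names in hits.items():
        print(f"{bucket}: {', '.join(names)}")
    print("verdict:", verdict(hits))
```

Run it against a real device by piping `adb shell dumpsys package <pkg>` into `parse_requested_permissions`; pair the result with `accessibility_enabled_for` and a look at `dumpsys device_policy` for the device-admin wipe and lock-screen policies the screenshots show, since neither of those appears in the requested-permissions list.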
The Malware Connects to C2 Servers and Spies on Everything on Your Device
Once the malware is installed, it moves quickly. It launches several background processes that connect it to its command-and-control (C2) server, from which it receives instructions to carry out a range of highly invasive actions.
Among the commands it can execute are:
- Stealing SMS messages, contacts, call history, location, and even photos stored on the device.
- Activating the microphone and camera, and even streaming the screen in real time without the user's knowledge.
- Capturing what you type, including sensitive information entered into apps like Telegram, WhatsApp, Gmail, Chrome, or Yandex.
- Executing system-level (shell) commands, remaining active after reboots, and enabling self-protection mechanisms to avoid being removed.
One particularly notable feature is the ability to switch between up to 15 different hosting services, which would let it keep operating even if one of its main servers is blocked. This fallback is not yet active, but its presence shows the malware was built to be resilient and hard to neutralize.
Indicators of compromise (IoCs) for this malware, identified as Android.Backdoor.916.origin, have been published in a public GitHub repository, allowing researchers and defenders to track its activity and block further infections.