Title: Fake FSB Antivirus App Spreads New Android Spyware

A newly discovered Android spyware, tracked as Android.Backdoor.916.origin, is masquerading as an antivirus allegedly from Russia’s Federal Security Service (FSB) to infiltrate business executives’ devices. Researchers at Dr. Web report that the malware, active since January 2025, continues to evolve with updated versions, though it doesn’t belong to any known malware family.

It can record conversations, stream from the device camera, capture keystrokes, and steal data from messenger apps, contacts, call logs, and browsing activity. The malware poses as a security tool under names such as GuardCB, SECURITY_FSB, and ФСБ, and targets only Russian-speaking users.

The app simulates antivirus scans and produces fake detections to appear legitimate and discourage removal. Once installed, it demands dangerous permissions, including access to SMS, files, location, microphone, and camera, and it maintains persistence by connecting to a command-and-control server.
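For fleet triage, the lure names and the permission set described above can be checked against an app inventory export. The sketch below is an added example, not code from Dr. Web or the original article; the inventory record format, the package names, and the mapping from the article's permission categories to standard Android permission names are assumptions.

```python
# Added example: triage an app inventory using the details in the article.
LURE_LABELS = {"guardcb", "security_fsb", "фсб"}  # names listed in the article

# Assumption: standard Android permissions standing in for the article's
# categories (SMS, files, location, microphone, camera).
CATEGORY_PERMS = {
    "sms": {"READ_SMS", "RECEIVE_SMS", "SEND_SMS"},
    "files": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
              "MANAGE_EXTERNAL_STORAGE"},
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
                 "ACCESS_BACKGROUND_LOCATION"},
    "microphone": {"RECORD_AUDIO"},
    "camera": {"CAMERA"},
}
ALL_FIVE = ["android.permission." + p for p in
            ("READ_SMS", "READ_EXTERNAL_STORAGE", "ACCESS_FINE_LOCATION",
             "RECORD_AUDIO", "CAMERA")]

def categories_requested(permissions):
    """Return which of the five categories an app's permissions cover."""
    short = {p.rsplit(".", 1)[-1] for p in permissions}
    return {c for c, names in CATEGORY_PERMS.items() if short & names}

def triage(app):
    """Return (verdict, reasons) for one inventory record."""
    reasons = []
    # casefold() handles the Cyrillic label; strip() handles padded labels.
    if app["label"].strip().casefold() in LURE_LABELS:
        reasons.append("label matches a reported lure name")
    if categories_requested(app["permissions"]) == set(CATEGORY_PERMS):
        reasons.append("requests all five reported permission categories")
    verdict = {0: "ok", 1: "review", 2: "escalate"}[len(reasons)]
    return verdict, reasons

# Constructed sample inventory; package names are placeholders.
INVENTORY = [
    {"package": "com.example.placeholder1", "label": "ФСБ",
     "permissions": ALL_FIVE},
    {"package": "com.example.camera", "label": "Camera",
     "permissions": ["android.permission.CAMERA",
                     "android.permission.RECORD_AUDIO"]},
    {"package": "com.example.guard", "label": "GuardCB ",
     "permissions": ["android.permission.INTERNET"]},
]

def scan(inventory):
    """Map each package name to its triage verdict."""
    return {a["package"]: triage(a)[0] for a in inventory}

if __name__ == "__main__":
    for pkg, verdict in scan(INVENTORY).items():
        print(pkg, verdict)
```

A label or permission match is only a triage signal; confirmation should rely on the indicators of compromise Dr. Web published.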

The spyware can also execute shell commands, switch across multiple hosting providers for resilience, and enable self-protection features. Indicators of compromise and further technical details have been published by Dr. Web on GitHub to help security teams track and mitigate the threat.
