September 26, 2025
Android malware is fooling Russian business executives into handing over their private data—by pretending to be antivirus software.
A newly discovered Android spyware campaign is targeting Russian business executives, disguised as an antivirus app allegedly linked to the country’s intelligence services, according to Russian cybersecurity firm Doctor Web.
The malware, tracked as Android.Backdoor.916.origin, has been active since January 2025 and has evolved through multiple versions. Its biggest threat lies in the fact that it hides behind the mask of an official-looking security app, supposedly from Russian authorities, luring Russian business executives and employees into targeted attacks.
Researchers say the backdoor is capable of secretly recording video through the camera, logging keystrokes, tracking location, stealing files, and even pulling data from popular apps such as Telegram and WhatsApp, as well as from Gmail and from browsers such as Chrome and Yandex.
Disguised As “Official” Security Tools
The malicious app is distributed through direct messages in messenger apps: victims receive a download link that leads to a fake antivirus called “GuardCB”. To add credibility, its icon resembles the emblem of the Central Bank of the Russian Federation.
Other variants use names such as “SECURITY_FSB” or simply “FSB” — suggesting a connection to Russia’s Federal Security Service. The interface is available only in Russian, underscoring the highly targeted nature of the campaign.
“At the same time, its interface provides only one language – Russian. That is, the malicious program is entirely focused on Russian users,” wrote Doctor Web researchers in a blog post.
“This is confirmed by other detected modifications with file names such as ‘SECURITY_FSB’, ‘FSB’ and others, which cybercriminals are trying to pass off as security programs allegedly related to Russian law enforcement agencies.”
How It Works
To avoid being uninstalled, the fake antivirus imitates genuine security software by running simulated scans. Roughly 30% of the time, a scan reports between one and three non-existent threats.
Once installed, the app requests extensive permissions, including access to the microphone, camera, SMS, contacts, media files, call history, geolocation, and even Android’s Accessibility Service.
It then simulates fake antivirus “scans,” randomly reporting one to three “threats” to convince users it is legitimate. However, in the background, it quietly connects to a command-and-control (C2) server, enabling attackers to:
Doctor Web notes that the malware is highly targeted, designed specifically for Russian users, and not intended for mass infections. Its infrastructure allows the malware to rotate across 15 different hosting providers, a sign that its creators designed it for persistence and resistance to disruption.
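As an added defender-side example (not code from the article or from Doctor Web), the following Python checks an AndroidManifest.xml for the permission profile described above: the surveillance permissions combined with an Accessibility Service declaration. The sample manifest, its package name and the triage threshold are constructed assumptions for this example, not values from the real malware.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME, PERM = f"{{{ANDROID_NS}}}name", f"{{{ANDROID_NS}}}permission"

# Capabilities the article lists, keyed by the Android permission that grants
# each one (our own mapping for this example, not Doctor Web's).
WATCHED = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "media files",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.ACCESS_FINE_LOCATION": "geolocation",
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def triage_manifest(xml_text: str) -> dict:
    """Summarise which watched capabilities a manifest requests and whether it
    declares an Accessibility Service; flag the combination as suspicious."""
    root = ET.fromstring(xml_text)
    caps = sorted({WATCHED[e.get(NAME)] for e in root.iter("uses-permission")
                   if e.get(NAME) in WATCHED})
    # An Accessibility Service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    a11y = any(s.get(PERM) == ACCESSIBILITY for s in root.iter("service"))
    return {
        "package": root.get("package"),
        "capabilities": caps,
        "accessibility_service": a11y,
        # Threshold is a triage heuristic (assumed here), not a verdict.
        "suspicious": a11y and len(caps) >= 3,
    }

# Constructed sample manifest (not the real GuardCB file) requesting the
# surveillance mix described in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeav">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".WatchService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` to see the flagged profile; a manifest can be pulled from a device with `adb` for the same check.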
Precautions
For now, Android users are urged to download apps only from trusted sources such as the Google Play Store, to pay attention to the permissions an app requests, and to be suspicious of any app claiming to be a government security tool.
Meanwhile, Doctor Web says its own antivirus software detects and removes all known versions of the spyware. The company’s report also includes the indicators of compromise (IoCs) related to Android.Backdoor.916.origin, which have been published in a GitHub repository.