
A sophisticated Android backdoor, tracked as Android.Backdoor.916.origin, is actively targeting executives of Russian businesses. The malware is distributed under the guise of legitimate antivirus software purportedly created by Russia’s Federal Security Service (FSB) or the Central Bank of the Russian Federation, representing a highly targeted espionage campaign [1].
The campaign was first identified in January 2025 by researchers at the Russian cybersecurity firm Dr. Web, with multiple subsequent versions indicating active development by the threat actors [1]. The malicious application, which uses the package name `com.fsb.secure`, is primarily distributed through private messages on messaging platforms, leveraging a potent social engineering lure to trick high-value targets into installation [1].
**TL;DR: Executive Summary for Security Leadership**
* **Threat:** A targeted Android espionage tool (Android.Backdoor.916.origin) masquerading as official Russian security software.
* **Target:** Exclusive focus on Russian business executives.
* **Infection Vector:** Social engineering via private messages delivering a malicious APK.
* **Key Capabilities:** Full device takeover, including live audio/video surveillance, data exfiltration, and remote command execution.
* **Current Status:** Actively developed; Indicators of Compromise (IoCs) are available for defensive hunting.
* **Primary Recommendation:** Immediate user awareness training on the identified lures and technical controls to block sideloading of apps from unknown sources.
**Malware Characteristics and Functionality**
The malware employs two primary brands to appear legitimate: “GuardCB,” which impersonates software from the Central Bank of the Russian Federation, and “SECURITY_FSB” or “ФСБ,” which impersonates an FSB antivirus product [1]. Its entire user interface is in Russian, confirming a highly focused targeting strategy. Upon execution, the application runs a fake antivirus scan, a ruse designed to build trust with the victim. This scan randomly returns between one and three false positives approximately 30% of the time to simulate genuine security software activity and discourage the user from removing it [1].
To achieve its espionage goals, the malware requests a dangerous set of permissions during installation. These include accessibility services, which grant it the ability to perform keylogging and steal data from other applications; permission to use the camera and microphone; permission for background activity; and even permissions that would allow it to delete all device data and change the lock screen password [1]. The abuse of the accessibility service is particularly effective for stealing data from specific applications, including Telegram, WhatsApp, Gmail, Chrome, and various Yandex applications.
**Technical Capabilities and Command & Control**
Android.Backdoor.916.origin is a full-spectrum surveillance tool. Its capabilities are extensive and designed for persistent access to a compromised device. It can activate the camera for live streaming and record audio from the microphone without user interaction. The malware harvests a wide array of personal and corporate data, including SMS messages, complete contact lists, call histories, precise geolocation data, and all stored images on the device [2].
Furthermore, the backdoor can log all keystrokes entered on the device, capture the screen, and execute arbitrary shell commands with elevated privileges, effectively giving the threat actor full remote control. The malware is engineered for persistence, incorporating self-protection mechanisms to avoid detection and removal. Analysis also revealed code designed to allow the malware to switch between up to 15 different hosting providers for its command and control (C2) infrastructure, though this feature was not active at the time of Dr. Web’s report [1].
Communication with the C2 server is structured, using separate ports for transmitting different types of stolen data, which can aid in network-based detection. The malware establishes these connections to receive instructions and exfiltrate the harvested information.
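The per-port structure of the C2 channel is what makes it visible on the network: one device opening connections to the same external host on several distinct destination ports inside a short window is unusual for ordinary app traffic. The following script is an added example (not Dr. Web’s code and not part of the original report) of that heuristic run over constructed flow records. The addresses are RFC 5737 documentation ranges standing in for a C2 host and a normal web server, not indicators from the report; the port numbers, window and threshold are this example’s own assumptions and should be replaced with the published IoCs and tuned to local traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    """One connection summary, as a NetFlow/IPFIX collector or egress proxy would log it."""
    ts: datetime
    src: str       # internal device address
    dst: str       # external peer address
    dport: int     # destination port
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed CSV flow line: timestamp,src,dst,dport,bytes_out."""
    ts, src, dst, dport, bytes_out = line.strip().split(",")
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(bytes_out))


# Constructed sample log (not real traffic). 203.0.113.10 stands in for a C2 host,
# 198.51.100.20 for a normal HTTPS service; both are documentation addresses.
SAMPLE_LOG = """\
2025-08-20T09:00:05,10.0.0.5,203.0.113.10,8443,912
2025-08-20T09:00:40,10.0.0.5,203.0.113.10,8444,51200
2025-08-20T09:01:10,10.0.0.5,203.0.113.10,8445,4096
2025-08-20T09:01:30,10.0.0.5,198.51.100.20,443,1500
2025-08-20T09:02:00,10.0.0.7,198.51.100.20,443,2300
2025-08-20T09:05:00,10.0.0.7,198.51.100.20,443,1800
2025-08-20T09:30:00,10.0.0.7,203.0.113.10,8443,700
2025-08-20T10:30:00,10.0.0.7,203.0.113.10,8444,700
"""


def find_multiport_peers(
    flows: List[Flow],
    window: timedelta = timedelta(minutes=10),
    min_ports: int = 3,
) -> Dict[Tuple[str, str], List[int]]:
    """
    Return {(src, dst): sorted distinct ports} for each internal device that reached
    the same external host on at least `min_ports` distinct ports within `window`.
    """
    by_pair: Dict[Tuple[str, str], List[Flow]] = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)

    hits: Dict[Tuple[str, str], List[int]] = {}
    for pair, pair_flows in by_pair.items():
        pair_flows.sort(key=lambda f: f.ts)
        # Sliding window: treat each flow as a window start and collect the ports
        # seen until ts + window. One alert per (src, dst) pair is enough.
        for i, start in enumerate(pair_flows):
            ports = {start.dport}
            for later in pair_flows[i + 1:]:
                if later.ts - start.ts > window:
                    break
                ports.add(later.dport)
            if len(ports) >= min_ports:
                hits[pair] = sorted(ports)
                break
    return hits


def scan_log(text: str, **kwargs) -> Dict[Tuple[str, str], List[int]]:
    """Parse a CSV flow log and apply the multi-port heuristic."""
    flows = [parse_flow(line) for line in text.splitlines() if line.strip()]
    return find_multiport_peers(flows, **kwargs)


if __name__ == "__main__":
    for (src, dst), ports in scan_log(SAMPLE_LOG).items():
        print(f"ALERT {src} -> {dst}: {len(ports)} distinct ports within window {ports}")
```

On the sample log only `10.0.0.5 -> 203.0.113.10` fires; the second device touches the same host on two ports an hour apart and stays below the threshold. Legitimate clients that use several ports against one host (mail clients on 993 and 587, for instance) will also match, so in practice the heuristic is paired with an allowlist of known services and with the destination addresses from the published IoCs.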
**Broader Threat Landscape and Context**
This campaign is not an isolated incident but part of a broader trend of highly localized mobile malware. A parallel example is the Zanubis Android banking trojan, detailed by Kaspersky’s Global Research and Analysis Team (GReAT) [3]. Zanubis, which primarily targets users in Peru, has evolved from mimicking PDF readers in 2022 to impersonating applications from a local energy company and a local bank in its 2025 campaign. It is distributed via APK files named to resemble bills or invoices (e.g., `Boleta_XXXXXX.apk`).
Leandro Cuozzo, a Security Researcher at Kaspersky GReAT, noted: *“Zanubis has demonstrated a clear evolution, transitioning from a simple banking Trojan to a highly sophisticated and multi-faceted threat… They continue to adjust their tactics, shifting distribution methods to ensure the malware reaches new victims and executes silently.”* [3] This mirrors the tactical evolution seen in Android.Backdoor.916.origin, where threat actors use deep knowledge of local institutions to craft convincing lures.
The strategic environment may also be permissive for such threats. Recent reporting indicates that Russian state actors are degrading voice call quality on WhatsApp and Telegram to push users towards domestic platforms like “Max” [4]. This erosion of trust in established, encrypted messaging apps could make users more susceptible to downloading malicious applications that are presented as “secure” alternatives.
**Defensive Recommendations and Mitigation**
For organizations, particularly those with personnel in the targeted region, a multi-layered defensive posture is required, with technical controls reinforced by user education. On the technical side, enforce policies that prevent the installation of applications from unknown sources (sideloading) on corporate devices, and configure network monitoring to look for traffic to the known IoCs published by Dr. Web [5].
Endpoint Detection and Response (EDR) or Mobile Device Management (MDM) solutions should be configured to alert on the installation of applications requesting the dangerous combination of permissions this malware requires, especially the accessibility service. User awareness training is critical and should specifically highlight this campaign’s distribution method: unsolicited private messages containing links to download security software. Users must be instructed to only install applications from official vendor websites or sanctioned app stores.
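The permission set described earlier (an accessibility service, device-administrator rights, camera, microphone, SMS, contacts, call log and location) is a combination an MDM or app-vetting pipeline can score directly from an APK’s decoded `AndroidManifest.xml`. The script below is an added example of such a check, not part of the original report and not a vendor’s product logic. It assumes the manifest has already been decoded to text (binary manifests need a tool such as apktool first); the two manifests are constructed for the example, the component names `.ExampleAccessibilityService` and `.ExampleAdminReceiver` are hypothetical, and the weights and alert threshold are this example’s own choices.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capabilities worth scoring, mirroring those the report attributes to the backdoor.
# "accessibility_service" and "device_admin" are derived from components that are
# protected by the corresponding BIND_* permissions rather than from <uses-permission>.
# The weights and threshold are this example's own assumptions, not a published standard.
WEIGHTS = {
    "accessibility_service": 5,
    "device_admin": 4,
    "android.permission.CAMERA": 2,
    "android.permission.RECORD_AUDIO": 2,
    "android.permission.READ_SMS": 2,
    "android.permission.READ_CALL_LOG": 2,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.ACCESS_FINE_LOCATION": 1,
    "android.permission.READ_EXTERNAL_STORAGE": 1,
}
ALERT_THRESHOLD = 10

# Constructed manifest reproducing the permission profile described in the report.
# Component class names are hypothetical; only the package name comes from the report.
SUSPECT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.fsb.secure">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="SECURITY_FSB">
    <service android:name=".ExampleAccessibilityService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".ExampleAdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# Constructed benign comparison: a flashlight app that only needs the camera.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Torch"/>
</manifest>
"""


def _android_attr(el: ET.Element, name: str):
    """Read an android:-namespaced attribute from a manifest element."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def extract_capabilities(manifest_xml: str) -> Set[str]:
    """Collect the scored capabilities declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    caps: Set[str] = set()
    for up in root.iter("uses-permission"):
        name = _android_attr(up, "name")
        if name in WEIGHTS:
            caps.add(name)
    for el in root.iter():
        if el.tag not in ("service", "receiver"):
            continue
        perm = _android_attr(el, "permission")
        if perm == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            caps.add("accessibility_service")
        elif perm == "android.permission.BIND_DEVICE_ADMIN":
            caps.add("device_admin")
    return caps


def assess(manifest_xml: str) -> Dict[str, object]:
    """Score a manifest and decide whether it should raise an MDM/EDR alert."""
    root = ET.fromstring(manifest_xml)
    caps = extract_capabilities(manifest_xml)
    score = sum(WEIGHTS[c] for c in caps)
    return {
        "package": root.get("package"),
        "capabilities": sorted(caps),
        "score": score,
        "alert": score >= ALERT_THRESHOLD,
    }


if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        result = assess(manifest)
        print(f"{result['package']}: score={result['score']} alert={result['alert']}")
```

An accessibility service alone is not proof of malice (screen readers and automation tools declare one legitimately), which is why the score combines it with device-administrator rights and the surveillance permissions; an organization would tune the weights against its own approved app inventory and treat a high score as a trigger for review or block rather than as a verdict.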
The discovery of Android.Backdoor.916.origin in January 2025 and its broader public disclosure in August 2025 illustrates a common challenge in cybersecurity: the gap between private discovery and public awareness [6]. This delay underscores the need for proactive threat hunting based on emerging IoCs rather than relying solely on public news cycles for defensive measures.
The Android.Backdoor.916.origin campaign is a stark reminder of the effectiveness of socially engineered, highly targeted malware. By impersonating trusted national institutions, threat actors have successfully crafted a lure that bypasses technical controls by exploiting human psychology. This incident highlights the continuous need for a security strategy that balances robust technical defenses with ongoing user education and awareness, especially for high-value targets within an organization. The availability of IoCs provides defenders with a starting point for hunting and remediation efforts.