Full Report
A new Android malware strain, posing as antivirus software created by Russia's Federal Security Service (FSB), is being used to target executives of Russian businesses. [...]
Analysis Summary
# Threat Actor: Unknown/Unattributed Operator utilizing Android.Backdoor.916.origin
## Attribution & Identity
* **Identification:** Threat actors utilizing Android spyware tracked as 'Android.Backdoor.916.origin'.
* **Attribution/Association:** Believed to be associated with entities interested in targeting Russian businesses, utilizing lures impersonating Russian intelligence agencies (FSB) or the Central Bank of the Russian Federation. No direct link to a known APT group was established in the report.
* **Aliases and Lures:** The malware uses lures branded as "GuardCB" (impersonating the Central Bank of the Russian Federation), "SECURITY_FSB", and "ФСБ" (FSB), suggesting an attempt to masquerade as official Russian security software.
## Activity Summary
* **Historical Activities:** The malware was initially discovered in January 2025, with subsequent, continuously developed versions observed thereafter.
* **Campaign Focus:** The actors are engaged in targeted attacks against executives within Russian businesses, using social engineering based on national security or financial legitimacy.
## Tactics, Techniques & Procedures
* **Infection Chain:** Deception via fraudulent Android application disguised as legitimate antivirus/security software.
* **Execution & Evasion:** Requests numerous high-risk permissions upon installation (geo-location, SMS, media access, camera/audio recording, Accessibility Service). Simulates a fake AV scan to prevent users from immediately uninstalling the app.
* **Persistence:** Maintains persistence on the device and enables self-protection; its infrastructure is designed for resilience, with the capability to fail over between up to 15 hosting providers (a capability not yet fully active).
* **Command & Control (C2):** Connects to C2 infrastructure to receive specific commands.
* **Data Exfiltration Capabilities (Key TTPs):**
  * Exfiltrate SMS, contacts, call history, geo-location data, and stored images.
  * Stream camera and microphone feeds.
  * Log user input via a keylogger.
  * Capture text content from major messenger apps and browsers (Telegram, WhatsApp, Gmail, Chrome, Yandex apps).
  * Execute arbitrary shell commands.
## Targeting
* **Sectors:** Executives of Russian businesses.
* **Geography:** Primarily focused on Russian users/entities, as evidenced by the Russian-only language interface and official impersonations.
* **Victims:** Executives within Russian businesses.
## Tools & Infrastructure
* **Malware Families:** 'Android.Backdoor.916.origin' (Dr. Web reports no links to known malware families).
* **Infrastructure (C2):** Utilizes C2 infrastructure capable of resilient hosting across up to 15 providers. Indicators of Compromise (IOCs) were shared in a GitHub repository by Dr. Web.
## Implications
This malware represents a significant threat to targeted Russian business executives, blending sophisticated spyware functionality with effective social engineering built on domestic trust factors (FSB, Central Bank). The continued development since January 2025 and the built-in infrastructure resilience suggest a well-resourced, persistent operator focused on espionage and surveillance within the Russian corporate environment.
## Mitigations
* **Security Awareness:** Educate executives regarding applications posing as official security software from Russian government or financial bodies.
* **Permission Scrutiny:** Enforce strict review of application permissions, especially requests for Accessibility Services and background operation rights on Android devices.
* **Mobile Threat Defense:** Deploy mobile endpoint security solutions capable of detecting suspicious behavior associated with new, unknown malware families.
* **Infrastructure Monitoring:** Monitor network traffic for connections to known or newly emerging C2 infrastructure associated with Android.Backdoor.916.origin IOCs.
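The "Permission Scrutiny" mitigation above can be partly automated during app vetting. The script below is an added example (not Dr. Web's tooling and not code from the report): it parses an AndroidManifest.xml, tallies the permission families the report lists (location, SMS, contacts, call log, media, camera, microphone, boot persistence) and flags any declared Accessibility Service, which is the combination a fake "antivirus" app has no legitimate reason to request. The risk weights and verdict thresholds are assumptions chosen for triage, and both manifests are constructed samples, not artifacts from the campaign.

```python
"""Manifest triage: score an Android app for the spyware-style permission
profile described in the report. Added example with constructed samples;
weights and thresholds are assumptions, not values from the report."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Permission families named in the report's TTPs; weights are an assumption.
RISK_WEIGHTS = {
    "android.permission.ACCESS_FINE_LOCATION": 2,
    "android.permission.ACCESS_COARSE_LOCATION": 1,
    "android.permission.READ_SMS": 3,
    "android.permission.RECEIVE_SMS": 3,
    "android.permission.READ_CONTACTS": 2,
    "android.permission.READ_CALL_LOG": 3,
    "android.permission.READ_EXTERNAL_STORAGE": 1,
    "android.permission.READ_MEDIA_IMAGES": 1,
    "android.permission.CAMERA": 2,
    "android.permission.RECORD_AUDIO": 3,
    "android.permission.RECEIVE_BOOT_COMPLETED": 1,  # survives reboot (persistence)
}
# A service bound with this permission is an Accessibility Service, which can
# read screen content and inject input; weighted separately because it is the
# capability behind keylogging and messenger/browser text capture.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_WEIGHT = 4


def parse_manifest(xml_text):
    """Return (set of requested permissions, True if an Accessibility Service is declared)."""
    root = ET.fromstring(xml_text)
    perms = {u.get(NAME_ATTR) for u in root.iter("uses-permission")}
    accessibility = any(
        s.get(PERMISSION_ATTR) == ACCESSIBILITY_BIND for s in root.iter("service")
    )
    return perms, accessibility


def score_manifest(xml_text):
    """Sum the weights of risky permissions and turn the total into a verdict."""
    perms, accessibility = parse_manifest(xml_text)
    flagged = sorted(p for p in perms if p in RISK_WEIGHTS)
    score = sum(RISK_WEIGHTS[p] for p in flagged)
    if accessibility:
        flagged.append(ACCESSIBILITY_BIND)
        score += ACCESSIBILITY_WEIGHT
    # Thresholds are assumptions: tune to the fleet's normal app population.
    if score >= 12:
        verdict = "high"
    elif score >= 6:
        verdict = "review"
    else:
        verdict = "low"
    return {"score": score, "flagged": flagged, "accessibility": accessibility, "verdict": verdict}


# Constructed manifest resembling a fake "security" app: surveillance permissions
# plus an Accessibility Service. Package name is a placeholder, not an IOC.
FAKE_AV_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.guard">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Antivirus">
    <service android:name=".AccessService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of an ordinary app for comparison.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <application android:label="Weather"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("fake-av", FAKE_AV_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = score_manifest(manifest)
        print(f"{label}: verdict={result['verdict']} score={result['score']} "
              f"accessibility={result['accessibility']} flagged={result['flagged']}")
```

In practice the manifest is pulled from the APK with `aapt dump xmltree` or a decompiler before scoring; the point of the check is the combination, since an app labelled "Antivirus" that also wants SMS, call-log, microphone and Accessibility access matches the profile in the TTP list regardless of how it is branded.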