New Android malware poses as antivirus from Russian intelligence agency

A new Android malware posing as an antivirus tool created by Russia's Federal Security Service (FSB) is being used to target executives of Russian businesses.

In a new report from Russian mobile security firm Dr. Web, researchers track the new spyware as 'Android.Backdoor.916.origin,' finding no links to known malware families.

Among its numerous capabilities, the malware can eavesdrop on conversations, stream from the phone's camera, log user input with a keylogger, and exfiltrate communication data from messenger apps.

Dr. Web reports that, since the initial discovery of this malware in January 2025, it has sampled several subsequent versions, indicating continuous development.

Based on the distribution lures, infection methods, and the fact that its interface only offers the Russian language option, the researchers believe it was designed for targeted attacks against Russian businesses.

Dr. Web has seen two main branding attempts: one named "GuardCB," impersonating the Central Bank of the Russian Federation, and two variants named "SECURITY_FSB" and "ФСБ" (FSB), supposedly attempting to impersonate software from the Russian intelligence agency.

"At the same time, its interface provides only one language – Russian. That is, the bug is entirely focused on Russian users," reports Dr. Web.

"This is confirmed by other detected modifications with file names such as "SECURITY_FSB", "FSB" and others, which cybercriminals try to pass off as security programs allegedly related to Russian law enforcement agencies."

Although the antivirus tool lacks any security-related features, it attempts to mimic a real security tool to prevent the victim from removing it from their device.

Fake AV scan running on the spyware app
Source: Dr. Web

When the user clicks on 'scan,' the interface displays a simulation programmed to return a fake positive result 30% of the time, with the number of fake detections ranging (randomly) between 1 and 3.

Upon installation, the malware requests several high-risk permissions such as geolocation, access to SMS and media files, camera and audio recording, Accessibility Service, and permission to run in the background at all times.

Permission to delete all data and change lock screen (left) and Accessibility Settings (right)
Source: Dr. Web

Next, it launches several services through which it connects to the command and control (C2) server to receive commands such as:

  • Exfiltrate SMS, contacts, call history, geolocation, and stored images
  • Activate the microphone, camera, and screen streaming
  • Capture text input and messenger or browser content (Telegram, WhatsApp, Gmail, Chrome, Yandex apps)
  • Execute shell commands, maintain persistence, and enable self-protection
Dr. Web found that the malware can switch between up to 15 hosting providers, and although this function is not currently active, it shows the malware is designed for resilience.

The analysts shared the complete indicators of compromise related to Android.Backdoor.916.origin in this GitHub repository.
