Android backdoor spies on Russian business employees
Aug. 25, 2025, 11:32 a.m.
Description
A sophisticated Android backdoor named Android.Backdoor.916.origin is targeting Russian business representatives. The malware, disguised as an antivirus app called 'GuardCB', has extensive surveillance capabilities including intercepting calls, streaming camera footage, stealing data from messaging apps and browsers, and keylogging. Distributed via messenger apps, it requests numerous system permissions and connects to C2 servers for commands. The backdoor can transmit SMS messages, contact lists, call logs, location data, and captured audio/video streams. It uses Accessibility Service to log keystrokes and intercept content from specific apps like Telegram and Chrome. The malware is believed to be used for targeted attacks rather than mass distribution.
Tags
Date
- Created: Aug. 25, 2025, 10:55 a.m.
- Published: Aug. 25, 2025, 10:55 a.m.
- Modified: Aug. 25, 2025, 11:32 a.m.
Attack Patterns
- Android.Backdoor.916.origin
Additional Information
- Finance
- Government
- Russian Federation