新的Android间谍软件Android.Backdoor.916.origin伪装成与俄罗斯联邦安全局(FSB)相关的杀毒软件"GuardCB",专门针对俄罗斯商业高管。该恶意软件通过请求危险权限和利用无障碍服务实现对设备的全面控制,并能够窃取短信、联系人、通话记录、地理位置、图像以及实时音频/视频流等敏感数据。其设计目的是进行定向攻击,并通过多个控制服务器和15个主机提供商实现隐蔽性和持久性。 2025-8-25 07:16:1 Author: securityaffairs.com(查看原文) 阅读量:31 收藏
Android.Backdoor.916.origin malware targets Russian business executives
New Android spyware Android.Backdoor.916.origin is disguised as an antivirus linked to Russia’s intelligence agency FSB, and targets business executives.
Doctor Web researchers observed a multifunctional backdoor Android.Backdoor.916.origin targeting Android devices belonging to representatives of Russian businesses.
The malware executes attacker commands, enabling surveillance, keylogging, and theft of chats, browser data, and even live camera/audio streams.
The experts observed the first versions of the backdoor in January 2025. Since its discovery, the researchers have monitored the evolution of this threat identifying multiple versions. Doctor Web speculates that Android.Backdoor.916.origin was designed to be employed in targeted attacks against representatives of Russian businesses.
“Attackers distribute a backdoor APK file via private messages in messengers under the guise of an antivirus called “GuardCB”. The application has an icon resembling the emblem of the Central Bank of the Russian Federation against the background of a shield. At the same time, its interface provides only one language – Russian.” reads the report published by Doctor Web.
“That is, the malicious program is entirely focused on Russian users. This is confirmed by other detected modifications with file names such as “SECURITY_FSB”, “FSB” and others, which cybercriminals are trying to pass off as security programs allegedly related to Russian law enforcement agencies.”
The fake antivirus app mimics real security tools to avoid removal, running simulated scans with random fake detections. On installation, it requests dangerous permissions, including geolocation, SMS, media, camera, audio, background activity, data deletion, lock screen changes, and Accessibility Service, giving attackers full control and stealthy persistence on the device.
The malware constantly maintains its services, connecting to a C2 to steal SMS, contacts, call logs, geolocation, images, stream audio/video/screen, execute commands, and send device info, using separate ports for each data type.
Android.Backdoor.916.origin exploits the Accessibility Service to keylog and steal data from apps like Telegram, WhatsApp, Gmail, Chrome, and Yandex browsers, and can self-protect from removal.
“Android.Backdoor.916.origin has the ability to work with a large number of control servers, information about which is located in its configuration. In addition, it has the ability to switch between hosting providers, the number of which reaches 15, but at present such functionality is not used.” concludes the report that also includes Indicators of compromise. “The Doctor Web antivirus laboratory has notified domain registrars of the corresponding violations.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, data breach)
如有侵权请联系:admin#unsafe.sh