New Android malware masquerades as Russian intelligence antivirus

25.08.2025 2 minutes Author: Newsman

Dr. Web researchers have discovered new Android malware that masquerades as Russian FSB antivirus and is used to spy on Russian business leaders.

The malware is called Android.Backdoor.916.origin. It is not related to any known Trojan family, which indicates that it was developed from scratch. The attackers distribute the application under the guise of “GuardCB” (allegedly from the Central Bank of the Russian Federation) and “SECURITY_FSB” / “FSB”. The application interface is available only in Russian, which confirms that the attacks are aimed exclusively at Russian users.

After installation, the application requests dangerous permissions: geolocation, access to SMS and media files, recording audio and video, controlling the screen lock, and running in the background. During the “scan” it only simulates a check and in 30% of cases reports fake threats. Its real functions are interception of messages, calls and messenger data, access to the camera and microphone, execution of commands from C2 servers, and self-protection against removal.
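As an added triage example (not code from the Dr. Web report), the following script scores a decoded AndroidManifest.xml against the permission profile described above. The mapping from the listed capabilities to concrete permission names, the lure-label pattern, and the sample manifest are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android manifest namespace

# The capabilities the article lists, mapped to concrete permission names.
# This mapping is an assumption: the article names capabilities, not permissions.
SPY_FAMILIES = {
    "geolocation": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "media": {"android.permission.READ_EXTERNAL_STORAGE", "android.permission.READ_MEDIA_IMAGES"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "screen_lock": {"android.permission.BIND_DEVICE_ADMIN"},  # device-admin receiver guard
    "background": {"android.permission.FOREGROUND_SERVICE"},
}
# Lure names reported in the article; pattern is an assumption.
LURE_LABEL = re.compile(r"guardcb|security_fsb|\bfsb\b", re.IGNORECASE)


def triage_manifest(xml_text: str, min_families: int = 4) -> dict:
    """Report which spy capability families a manifest requests and whether its label matches the lure."""
    root = ET.fromstring(xml_text)
    # <uses-permission android:name=...> plus the android:permission guard on
    # receivers, which is where device-admin (BIND_DEVICE_ADMIN) appears.
    held = {e.get(A + "name") for e in root.iter("uses-permission")}
    held |= {e.get(A + "permission") for e in root.iter("receiver")}
    families = sorted(f for f, names in SPY_FAMILIES.items() if names & held)
    app = root.find("application")
    # Assumes a literal label; real APKs often use @string/... and need resolving first.
    label = app.get(A + "label", "") if app is not None else ""
    lure = bool(LURE_LABEL.search(label))
    return {"families": families, "lure_label": lure,
            "suspicious": lure and len(families) >= min_families}


# Constructed sample manifest mimicking the described profile (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.fake.av">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="GuardCB">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Decode the binary manifest first (for example with apktool or aapt) before feeding it to the function.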

The threat was first recorded in January 2025, and it has been updated constantly since then. Dr. Web analysts have also found up to 15 backup hosting providers that are not yet in use, which points to the authors’ intent to make the malware resistant to blocking. The publication of indicators of compromise on GitHub should help defenders detect infections in time. Similar campaigns using fake state brands have already been seen in the Russian Federation, but this case stands out for its depth of functionality and its focus on the corporate sector.

New spyware disguised as an “FSB antivirus” shows how dangerous attacks that exploit trust in state brands are. The targets were business organizations, which indicates the attackers’ interest in corporate information. At the same time, the case demonstrates the need for users to check the origin of programs and not to trust “official” applications without confirming their authenticity.
