Cybersecurity researchers at Dr.Web have identified a new mobile threat targeting Russian enterprises: an Android backdoor designated Android.Backdoor.916.origin. The Kotlin-based malware marks a significant escalation in mobile threats, combining advanced technical capabilities with a design built specifically for targeted attacks against domestic business networks.
Threat Discovery and Evolution Timeline
The malware samples first emerged in January 2025, indicating recent development by cybercriminal groups with substantial resources. Security analysts have documented multiple iterations of the threat, revealing continuous refinement and enhancement of its malicious capabilities. This rapid evolution pattern suggests active deployment by advanced persistent threat (APT) groups specializing in long-term corporate network infiltration.
Distribution occurs through personalized messenger communications, indicating extensive reconnaissance and social engineering preparation. This targeted approach aligns with sophisticated threat actor methodologies, where attackers invest significant time researching potential victims before launching attacks.
Advanced Social Engineering Tactics
The malware employs particularly deceptive disguise mechanisms, masquerading as a legitimate antivirus application called GuardCB. The fake security app features convincing visual elements mimicking official Central Bank of Russia branding, complete with Russian-language interface elements designed to build user trust and credibility.
Additional variants utilize filenames such as SECURITY_FSB and “ФСБ” (FSB in Cyrillic), exploiting user confidence in government security agencies. These naming conventions demonstrate deep understanding of the target demographic’s psychological vulnerabilities and institutional trust patterns.
Deceptive User Interface Design
Upon installation, the malicious application simulates authentic antivirus scanning processes with programmed false positive detection rates reaching 30%. The fake scanner reports between one and three fabricated security issues, creating convincing illusions of legitimate protective software functionality while establishing persistent device access.
Comprehensive Surveillance Capabilities
Android.Backdoor.916.origin possesses extensive espionage functionalities that pose severe risks to corporate data security. The malware can conduct covert audio surveillance, stream live video feeds from device cameras, and function as a comprehensive keylogger capturing all user input activities.
The backdoor specifically targets popular communication platforms and browsers, including Telegram, WhatsApp, Google Chrome, Gmail, Yandex Start, and Yandex Browser. This focus on widely-used applications maximizes potential data collection from business communications and web activities.
Technical Infrastructure and Persistence
The malware abuses Android Accessibility Services to implement its keylogging functions and to establish self-protection mechanisms that resist removal attempts. Using this privileged API for both input capture and persistence reflects a detailed understanding of the Android security architecture and mature mobile malware development capabilities.
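Because the backdoor depends on an enabled accessibility service, the most direct device-side check a defender can run is an audit of which apps currently hold that privilege. The following script is an added example, not code from Dr.Web or from the report: it parses the value of the Android secure setting `enabled_accessibility_services` (which an administrator can read over `adb shell settings get secure enabled_accessibility_services`) and flags every service whose package is not on an organisational allowlist. The allowlist entries, the MDM agent package name and the sample setting value are assumptions constructed for the example; the unexpected package in the sample is a placeholder, not an indicator from the report.

```python
"""Audit which apps hold Android accessibility-service privileges.

Added defensive example (not Dr.Web's code). The raw setting value is
constructed here so the check runs offline; on a real device it comes from
`adb shell settings get secure enabled_accessibility_services`.
"""
from dataclasses import dataclass

# Constructed allowlist of accessibility services the organisation expects.
# TalkBack's package name is real; the MDM agent package is a hypothetical name.
ALLOWED_PACKAGES = frozenset({
    "com.google.android.marvin.talkback",  # TalkBack screen reader
    "com.example.mdm.agent",               # hypothetical MDM agent (assumption)
})


@dataclass(frozen=True)
class AccessibilityService:
    package: str
    component: str  # fully qualified service class name


def parse_enabled_services(raw: str) -> list[AccessibilityService]:
    """Parse the colon-separated ComponentName list stored in the setting.

    Each entry has the form `package/class`. Android also accepts the short
    form `package/.Class`, meaning the class lives under the package namespace,
    so the audit expands it to the fully qualified name before comparing.
    """
    services = []
    for entry in raw.strip().split(":"):
        if not entry:
            continue  # empty value or trailing separator
        if "/" not in entry:
            raise ValueError(f"malformed accessibility entry: {entry!r}")
        package, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = package + cls
        services.append(AccessibilityService(package, cls))
    return services


def audit(raw: str, allowed: frozenset = ALLOWED_PACKAGES) -> list[AccessibilityService]:
    """Return every enabled accessibility service whose package is not allowlisted.

    Any hit deserves investigation: a business device rarely needs an
    accessibility service outside the screen reader and the management agent.
    """
    return [s for s in parse_enabled_services(raw) if s.package not in allowed]


# Constructed sample value. `com.example.unexpected` is a placeholder for an
# app that should not hold the privilege; it is not an indicator from the report.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.unexpected/.AccessService"
)

if __name__ == "__main__":
    for svc in audit(SAMPLE_SETTING):
        print(f"UNEXPECTED accessibility service: {svc.package} ({svc.component})")
```

In a fleet setting the same function can be applied to the value collected by an MDM compliance job from each enrolled device, with any non-allowlisted hit raised as a ticket, since a newly granted accessibility service on a business phone is exactly the privilege this family needs to keylog messengers and browsers and to block its own removal.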
The network infrastructure supports multiple command-and-control servers, with the capability to switch between 15 different hosting providers, although this redundancy feature remains inactive in current samples. The architecture uses separate communication ports for different data types, which organises the transmission of stolen information by category.
Operational Security and Countermeasures
The malware maintains operational persistence through multiple background services with minute-by-minute activity monitoring, ensuring continuous functionality even during system optimization or security scans. Dr.Web researchers have initiated infrastructure disruption efforts by notifying domain registrars about identified malicious hosting resources.
The emergence of Android.Backdoor.916.origin highlights the evolving sophistication of mobile threats targeting enterprise environments. Organizations must implement comprehensive mobile security strategies including employee education on digital hygiene practices, deployment of mobile device management solutions, and integration of advanced threat detection capabilities. Only through layered security approaches can businesses effectively defend against these targeted, technically advanced cyber attacks.