Security Affairs
Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Android.Backdoor.916.origin malware targets Russian business executives

New Android spyware Android.Backdoor.916.origin is disguised as an antivirus linked to Russia’s intelligence agency FSB, and targets business executives. Doctor Web researchers observed a multifunctional backdoor Android.Backdoor.916.origin targeting Android devices belonging to representatives of Russian businesses. The malware executes attacker commands, enabling surveillance, keylogging, and theft of chats, browser data, and even live camera/audio streams. […]

Android.Backdoor.916.origin

New Android spyware Android.Backdoor.916.origin is disguised as an antivirus linked to Russia’s intelligence agency FSB, and targets business executives.

Doctor Web researchers observed a multifunctional backdoor Android.Backdoor.916.origin targeting Android devices belonging to representatives of Russian businesses.

The malware executes attacker commands, enabling surveillance, keylogging, and theft of chats, browser data, and even live camera/audio streams.

The experts observed the first versions of the backdoor in January 2025. Since its discovery, the researchers have monitored the evolution of this threat identifying multiple versions. Doctor Web speculates that Android.Backdoor.916.origin was designed to be employed in targeted attacks against representatives of Russian businesses.

“Attackers distribute a backdoor APK file via private messages in messengers under the guise of an antivirus called “GuardCB”. The application has an icon resembling the emblem of the Central Bank of the Russian Federation against the background of a shield. At the same time, its interface provides only one language – Russian.” reads the report published by Doctor Web.

“That is, the malicious program is entirely focused on Russian users. This is confirmed by other detected modifications with file names such as “SECURITY_FSB”, “FSB” and others, which cybercriminals are trying to pass off as security programs allegedly related to Russian law enforcement agencies.”

The fake antivirus app mimics real security tools to avoid removal, running simulated scans with random fake detections. On installation, it requests dangerous permissions, including geolocation, SMS, media, camera, audio, background activity, data deletion, lock screen changes, and Accessibility Service, giving attackers full control and stealthy persistence on the device.

The malware constantly maintains its services, connecting to a C2 to steal SMS, contacts, call logs, geolocation, images, stream audio/video/screen, execute commands, and send device info, using separate ports for each data type.

Android.Backdoor.916.origin exploits the Accessibility Service to keylog and steal data from apps like Telegram, WhatsApp, Gmail, Chrome, and Yandex browsers, and can self-protect from removal.

“Android.Backdoor.916.origin has the ability to work with a large number of control servers, information about which is located in its configuration. In addition, it has the ability to switch between hosting providers, the number of which reaches 15, but at present such functionality is not used.” concludes the report that also includes Indicators of compromise. “The Doctor Web antivirus laboratory has notified domain registrars of the corresponding violations.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)