Fake Antivirus App Spreads Android Malware to Spy on Russian Users

Doctor Web warns of Android.Backdoor.916.origin, a fake antivirus app that spies on Russian users by stealing data, streaming audio and video.

Cybersecurity researchers at Doctor Web are warning about a new strain of Android malware called Android.Backdoor.916.origin. The malware has been operational since January 2025 and is capable of listening to conversations, stealing messages, streaming video, and logging keystrokes.

This is the second time in the last four months that researchers have spotted malware targeting Russian infrastructure. In April 2022, Doctor Web exposed a fake Alpine Quest mapping app that was spying on the Russian military.

****Fake Anti-Virus Android App with Fake Results****

Doctor Web’s team believes it is not a mass infection attempt aimed at everyday Android owners, but a tool created to target Russian business representatives. The distribution method backs this theory as attackers are pushing the malware through direct messages in messengers, disguising it as an anti-virus called GuardCB.

The fake app uses a disguise to trick victims. Its icon resembles the emblem of the Russian Central Bank placed on a shield, making it look trustworthy. Once installed, it runs what looks like an antivirus scan, complete with fake detection results that are randomly generated to appear convincing.

“This is confirmed by other detected modifications with names like “SECURITY_FSB”, “ФСБ” (FSB), and others, which cybercriminals are trying to pass off as security-related programs that are supposedly related to Russian law enforcement agencies,“ noted Dr Web researchers in their blog post.

Once installed, the backdoor requests a list of permissions, from geolocation and audio recording to camera access and SMS data. It also demands device administrator rights and access to Android’s Accessibility Service, which lets it act like a keylogger and intercept content from popular apps, including the following:

• Gmail
• Telegram
• WhatsApp
• Yandex Browser
• Google Chrome

Malware asking for permissions in the Russian language (Via Doctor Web)

****Livestreaming Audio and Broadcast Video****

Doctor Web researchers explain that the malware is designed for persistence. It launches its own background services, checks if they are running every minute, and restarts them if needed. It also communicates with multiple command-and-control servers, capable of switching between as many as 15 hosting providers if attackers want to keep the infrastructure alive.

The list of available commands, available in Doctor Web’s report, shows the extent of its spying capabilities. It can livestream audio from a microphone, broadcast video from the camera, steal text as users type it, and upload contacts, SMS, images, and call history. Additionally, it even has the ability to stream a device’s screen in real time.

****Exploiting Android’s Accessibility Service****

The malware also takes advantage of Android’s Accessibility Service as a way to protect itself. This feature is abused not only to steal keystrokes but also to block attempts to remove the malware if attackers issue such a command. That self-protection capability means even if victims realize their device is compromised, removal can be difficult without dedicated security software.

Doctor Web notes that while the malware is advanced, it is also highly localized. Its interface is available only in Russian, supporting the view that it was built with a specific group of targets in mind.

If you are an Android user in Russia, only download apps from trusted sources and avoid letting Android’s open-source nature become an open invitation for hackers.